Re: application layer cross checking
Derek Atkins writes:
> Because applications may not be ipsec peers... Or, in most cases,
> ipsec will be host-based, not user-based?

This seems like a rather single user PC based
mentality. If we were running a multiuser timesharing
system, being able to supply credentials on a per
user basis would be rather necessary, no? Or
perhaps I have a smart card which does the
signatures which identifies me regardless of
which machine I'm using, etc, etc. I don't see
what prevents the SPD from having rules like
"for 5-tuple [a,b,c,d,e], demand credentials in
realm X" where those credentials might require
a human to insert a piece of hardware, or type
into a dialog box slapped up by the keying
daemon, or whatever.

Mike
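
The kind of SPD rule described in the message above, as an added sketch that is not part of the original message or of any IPsec implementation. The rule fields, the 5-tuple order (src, dst, proto, sport, dport), the action strings and the addresses are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard for protocol / port selectors

@dataclass(frozen=True)
class SpdRule:  # hypothetical rule layout, not taken from any real SPD
    src: str                      # source prefix
    dst: str                      # destination prefix
    proto: Optional[int]
    sport: Optional[int]
    dport: Optional[int]
    action: str                   # "PROTECT", "BYPASS" or "DISCARD"
    realm: Optional[str] = None   # credential realm to demand, if any

    def matches(self, src, dst, proto, sport, dport):
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and self.proto in (ANY, proto)
                and self.sport in (ANY, sport)
                and self.dport in (ANY, dport))

def decide(spd, five_tuple, user_credentials):
    """Ordered lookup, first match wins, no match means discard.
    user_credentials maps realm -> credential held by the user who owns
    the socket, so two users on one host can get different answers."""
    rule = next((r for r in spd if r.matches(*five_tuple)), None)
    if rule is None or rule.action == "DISCARD":
        return "DISCARD"
    if rule.action == "BYPASS":
        return "BYPASS"
    if rule.realm is None:
        return "NEGOTIATE host"          # plain host-based keying
    if rule.realm in user_credentials:
        return f"NEGOTIATE {rule.realm}:{user_credentials[rule.realm]}"
    return f"PROMPT {rule.realm}"        # keying daemon asks for card / dialog

# Constructed sample policy (documentation address ranges).
SPD = [
    SpdRule("0.0.0.0/0", "198.51.100.10/32", 6, ANY, 443, "PROTECT", realm="X"),
    SpdRule("192.0.2.0/24", "198.51.100.0/24", ANY, ANY, ANY, "PROTECT"),
    SpdRule("0.0.0.0/0", "0.0.0.0/0", 17, ANY, 53, "BYPASS"),
]
FLOW = ("192.0.2.7", "198.51.100.10", 6, 40000, 443)

if __name__ == "__main__":
    print(decide(SPD, FLOW, {"X": "alice-smartcard"}))  # user holds a realm X credential
    print(decide(SPD, FLOW, {}))                        # same host, user without one
```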