Re: Adding revised identities to IKEv2

Stephen Kent wrote:
> >......how do you identify a key................
> 
> First, I don't want to identify keys in most cases (I don't see them
> as principals), and this would be one of them.

Touché (:-).

> If I am responsible for access control for some resources, I want to
> know who's requesting access, and for that I want a name or at least
> an organizational affiliation........Use of crypto tokens, one-time
> keys, etc. all come to mind and all have limitations...........

Sure. What I'm driving at is that an FQDN may not be applicable for
identifying the requestor. So a symbolic string with wider
semantics than an FQDN should be allowed as an "identity tag"
on the key.

> (The issue also might be whether I want to let the known, authorized
> user into my environment given that he is using a borrowed laptop ...)

(:-)  A totally different angle and issue.
> Of course, as a Mac user I rarely have this problem because I would
> not want to borrow a PC laptop anyway :-)

Ah, do you have to salt our wounds? (:-)