Re: Adding revised identities to IKEv2
Uri Blumenthal writes:
> Stephen Kent wrote:
> >
> > As many of you know, I try to avoid the T-word (trust) in almost all
> > security technology discussions. I'd like to suggest that it is
> > inappropriate in this discussion as well.
>
> Fully agree. Trust is about authorization, which is not IPsec's
> domain (IMHO).

This statement really bothers me. Authorization is clearly a part of
IPsec. Just because I'm authenticated should not a priori get
authorization for any filtering I desire on the remote end. That seems
like the heart of the IPsec qua access control mechanism. We need a
clean separation both in IPsec and keying of those two concepts.

That said, I'm pretty sympathetic to banishing the T-word from the
lexicon too.

Mike