
RE: Confirm decision on identity handling.





> > To allow for more stringent local security policy, implementations MAY
> > offer a configuration option to check that the identity presented in the
> > identity payload matches the equivalent identity type in the presented
> > certificate.
> 
> I guess my main question would be, in what way does this allow for a
> "more stringent local security policy"?

If alice and amy are both users with valid certs, amy cannot connect to bob
using her own cert, but using alice's identity in the identity payload.

I personally don't think it is a big deal, but Steve Kent has said he thinks
it is, and I can see higher security organizations wanting it.
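
The optional check discussed in this thread, as an added example that is not part of the original message or of any IKE implementation. It assumes the certificate has already been chain-validated and parsed into a plain dict (a hypothetical layout); the ID type names are the standard IKE identification types.

```python
import ipaddress

# IKE ID types (names from RFC 2407 / RFC 7296) -> field of the parsed
# certificate holding the equivalent identity. The dict layout of `cert`
# below is an assumption of this example, not a real library's format.
ID_TO_CERT_FIELD = {
    "ID_RFC822_ADDR": "rfc822Name",
    "ID_FQDN": "dNSName",
    "ID_IPV4_ADDR": "iPAddress",
    "ID_DER_ASN1_DN": "subject",
}

def _norm(id_type, value):
    """Canonicalise a value so equal identities compare equal."""
    if id_type == "ID_IPV4_ADDR":
        return ipaddress.IPv4Address(value)      # raises ValueError if malformed
    if id_type == "ID_FQDN":
        return value.rstrip(".").lower()
    if id_type == "ID_RFC822_ADDR":
        local, _, domain = value.rpartition("@")
        return f"{local}@{domain.lower()}"       # only the domain is case-insensitive
    return value                                 # DN: assumed already canonical

def check_identity(id_type, id_value, cert, strict=True):
    """Return (accepted, reason) for an ID payload against a validated cert."""
    if not strict:
        return True, "match not enforced by local policy"
    field = ID_TO_CERT_FIELD.get(id_type)
    if field is None:
        return False, f"no certificate equivalent for {id_type}"
    try:
        want = _norm(id_type, id_value)
        have = {_norm(id_type, v) for v in cert.get(field, [])}
    except ValueError:
        return False, "malformed identity value"
    if want in have:
        return True, f"{id_type} found in certificate {field}"
    return False, f"{id_type} not present in certificate {field}"

# Constructed sample: amy's certificate, already chain-validated.
AMY_CERT = {
    "subject": ["CN=amy,O=Example"],
    "rfc822Name": ["amy@example.com"],
    "dNSName": [],
    "iPAddress": [],
}

if __name__ == "__main__":
    for claimed in ("amy@EXAMPLE.com", "alice@example.com"):
        for strict in (True, False):
            print(claimed, strict, check_identity("ID_RFC822_ADDR", claimed, AMY_CERT, strict))
```

With `strict=False` the second case is accepted: amy's valid certificate authenticates an exchange whose identity payload names alice.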