
Re: Confirm decision on identity handling.



>And what is the point of this? It seems to make the policy lookup
>slightly simpler, since you can get the ID payload from the packet
>instead of parsing the cert. But this is only on the front end, because
>you still have to parse the cert, and you have the added step of
>verifying that the ID matches something in the cert (if you care about
>security).

Some people have been referring to the id as a "key for policy lookup". The 
idea is that if you have a decorrelated database (or an ordered database 
where more specific rules serve only to grant privileges and not to take 
them away), a unique id can allow a very fast policy lookup.

However, once this lookup is complete, you can throw the id away. It is not 
necessary to check the id against a field in the certificate. You only have 
to check the certificate against the policy (and the signature against the 
public key and the validity of the cert chain).

I wish people would stop saying things like "you can check the id against the 
certificate if you require a more stringent policy check."

Andrew
--------------------------------------
The odd thing about fairness is when
we strive so hard to be equitable
that we forget to be correct.
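
The lookup-then-check flow described above, as an added example that is not from the original message or from any IKE implementation: the ID payload selects a rule, is then discarded, and the certificate is checked against that rule's own constraints rather than against the ID. The policy databases, certificate contents and privilege names are constructed for illustration, and the model assumes signature and chain validation already happened before authorization. It also shows the condition stated in the message: in an ordered database where a more specific rule takes privileges away, the peer can bypass that rule simply by choosing a different ID.

```python
"""
Toy model of ID-keyed policy lookup for IKE identity handling.
Added illustration; not code from the original message or from any
IKE implementation.  All certificate and policy data is constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

DENY = frozenset()  # a rule (or a failed check) that grants nothing


@dataclass(frozen=True)
class Cert:
    """Stand-in for an already-verified X.509 certificate.  We assume
    the signature and chain were validated before we get here."""
    issuer: str
    names: tuple  # subject CN plus any subjectAltName entries


@dataclass(frozen=True)
class Rule:
    id_pattern: str       # matched against the peer's ID payload only
    issuer: str           # certificate must be issued by this CA
    name_pattern: str     # some certificate name must match this
    privileges: frozenset  # what a matching peer is allowed to do


def lookup(db, id_payload):
    """Use the ID payload purely as a lookup key: return the first rule
    whose id_pattern matches.  The ID plays no further role."""
    for rule in db:
        if fnmatchcase(id_payload, rule.id_pattern):
            return rule
    return None


def cert_satisfies(rule, cert):
    """Check the certificate against the policy, never against the ID."""
    return cert.issuer == rule.issuer and any(
        fnmatchcase(name, rule.name_pattern) for name in cert.names
    )


def authorize(db, id_payload, cert):
    """Privileges granted to a peer presenting this ID and cert."""
    rule = lookup(db, id_payload)
    if rule is None or not cert_satisfies(rule, cert):
        return DENY
    return rule.privileges


# Constructed data: one CA, an admin host and an ordinary host.
CA = "CN=Example CA"
ADMIN_CERT = Cert(CA, ("admin.example.com",))
MALLORY_CERT = Cert(CA, ("mallory.example.com",))

# Ordered database where the specific rule only ADDS privileges over the
# general rule.  Lying about the ID can lose privileges but never gain any.
GOOD_DB = (
    Rule("admin", CA, "admin.example.com", frozenset({"vpn", "mgmt"})),
    Rule("*", CA, "*.example.com", frozenset({"vpn"})),
)

# Ordered database where the specific rule TAKES privileges AWAY.  Since
# the peer chooses its own ID, it can sidestep the deny rule entirely.
BAD_DB = (
    Rule("mallory", CA, "*", DENY),
    Rule("*", CA, "*.example.com", frozenset({"vpn"})),
)


if __name__ == "__main__":
    cases = [
        ("GOOD_DB", GOOD_DB, "admin", ADMIN_CERT),
        ("GOOD_DB", GOOD_DB, "admin", MALLORY_CERT),   # cert fails admin rule
        ("GOOD_DB", GOOD_DB, "anyhost", ADMIN_CERT),   # admin only loses mgmt
        ("BAD_DB", BAD_DB, "mallory", MALLORY_CERT),   # denied as intended
        ("BAD_DB", BAD_DB, "gateway", MALLORY_CERT),   # deny rule bypassed
    ]
    for db_name, db, peer_id, cert in cases:
        granted = sorted(authorize(db, peer_id, cert))
        print(f"{db_name:7} id={peer_id:8} cert={cert.names[0]:20} -> {granted}")
```

Note that in GOOD_DB the admin cert presented under a generic ID is still accepted, just with the general rule's smaller privilege set, which is exactly why no ID-versus-certificate comparison is needed there. In BAD_DB the same shortcut lets mallory.example.com reach the general rule by claiming any unlisted ID, so a database with privilege-removing specific rules must not be keyed on a peer-chosen ID.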



