Re: Confirm decision on identity handling.
>And what is the point of this? It seems to make the policy lookup
>slightly simpler, since you can get the ID payload from the packet
>instead of parsing the cert. But this is only on the front end, because
>you still have to parse the cert, and you have the added step of
>verifying that the ID matches something in the cert (if you care about
>security).
Some people have been referring to the id as a "key for policy lookup". The
idea is that if you have a decorrelated database (or an ordered database
where more specific rules serve only to grant privileges and not to take
them away), a unique id can allow a very fast policy lookup.
However, once this lookup is complete, you can throw the id away. It is not
necessary to check the id against a field in the certificate. You only have
to check the certificate against the policy (and the signature against the
public key and the validity of the cert chain).
I wish people would stop saying things like "you can check the id against the
certificate if you require a more stringent policy check."
Andrew
--------------------------------------
The odd thing about fairness is when
we strive so hard to be equitable
that we forget to be correct.
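A toy model of the design Andrew describes, added here as an example and not code from the original post or from any IKE implementation: the peer's ID payload is used only as a key to select a policy quickly, and the authorization decision is made by checking the authenticated certificate against that policy. The ID is never compared with the certificate. The policy table, the certificate fields, the issuer names and the traffic selectors are all constructed for illustration.

```python
"""
Added example (not from the original mailing-list post).

The ID payload is an unauthenticated hint. It selects a policy from a table
(the fast lookup), after which it is discarded. What decides access is the
certificate, already checked for signature and chain validity, measured
against the policy that was selected. A peer that claims someone else's ID
only selects someone else's policy, and its certificate must still satisfy it.
All names and values below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Certificate:
    subject: str        # DNS name in the certificate, e.g. "gw1.example.com"
    issuer: str         # CA that signed it
    chain_valid: bool   # outcome of the (out-of-scope) signature/chain check


@dataclass(frozen=True)
class Policy:
    name: str
    trusted_issuers: FrozenSet[str]      # CAs this policy accepts
    allowed_subject_suffix: str          # subject must end with this
    granted_selectors: FrozenSet[str]    # hypothetical traffic the policy allows


# Constructed policy table keyed by ID payload. A decorrelated database is
# assumed here: at most one rule matches, so the lookup is a plain dict hit.
POLICY_BY_ID: Dict[str, Policy] = {
    "gw1.example.com": Policy(
        "branch-gw", frozenset({"ExampleRootCA"}), ".example.com",
        frozenset({"10.1.0.0/16"})),
    "partner.example.net": Policy(
        "partner", frozenset({"PartnerCA"}), ".example.net",
        frozenset({"10.9.0.0/24"})),
}

# Unknown IDs fall through to a policy that trusts no issuer, i.e. deny.
DENY_POLICY = Policy("deny", frozenset(), "", frozenset())


def lookup_policy(id_payload: str) -> Policy:
    """Fast policy lookup keyed by the ID payload. Nothing here is a security
    check; the ID is merely used to pick which policy will be applied."""
    return POLICY_BY_ID.get(id_payload, DENY_POLICY)


def cert_satisfies_policy(cert: Certificate, policy: Policy) -> bool:
    """The actual authorization check: certificate against policy."""
    if not cert.chain_valid:
        return False
    if cert.issuer not in policy.trusted_issuers:
        return False
    return cert.subject.endswith(policy.allowed_subject_suffix)


def authorize(id_payload: str, cert: Certificate) -> Optional[Policy]:
    """Return the policy the peer is admitted under, or None.

    The ID payload is consumed by the lookup and plays no further role; in
    particular it is never compared with any field of the certificate."""
    policy = lookup_policy(id_payload)
    if cert_satisfies_policy(cert, policy):
        return policy
    return None


if __name__ == "__main__":
    honest = Certificate("gw1.example.com", "ExampleRootCA", True)
    partner = Certificate("vpn.example.net", "PartnerCA", True)

    # Honest peer: ID selects branch-gw, certificate satisfies it.
    print(authorize("gw1.example.com", honest))
    # Partner peer claiming the branch gateway's ID: the claim only selects
    # the branch-gw policy, whose trusted issuer its certificate does not match.
    print(authorize("gw1.example.com", partner))
    # Unknown ID: deny policy trusts nobody.
    print(authorize("nobody.example.org", honest))
```

The point of the second case is the one the post makes: there is nothing to gain from checking that the ID matches the certificate, because a mismatched ID can only ever select a policy that the certificate then has to satisfy on its own merits. The caveat the post attaches to ordered (non-decorrelated) databases also shows up here: this only holds when the policy selected by a wrong ID cannot be more permissive for that certificate than the policy the right ID would have selected.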