Re: Confirm decision on identity handling.
>>
>> Hi Scott,
>>
>> The verification/authentication is the cert. I
>> haven't proposed removing the authentication, so
>> I'm not sure why you say there's no defined
>> verification mechanism.
>
>I'm saying this because the proposed language says the ID payload does
>not have to match anything in the cert. If we allow this and you choose
>your policy based on the ID payload, I may be able to misdirect you to
>the "wrong" policy by simply enclosing the "right" ID payload.
I agree. This seems like an obvious flaw. If the ID is not required to
match the identity in the cert there does not seem to be a defined
verification mechanism.
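
Added example, not part of the original message or of any IKE implementation: a sketch of the misdirection described in the thread, with policy selected from the ID payload alone next to a version that first requires the ID to be an identity asserted by the already-validated certificate. The `ValidatedCert` type, the policy table, the host names and the ID-type-to-certificate-field mapping are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# ID payload types (names from the IPsec DOI) mapped to the certificate field
# this example requires them to match. The mapping is an assumption here.
ID_TO_CERT_FIELD = {
    "ID_FQDN": "dns",
    "ID_USER_FQDN": "email",
    "ID_IPV4_ADDR": "ip",
    "ID_DER_ASN1_DN": "subject_dn",
}

@dataclass
class ValidatedCert:
    """Identities from a cert whose chain and signature were already verified."""
    subject_dn: str
    dns: set = field(default_factory=set)
    email: set = field(default_factory=set)
    ip: set = field(default_factory=set)

    def names(self, kind):
        value = getattr(self, kind)
        return {value} if isinstance(value, str) else set(value)

# Constructed policy database keyed by (ID type, ID value).
POLICY = {
    ("ID_FQDN", "admin-gw.example.com"): "full-access",
    ("ID_FQDN", "kiosk.example.com"): "restricted",
}

def select_policy_unbound(id_type, id_value):
    """Flawed: the policy is chosen from the ID payload alone."""
    return POLICY.get((id_type, id_value.strip().lower()))

def select_policy_bound(cert, id_type, id_value):
    """Choose a policy only if the cert itself asserts the claimed ID."""
    kind = ID_TO_CERT_FIELD.get(id_type)
    if kind is None:
        return None  # ID type that cannot be tied to the certificate
    claimed = id_value.strip().lower()  # crude normalisation, enough for a sketch
    if claimed not in {n.lower() for n in cert.names(kind)}:
        return None  # ID payload is not an identity the cert authenticates
    return POLICY.get((id_type, claimed))

# Constructed peer: holds a valid cert for the kiosk only.
KIOSK = ValidatedCert(subject_dn="CN=kiosk.example.com", dns={"kiosk.example.com"})
```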