
Re: Confirm decision on identity handling.








>>
>> Hi Scott,
>>
>> The verification/authentication is the cert.  I
>> haven't proposed removing the authentication, so
>> I'm not sure why you say there's no defined
>> verification mechanism.
>
>I'm saying this because the proposed language says the ID payload does
>not have to match anything in the cert. If we allow this and you choose
>your policy based on the ID payload, I may be able to misdirect you to
>the "wrong" policy by simply enclosing the "right" ID payload.

I agree.  This seems like an obvious flaw.  If the ID is not required to
match the identity in the cert there does not seem to be a defined
verification mechanism.
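
The misdirection described in the quoted reply, and the check that closes it, as an added example that is not part of the original thread. The `PeerCert` model, the policy table, and all names and values below are constructed assumptions; the certificate is assumed to have already passed chain and signature verification.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PeerCert:
    """Identities carried by an already-verified certificate (constructed model)."""
    subject_dn: str
    alt_names: frozenset  # (id_type, value) pairs taken from subjectAltName

def norm(id_type, value):
    # DNS-style names compare case-insensitively; DNs are compared as given.
    return value if id_type == "ID_DER_ASN1_DN" else value.lower()

# Constructed policy table keyed on (ID type, ID value).
POLICIES = {
    ("ID_FQDN", "branch.example.net"): "branch-limited",
    ("ID_FQDN", "admin.example.net"): "admin-full",
}

def id_matches_cert(id_type, value, cert):
    """True only if the ID payload names an identity the certificate vouches for."""
    if id_type == "ID_DER_ASN1_DN":
        return value == cert.subject_dn
    return (id_type, norm(id_type, value)) in cert.alt_names

def select_policy_unbound(id_type, value, cert):
    """ID payload not required to match the cert: policy follows whatever
    ID the peer chose to enclose, even though the cert itself verified."""
    return POLICIES.get((id_type, norm(id_type, value)))

def select_policy_bound(id_type, value, cert):
    """Policy lookup happens only after the ID is tied to the cert."""
    if not id_matches_cert(id_type, value, cert):
        return None  # reject: nothing authenticates this ID
    return POLICIES.get((id_type, norm(id_type, value)))

# Constructed sample: a valid branch-office certificate.
BRANCH_CERT = PeerCert(
    subject_dn="CN=branch,O=Example",
    alt_names=frozenset({("ID_FQDN", "branch.example.net")}),
)

if __name__ == "__main__":
    claimed = ("ID_FQDN", "admin.example.net")  # ID payload not backed by the cert
    print("unbound:", select_policy_unbound(*claimed, BRANCH_CERT))
    print("bound:  ", select_policy_bound(*claimed, BRANCH_CERT))
    print("honest: ", select_policy_bound("ID_FQDN", "branch.example.net", BRANCH_CERT))
```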