
Re: Confirm decision on identity handling.



Hi Andrew,

Can you give a real-world example of the process you describe below?
That is, what sort of ID payload would be sent, what might it contain,
and how would the policies look against which this would be compared?

Thanks,

Scott

Andrew Krywaniuk wrote:
> 
> >And what is the point of this? It seems to make the policy lookup
> >slightly simpler, since you can get the ID payload from the packet
> >instead of parsing the cert. But this is only on the front end, because
> >you still have to parse the cert, and you have the added step of
> >verifying that the ID matches something in the cert (if you care about
> >security).
> 
> Some people have been referring to the id as a "key for policy lookup". The
> idea is that if you have a decorrelated database (or an ordered database
> where more specific rules serve only to grant privileges and not to take
> them away), a unique id can allow a very fast policy lookup.
> 
> However, once this lookup is complete, you can throw the id away. It is not
> necessary to check the id against a field in the certificate. You only have
> to check the certificate against the policy (and the signature against the
> public key and the validity of the cert chain).
> 
> I wish people would stop saying things like "you can check the id against the
> certificate if you require a more stringent policy check."
> 
> Andrew
> --------------------------------------
> The odd thing about fairness is when
> we strive so hard to be equitable
> that we forget to be correct.
> 
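An added example, not written by either participant in this thread, modelling the flow Andrew describes: the ID payload is used only as a lookup key into a policy database, after which the certificate itself is checked against the selected policy (and the chain is validated), so a separate "does the ID match the cert" step adds nothing. The policies, certificates and ID values below are constructed for illustration, the ID is assumed to be an FQDN, and signature/chain validation is stood in for by a boolean.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Simplified stand-in for an X.509 end-entity certificate (constructed)."""
    subject: str
    sans: tuple          # subjectAltName DNS entries
    issuer: str
    chain_valid: bool    # result of signature + chain validation, assumed done elsewhere


@dataclass(frozen=True)
class Policy:
    """What a peer must present to receive a set of permissions (constructed)."""
    allowed_issuers: frozenset
    required_name: str   # name the certificate must carry (subject or SAN)
    permissions: frozenset


# Constructed policy database, keyed by the value carried in the ID payload.
# The ID is a "key for policy lookup" only; nothing below trusts it further.
POLICY_DB = {
    "vpn1.example.net": Policy(frozenset({"Example CA"}), "vpn1.example.net",
                               frozenset({"tunnel:net-a"})),
    "admin.example.net": Policy(frozenset({"Example CA"}), "admin.example.net",
                                frozenset({"tunnel:net-a", "tunnel:mgmt"})),
}


def cert_names(cert):
    """All names the certificate asserts for its holder."""
    return {cert.subject, *cert.sans}


def cert_matches_policy(cert, policy):
    """Check the certificate (not the ID) against the policy selected for it."""
    return (cert.chain_valid
            and cert.issuer in policy.allowed_issuers
            and policy.required_name in cert_names(cert))


def authorize(id_payload, cert):
    """Return granted permissions, or None if the peer is refused."""
    policy = POLICY_DB.get(id_payload)   # fast lookup keyed by the ID
    if policy is None:
        return None
    # The ID has done its job; from here only the certificate is examined.
    if not cert_matches_policy(cert, policy):
        return None
    return policy.permissions
```

A peer that sends the "admin" ID while holding only the "vpn1" certificate is refused by the cert-versus-policy check alone, which is why no ID-versus-cert comparison is needed.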