
Re: Confirm decision on identity handling.



Paul Hoffman / VPNC <paul.hoffman@vpnc.org> writes:

> At 6:00 AM -0700 5/15/03, Eric Rescorla wrote:
> >Gregory Lebovitz <Gregory@netscreen.com> writes:
> >  > I vote for disassociating ID from cert contents. (BUT, I proposed text that
> >  > would allow for those who desired/required to be able to match if they
> >  > wanted to).
> >The problem, then, of course, is that you've just made it near
> >impossible to make a system which works in the generic
> >"I want to establish an SA with some I've never heard
> >of before" mode.
> 
> Could you explain why? For this scenario, how is binding an ID to the
> cert any different than ignoring the ID and getting an identity out of
> the cert?

Hmm... I see your point. I was speculating that this would mean
that you didn't much care what was in the certificate.

What would be the point of using an ID payload if you didn't
care what was in it?

-Ekr