[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Confirm decision on identity handling.
Paul Hoffman / VPNC <paul.hoffman@vpnc.org> writes:
> At 8:08 AM -0700 5/15/03, Eric Rescorla wrote:
> >Hmm... I see your point. I was speculating that this would mean
> >that you didn't much care what was in the certificate.
>
> You could have a security policy that ignored the identity in the cert
> ("allow an SA with these restrictions to anyone who has a cert from
> XYZRoot"), or one that was identity-based ("let chris@example.com make
> an SA").
But you would presumably want to have some restrictions
on the IP addresses they were allowed to front for, right?
-Ekr
--
[Eric Rescorla ekr@rtfm.com]
http://www.rtfm.com/