Re: Confirm decision on identity handling.



Paul Hoffman / VPNC <paul.hoffman@vpnc.org> writes:

> At 8:08 AM -0700 5/15/03, Eric Rescorla wrote:
> >Hmm... I see your point. I was speculating that this would mean
> >that you didn't much care what was in the certificate.
> 
> You could have a security policy that ignored the identity in the cert
> ("allow an SA with these restrictions to anyone who has a cert from
> XYZRoot"), or one that was identity-based ("let chris@example.com make
> an SA").
But you would presumably want to have some restrictions
on the IP addresses they were allowed to front for, right?

-Ekr

-- 
[Eric Rescorla                                   ekr@rtfm.com]
                http://www.rtfm.com/