[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Confirm decision on identity handling.
Eric Rescorla writes:
> Paul Hoffman / VPNC <paul.hoffman@vpnc.org> writes:
>
> > At 8:08 AM -0700 5/15/03, Eric Rescorla wrote:
> > >Hmm... I see your point. I was speculating that this would mean
> > >that you didn't much care what was in the certificate.
> >
> > You could have a security policy that ignored the identity in the cert
> > ("allow an SA with these restrictions to anyone who has a cert from
> > XYZRoot"), or one that was identity-based ("let chris@example.com make
> > an SA").
> But you would presumably want to have some restrictions
> on the IP addresses they were allowed to front for, right?
Why? Are you thinking of this only in terms of
tunnels?
Mike