[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Confirm decision on identity handling.
Eric Rescorla writes:
> Michael Thomas <mat@cisco.com> writes:
>
> > Eric Rescorla writes:
> > > Paul Hoffman / VPNC <paul.hoffman@vpnc.org> writes:
> > >
> > > > At 8:08 AM -0700 5/15/03, Eric Rescorla wrote:
> > > > >Hmm... I see your point. I was speculating that this would mean
> > > > >that you didn't much care what was in the certificate.
> > > >
> > > > You could have a security policy that ignored the identity in the cert
> > > > ("allow an SA with these restrictions to anyone who has a cert from
> > > > XYZRoot"), or one that was identity-based ("let chris@example.com make
> > > > an SA").
> > > But you would presumably want to have some restrictions
> > > on the IP addresses they were allowed to front for, right?
> >
> > Why? Are you thinking of this only in terms of
> > tunnels?
> No.
>
> Many of the same considerations apply for machine to machine SAs.
Well, I don't see it. The desire to restrict or
permit based on header classification seems
completely orthogonal to the policy decision of
what constitutes "authenticated enough". Why
should a policy of "*@foo.com" have to be further
qualified with "from 1.2.3.0/24" as well? You
might want to do that, but then again you might
not. The former may be perfectly adequate
securitywise.
Mike