[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Confirm decision on identity handling.

To: EKR <ekr@rtfm.com>
Subject: Re: Confirm decision on identity handling.
From: Michael Thomas <mat@cisco.com>
Date: Thu, 15 May 2003 14:48:42 -0700 (PDT)
Cc: Michael Thomas <mat@cisco.com>, Paul Hoffman / VPNC <paul.hoffman@vpnc.org>, Gregory Lebovitz <Gregory@netscreen.com>, "Scott G. Kelly" <scott@airespace.com>, ipsec@lists.tislabs.com
In-Reply-To: <kj3cjfsx6m.fsf@romeo.rtfm.com>
References: <541402FFDC56DA499E7E13329ABFEA87E66D8E@SARATOGA.netscreen.com><kj65oc8iw2.fsf@romeo.rtfm.com><p0521061bbae95ab471b9@[63.202.92.152]><kjel30s0wc.fsf@romeo.rtfm.com><p0521061dbae95e654f37@[63.202.92.152]><kjaddorzxc.fsf@romeo.rtfm.com><16068.1766.561003.133227@thomasm-u1.cisco.com><kj3cjfsx6m.fsf@romeo.rtfm.com>
Sender: owner-ipsec@lists.tislabs.com

Eric Rescorla writes:
 > Michael Thomas <mat@cisco.com> writes:
 > 
 > > Eric Rescorla writes:
 > >  > Paul Hoffman / VPNC <paul.hoffman@vpnc.org> writes:
 > >  > 
 > >  > > At 8:08 AM -0700 5/15/03, Eric Rescorla wrote:
 > >  > > >Hmm... I see your point. I was speculating that this would mean
 > >  > > >that you didn't much care what was in the certificate.
 > >  > > 
 > >  > > You could have a security policy that ignored the identity in the cert
 > >  > > ("allow an SA with these restrictions to anyone who has a cert from
 > >  > > XYZRoot"), or one that was identity-based ("let chris@example.com make
 > >  > > an SA").
 > >  > But you would presumably want to have some restrictions
 > >  > on the IP addresses they were allowed to front for, right?
 > > 
 > > Why? Are you thinking of this only in terms of
 > > tunnels?
 > No.
 > 
 > Many of the same considerations apply for machine to machine SAs.

Well, I don't see it. The desire to restrict or
permit based on header classification seems
completely orthogonal to the policy decision of
what constitutes "authenticated enough". Why
should a policy of "*@foo.com" have to be further
qualified with "from 1.2.3.0/24" as well? You
might want to do that, but then again you might
not. The former may be perfectly adequate
securitywise.

		Mike

Follow-Ups:
- Re: Confirm decision on identity handling.
  - From: Eric Rescorla <ekr@rtfm.com>

References:
- RE: Confirm decision on identity handling.
  - From: Gregory Lebovitz <Gregory@netscreen.com>
- Re: Confirm decision on identity handling.
  - From: Eric Rescorla <ekr@rtfm.com>
- Re: Confirm decision on identity handling.
  - From: Paul Hoffman / VPNC <paul.hoffman@vpnc.org>
- Re: Confirm decision on identity handling.
  - From: Eric Rescorla <ekr@rtfm.com>
- Re: Confirm decision on identity handling.
  - From: Paul Hoffman / VPNC <paul.hoffman@vpnc.org>
- Re: Confirm decision on identity handling.
  - From: Eric Rescorla <ekr@rtfm.com>
- Re: Confirm decision on identity handling.
  - From: Michael Thomas <mat@cisco.com>
- Re: Confirm decision on identity handling.
  - From: Eric Rescorla <ekr@rtfm.com>

Prev by Date: Re: Confirm decision on identity handling.
Next by Date: Re: Confirm decision on identity handling.
Prev by thread: Re: Confirm decision on identity handling.
Next by thread: Re: Confirm decision on identity handling.
Index(es):
- Date
- Thread