
Re: Confirm decision on identity handling.



Michael Thomas <mat@cisco.com> writes:

> Eric Rescorla writes:
>  > Michael Thomas <mat@cisco.com> writes:
>  > 
>  > > Eric Rescorla writes:
>  > >  > Paul Hoffman / VPNC <paul.hoffman@vpnc.org> writes:
>  > >  > 
>  > >  > > At 8:08 AM -0700 5/15/03, Eric Rescorla wrote:
>  > >  > > >Hmm... I see your point. I was speculating that this would mean
>  > >  > > >that you didn't much care what was in the certificate.
>  > >  > > 
>  > >  > > You could have a security policy that ignored the identity in the cert
>  > >  > > ("allow an SA with these restrictions to anyone who has a cert from
>  > >  > > XYZRoot"), or one that was identity-based ("let chris@example.com make
>  > >  > > an SA").
>  > >  > But you would presumably want to have some restrictions
>  > >  > on the IP addresses they were allowed to front for, right?
>  > > 
>  > > Why? Are you thinking of this only in terms of
>  > > tunnels?
>  > No.
>  > 
>  > Many of the same considerations apply for machine to machine SAs.
> 
> Well, I don't see it. The desire to restrict or
> permit based on header classification seems
> completely orthogonal to the policy decision of
> what constitutes "authenticated enough".
Huh? Because I want to be able to have applications make security
decisions based on the IP address of the peer and that means that
the certificate has to be bound to the IP address.

-Ekr

-- 
[Eric Rescorla                                   ekr@rtfm.com]
                http://www.rtfm.com/
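As an added illustration of the three policy styles argued over in this thread (not part of the original messages, and not code from any IKE implementation): a toy authorization check that runs one proposed SA against (a) a policy that ignores the identity in the cert and only asks whether it chains to XYZRoot, (b) an identity-only policy ("let chris@example.com make an SA"), and (c) an identity policy that additionally requires the traffic selector the peer wants to front for to fall inside the addresses the certificate is bound to. The names XYZRoot, chris@example.com, the sample certificates, addresses and the policy tables are all constructed for the example; certificate chain validation is assumed to have happened already, only the policy decision afterwards is modelled.

```python
"""Toy IPsec SA authorization under three policy styles (added example, hypothetical)."""
from dataclasses import dataclass
import ipaddress
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class PeerCert:
    """Summary of an already chain-validated peer certificate (constructed)."""
    issuer: str                    # trust anchor the chain ends at
    identity: str                  # identity asserted by the cert, e.g. an rfc822Name SAN
    bound_addrs: Tuple[str, ...]   # addresses the cert is bound to, e.g. iPAddress SANs (CIDR)


@dataclass(frozen=True)
class SARequest:
    """A proposed SA: the peer's cert plus the traffic selector it wants to front for."""
    cert: PeerCert
    selector: str                  # CIDR the peer claims it may send/receive for


# Hypothetical local policy tables
TRUSTED_ROOTS = {"XYZRoot"}
ROOT_ONLY_SELECTORS = ("192.0.2.0/24",)        # "these restrictions" in the root-only policy
ALLOWED_IDENTITIES = {"chris@example.com"}     # "let chris@example.com make an SA"

Decision = Tuple[bool, str]


def _within(selector: str, allowed: Iterable[str]) -> bool:
    """True if the selector lies entirely inside one of the allowed networks."""
    sel = ipaddress.ip_network(selector, strict=False)
    for a in allowed:
        net = ipaddress.ip_network(a, strict=False)
        if sel.version == net.version and sel.subnet_of(net):
            return True
    return False


def root_only_policy(req: SARequest) -> Decision:
    """Ignore the identity: anyone chaining to XYZRoot gets an SA, but only
    for a fixed set of selectors."""
    if req.cert.issuer not in TRUSTED_ROOTS:
        return False, "untrusted issuer"
    if not _within(req.selector, ROOT_ONLY_SELECTORS):
        return False, "selector outside the fixed restrictions"
    return True, "trusted root, selector within fixed restrictions"


def identity_policy(req: SARequest) -> Decision:
    """Identity-based: permit named identities. Says nothing about which
    addresses the peer may front for, so an application that later decides
    on the peer's IP address gets no protection from this check alone."""
    if req.cert.issuer not in TRUSTED_ROOTS:
        return False, "untrusted issuer"
    if req.cert.identity not in ALLOWED_IDENTITIES:
        return False, "identity not permitted"
    return True, "identity permitted (selector unchecked)"


def identity_bound_to_address_policy(req: SARequest) -> Decision:
    """Identity plus address binding: the selector must fall inside the
    addresses the certificate itself is bound to."""
    ok, why = identity_policy(req)
    if not ok:
        return ok, why
    if not _within(req.selector, req.cert.bound_addrs):
        return False, "selector not covered by the certificate's address binding"
    return True, "identity permitted and selector bound to certificate"


POLICIES = {
    "root_only": root_only_policy,
    "identity": identity_policy,
    "identity_bound": identity_bound_to_address_policy,
}


def decisions(req: SARequest) -> Dict[str, Decision]:
    """Run every policy style against one SA request."""
    return {name: policy(req) for name, policy in POLICIES.items()}


# Constructed sample peers: not real hosts, certificates or people.
CHRIS = PeerCert("XYZRoot", "chris@example.com", ("192.0.2.10/32",))
BOB = PeerCert("XYZRoot", "bob@example.com", ("192.0.2.20/32",))
MALLORY = PeerCert("OtherRoot", "chris@example.com", ("192.0.2.10/32",))

SAMPLE_REQUESTS = {
    "chris_own_addr": SARequest(CHRIS, "192.0.2.10/32"),
    "chris_fronting_for_10/8": SARequest(CHRIS, "10.0.0.0/8"),
    "bob_own_addr": SARequest(BOB, "192.0.2.20/32"),
    "mallory_untrusted_root": SARequest(MALLORY, "192.0.2.10/32"),
}


def evaluate_all() -> Dict[str, Dict[str, Decision]]:
    """Evaluate every sample request under every policy."""
    return {label: decisions(req) for label, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for label, result in evaluate_all().items():
        print(label)
        for name, (ok, why) in result.items():
            print(f"  {name:15s} {'ALLOW' if ok else 'DENY ':5s} {why}")
```

The request worth looking at is chris_fronting_for_10/8: the identity-only policy allows it, so from then on packets appearing to come from anywhere in 10.0.0.0/8 are "authenticated" as chris@example.com, and any application that gates on the peer's IP address has nothing to stand on. Only the third policy, which requires the cert to be bound to the addresses being fronted for, refuses it.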