[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Confirm decision on identity handling.
Eric Rescorla writes:
> Michael Thomas <mat@cisco.com> writes:
>
> > Eric Rescorla writes:
> > > Michael Thomas <mat@cisco.com> writes:
> > >
> > > > Eric Rescorla writes:
> > > > > Paul Hoffman / VPNC <paul.hoffman@vpnc.org> writes:
> > > > >
> > > > > > At 8:08 AM -0700 5/15/03, Eric Rescorla wrote:
> > > > > > >Hmm... I see your point. I was speculating that this would mean
> > > > > > >that you didn't much care what was in the certificate.
> > > > > >
> > > > > > You could have a security policy that ignored the identity in the cert
> > > > > > ("allow an SA with these restrictions to anyone who has a cert from
> > > > > > XYZRoot"), or one that was identity-based ("let chris@example.com make
> > > > > > an SA").
> > > > > But you would presumably want to have some restrictions
> > > > > on the IP addresses they were allowed to front for, right?
> > > >
> > > > Why? Are you thinking of this only in terms of
> > > > tunnels?
> > > No.
> > >
> > > Many of the same considerations apply for machine to machine SAs.
> >
> > Well, I don't see it. The desire to restrict or
> > permit based on header classification seems
> > completely orthogonal to the policy decision of
> > what constitutes "authenticated enough".
> Huh? Because I want to be able to have applications make security
> decisions based on the IP address of the peer and that means that
> the certificate has to be bound to the IP address.
But that doesn't imply that has to be done in
every scenario. Suppose I set up a service at to
view pictures on a protected web site. I issue
certificates to my friends which allows them past
the IPsec barrier on my web server host. I don't
care who they are -- just that it's somebody who I
issued a cert to -- and most especially don't care
where they happen to have internet connectivity at
the time.
Are you saying this is an illegitimate use of
IPsec/IKE?
Mike