
Re: Confirm decision on identity handling.



Eric Rescorla wrote:
>> > >  > > You could have a security policy that ignored the identity in the cert
>> > >  > > ("allow an SA with these restrictions to anyone who has a cert from
>> > >  > > XYZRoot"), or one that was identity-based ("let chris@example.com make
>> > >  > > an SA").
>>Well, I don't see it. The desire to restrict or
>>permit based on header classification seems
>>completely orthogonal to the policy decision of
>>what constitutes "authenticated enough".
> 
> Huh? Because I want to be able to have applications make security
> decisions based on the IP address of the peer and that means that
> the certificate has to be bound to the IP address.

I jumped in late, so probably missed some important parts of this
conversation. But binding certificates to IP addresses doesn't
seem like a good idea at all, because of how short IP address
lifespan may be.

AFTER the authentication it may be reasonable to "fix" the IP
address to the just-established SA and dance from there for
the SA's duration... But that has little to do with certs.

If I really didn't get it, feel free to clue me in.