
Re: Confirm decision on identity handling.

>>>>> "VPNC" == VPNC  <Paul> writes:
    VPNC> At 11:19 PM -0400 5/18/03, Michael Richardson wrote:
    VPNC> You could have a security policy that ignored the identity in the
    VPNC> cert ("allow an SA with these restrictions to anyone who has a cert
    VPNC> from XYZRoot"), or one that was identity-based ("let
    VPNC> chris@example.com make an SA").
    >> 
    >> >> What would be the point of using an ID payload if you didn't
    >> >> care what was in it?
    >> 
    VPNC> There isn't one.
    >> 
    >> The parties involved are not the same. You guys keep flipping between
    >> "VPN" and "two random parties" in your discussion.

    VPNC> Sorry, but that's not true at all. I have consistently been talking 
    VPNC> about VPNs. (No surprise there.) In this thread, it seems like
    VPNC> you're  

  I've barely commented :-)

  What I do hear is that the VPN has to work for two parties who have
picked random CAs, and can't control what goes into the certificate. That
sure sounds like "two random parties" to me.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
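The two policy styles Paul contrasts above (trust anyone holding a cert from a given root, versus admit only named identities), together with the check that makes the ID payload meaningful, as an added example that is not code from this thread or from any IKE implementation. Certificate chain and signature verification are assumed to have already succeeded; the certificate fields, policy names and identities are constructed sample data.

```python
# Added example (not from the thread): two ways an IPsec responder might
# authorize a peer once its certificate chain has been verified. Only the
# policy decision is modelled; parsing and signature checks are assumed done.
from dataclasses import dataclass, field

@dataclass
class PeerCert:
    """Fields taken from a peer's chain-verified certificate (constructed)."""
    root_ca: str                                   # trust anchor the chain ends at
    identities: set = field(default_factory=set)   # subjectAltName entries

@dataclass
class Policy:
    """One SA policy: trust-anchor based, or identity based if allowed_ids is set."""
    name: str
    trusted_root: str                              # "anyone with a cert from this root"
    allowed_ids: set = field(default_factory=set)  # if non-empty, only these identities
    restrictions: str = "default"                  # SA restrictions to apply; opaque here

def authorize(policy: Policy, cert: PeerCert, id_payload: str):
    """Return the SA restrictions to apply, or None if the peer is refused."""
    if cert.root_ca != policy.trusted_root:
        return None                    # wrong CA: refused under either policy style
    # The asserted ID must be one the CA actually bound into the cert; otherwise
    # the ID payload carries nothing the certificate vouches for.
    if id_payload not in cert.identities:
        return None
    if policy.allowed_ids and id_payload not in policy.allowed_ids:
        return None                    # identity-based policy: not on the list
    return policy.restrictions

# Constructed sample policies and peers.
CA_ONLY = Policy("anyone-from-XYZRoot", "XYZRoot", restrictions="subnet-only")
BY_ID = Policy("chris-only", "XYZRoot", {"chris@example.com"}, "full-access")
CHRIS = PeerCert("XYZRoot", {"chris@example.com"})
PAT = PeerCert("XYZRoot", {"pat@example.com"})
OTHER = PeerCert("OtherRoot", {"chris@example.com"})

if __name__ == "__main__":
    print(authorize(CA_ONLY, PAT, "pat@example.com"))      # subnet-only
    print(authorize(BY_ID, PAT, "pat@example.com"))        # None: not a listed identity
    print(authorize(BY_ID, CHRIS, "chris@example.com"))    # full-access
    print(authorize(BY_ID, PAT, "chris@example.com"))      # None: ID not in Pat's cert
    print(authorize(CA_ONLY, OTHER, "chris@example.com"))  # None: wrong root
```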