Re: Confirm decision on identity handling.
>>>>> "VPNC" == VPNC <Paul> writes:
VPNC> At 11:19 PM -0400 5/18/03, Michael Richardson wrote:
VPNC> You could have a security policy that ignored the identity in the
VPNC> cert ("allow an SA with these restrictions to anyone who has a cert
VPNC> from XYZRoot"), or one that was identity-based ("let
VPNC> chris@example.com make an SA").
>>
>> >> What would be the point of using an ID payload if you didn't
>> >> care what was in it?
>>
VPNC> There isn't one.
>>
>> The parties involved are not the same. You guys keep flipping between
>> "VPN" and "two random parties" in your discussion.
VPNC> Sorry, but that's not true at all. I have consistently been talking
VPNC> about VPNs. (No surprise there.) In this thread, it seems like
VPNC> you're
I've barely commented :-)
What I do hear is that the VPN has to work for two parties who have
picked random CAs, and can't control what goes into the certificate. That
sure sounds like "two random parties" to me.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
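The two policy styles contrasted in the quoted text (accept anyone holding a cert from a given root, versus accept a specific named identity) can be written down as authorization checks. The following is an added illustration, not code from the thread, the IPsec WG or any IKE implementation; the certificate, the ID payload and the chain check are constructed stand-ins (the chain check is reduced to an issuer-name lookup, which is an assumption made to keep the example self-contained). It also shows the point behind the "why carry an ID payload at all?" question: under an identity-based policy the asserted ID is only useful if the certificate actually vouches for it.

```python
"""Toy evaluation of two IKE peer-authorization policies.

Constructed example, not from any IKE implementation. The chain check is
stubbed as an issuer-name lookup (assumption); a real implementation performs
full path validation: signatures, validity periods, name constraints, revocation.
"""
from dataclasses import dataclass
from typing import FrozenSet, Tuple


@dataclass(frozen=True)
class PeerCert:
    issuer: str            # name of the CA that signed this cert (stand-in for a chain)
    sans: FrozenSet[str]   # subjectAltName entries, e.g. rfc822Name / dNSName values


@dataclass(frozen=True)
class IdPayload:
    id_type: str           # e.g. "ID_RFC822_ADDR" or "ID_FQDN"
    value: str


def chains_to_trusted_root(cert: PeerCert, trusted_roots: FrozenSet[str]) -> bool:
    # Assumption: issuer-name membership stands in for full path validation.
    return cert.issuer in trusted_roots


def root_only_policy(cert: PeerCert, trusted_roots: FrozenSet[str]) -> Tuple[bool, str]:
    """'Allow an SA to anyone who has a cert from XYZRoot.'

    The ID payload is never consulted; holding a cert under the root is enough.
    """
    if chains_to_trusted_root(cert, trusted_roots):
        return True, "cert issued under a trusted root"
    return False, "cert does not chain to a trusted root"


def identity_policy(cert: PeerCert, id_payload: IdPayload,
                    trusted_roots: FrozenSet[str],
                    allowed_ids: FrozenSet[str]) -> Tuple[bool, str]:
    """'Let chris@example.com make an SA.'

    The asserted identity must be (1) vouched for by a cert that chains to a
    trusted root and (2) on the local allow list. Step (1) is what makes the
    ID payload meaningful: an ID the cert does not contain is just a claim.
    """
    if not chains_to_trusted_root(cert, trusted_roots):
        return False, "cert does not chain to a trusted root"
    if id_payload.value not in cert.sans:
        return False, "ID payload not bound to the certificate (not in subjectAltName)"
    if id_payload.value not in allowed_ids:
        return False, "identity authenticated but not authorized by policy"
    return True, "identity authenticated by cert and authorized by policy"


# Constructed sample data for the two policies.
TRUSTED_ROOTS = frozenset({"XYZRoot"})
ALLOWED_IDS = frozenset({"chris@example.com"})
CHRIS_CERT = PeerCert(issuer="XYZRoot", sans=frozenset({"chris@example.com"}))
OTHER_CERT = PeerCert(issuer="XYZRoot", sans=frozenset({"pat@example.com"}))
FOREIGN_CERT = PeerCert(issuer="SomeOtherRoot", sans=frozenset({"chris@example.com"}))
CHRIS_ID = IdPayload("ID_RFC822_ADDR", "chris@example.com")


if __name__ == "__main__":
    for label, cert in (("chris", CHRIS_CERT), ("other", OTHER_CERT), ("foreign", FOREIGN_CERT)):
        print(label, "root-only:", root_only_policy(cert, TRUSTED_ROOTS))
        print(label, "identity :", identity_policy(cert, CHRIS_ID, TRUSTED_ROOTS, ALLOWED_IDS))
```

Under the root-only policy both certs issued by XYZRoot are admitted regardless of who they name, which is why the ID payload adds nothing there. Under the identity policy a peer presenting pat's cert but asserting chris's ID is refused at the binding check, and a cert naming chris but issued by an untrusted root is refused before the ID is even looked at.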