
Re: 2401bis Issue # 89 -- Remove the selector "name"

At 8:57 AM -0700 10/23/03, Scott G. Kelly wrote:
>The name selector is often used for remote access, and maybe for 
>other applications. I know of several IPsec implementations which 
>use FQDN for remote access policy selection, and without DN, how do 
>we apply access controls based on certs?

This has been debated many times before. Some systems have policies 
that allow any cert that is signed by the trusted CA to have access. 
That is, the granularity is based on the trusted root, not on the 
identity. This means that a sysadmin doesn't have to list a zillion 
users, all of whom have identical access rights; it also means that 
the user has access as soon as they have their cert, without 
interaction from the sysadmin who is just going to duplicate what 
they did for the last user.

Names are useful for systems that differentiate by user, but they 
kill the ability to differentiate by certifier.

--Paul Hoffman, Director
--VPN Consortium
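
The two policy styles in this exchange, shown as an added illustration that is not code from the ipsec list or from any IPsec implementation: an IKE responder's peer-authorization step evaluated once with an "any cert chaining to this CA" rule and once with a name selector. The certificate records, CA names, peer names and the policy schema are all constructed for the example, and the signature and chain validation that real code does first is assumed to have already succeeded.

```python
# Added example (not from the ipsec list discussion or any IPsec
# implementation): an IKE responder's peer-authorization step evaluated
# against two policy styles, "any cert from this CA" versus "this named
# peer". Certificates are modelled as plain records with constructed
# sample data; the policy schema and all names are hypothetical, and the
# signature/chain validation that real code does first is assumed to
# have succeeded before authorize() is called.
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Cert:
    """The fields of a peer certificate that matter for authorization."""
    subject_dn: str           # X.500 subject DN
    san_fqdn: Optional[str]   # subjectAltName dNSName, if present
    issuer_dn: str            # DN of the CA that signed it


@dataclass(frozen=True)
class PolicyEntry:
    """One SPD-style authorization rule (hypothetical schema).

    kind == "issuer": match any peer whose cert chains to this CA DN
                      (granularity is the trusted root, no names listed).
    kind == "id":     match a peer ID (subject DN or SAN FQDN) no matter
                      which trusted CA issued the cert.
    """
    kind: str
    value: str
    label: str   # which connection/policy the peer is admitted to


# Constructed sample CA DNs; both are in the responder's trust store.
CORP_CA = "CN=Corp VPN CA,O=Example"
PARTNER_CA = "CN=Partner CA,O=Partner"
TRUSTED_CAS = frozenset({CORP_CA, PARTNER_CA})


def authorize(cert: Cert, policy: Sequence[PolicyEntry],
              trusted_cas=TRUSTED_CAS) -> Optional[str]:
    """Return the label of the first policy entry the peer matches, or None.

    A cert from an untrusted CA is rejected before policy is consulted; the
    chain/signature check itself is assumed done by the caller.
    """
    if cert.issuer_dn not in trusted_cas:
        return None
    peer_ids = {cert.subject_dn, cert.san_fqdn} - {None}
    for entry in policy:
        if entry.kind == "issuer" and entry.value == cert.issuer_dn:
            return entry.label
        if entry.kind == "id" and entry.value in peer_ids:
            return entry.label
    return None


# Policy 1: granularity at the trusted root. Nobody is listed by name.
ISSUER_POLICY = (PolicyEntry("issuer", CORP_CA, "remote-access"),)

# Policy 2: granularity by peer name. Every user must be enumerated.
NAME_POLICY = (PolicyEntry("id", "alice.vpn.example.com", "remote-access"),)

# Constructed peer certs.
ALICE = Cert("CN=alice,O=Example", "alice.vpn.example.com", CORP_CA)
BOB = Cert("CN=bob,O=Example", "bob.vpn.example.com", CORP_CA)     # new user
ALICE_FROM_PARTNER = Cert("CN=alice,O=Partner", "alice.vpn.example.com",
                          PARTNER_CA)   # same FQDN, different certifier
ROGUE = Cert("CN=alice", "alice.vpn.example.com", "CN=Unknown CA")  # untrusted


def compare() -> dict:
    """Evaluate each peer under both policies: (issuer result, name result)."""
    peers = {"alice": ALICE, "bob": BOB,
             "alice-partner": ALICE_FROM_PARTNER, "rogue": ROGUE}
    return {name: (authorize(c, ISSUER_POLICY), authorize(c, NAME_POLICY))
            for name, c in peers.items()}


if __name__ == "__main__":
    for name, (by_issuer, by_name) in compare().items():
        print(f"{name:14s} issuer-policy={by_issuer!s:14s} name-policy={by_name}")
```

Under the issuer rule, bob is admitted the moment his Corp CA cert exists and the partner-issued "alice" is refused; under the name rule, bob waits for an admin to add his entry, while the partner-issued "alice" walks in because a name selector cannot say which CA vouched for the name.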