RE: Confirm decision on identity handling.

> At 8:29 AM -0700 5/15/03, Eric Rescorla wrote:
> >> You could have a security policy that ignored the identity in the cert
> >> ("allow an SA with these restrictions to anyone who has a cert from
> >> XYZRoot"), or one that was identity-based ("let chris@xxxxxxxxxxx make
> >> an SA").
> > But you would presumably want to have some restrictions
> > on the IP addresses they were allowed to front for, right?
> Sure.

You could, but there are plenty of cases (the roaming user) where there is
no need. Those of us advocating the disassociation are not saying 100%
disassociate. We are saying make the base-line MUST disassociation, but
allow the users the ability in configuration to associate and look for ID
in a certain place in the cert IF THEY WANT. That way, the 10% of the cert
users that want to associate will get what they need, and the rest of the
90% will have something that works easily.

This is the basic convenience vs. security continuum. Our job as protocol
designers is to give the people something they can use. 20% want it super
secure at the cost of convenience. 80% want it secure, but convenient, and
are willing to make the trade-off from the super-secure. The text I proposed
tried to reach this goal.
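
The policy shapes discussed in this thread, as an added example that is not part of the original message or of any IKE implementation: a root-only rule, an optional rule that associates the IKE ID with the cert, and an identity-based rule with an address restriction. All names (`PeerAuth`, `Policy`, `authorize`) and the sample values are assumptions made up for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

@dataclass(frozen=True)
class PeerAuth:
    """State after the peer's certificate chain has already validated."""
    trust_anchor: str            # root the chain validated to
    cert_identities: frozenset   # names carried in the cert
    ike_id: str                  # identity claimed in the IKE ID payload
    requested_net: str           # addresses the peer wants to front for

@dataclass(frozen=True)
class Policy:
    trust_anchor: str
    bind_id_to_cert: bool = False            # baseline: ID payload and cert disassociated
    required_cert_id: Optional[str] = None   # identity-based rule
    allowed_nets: tuple = ()                 # empty: no address restriction

def authorize(peer: PeerAuth, policy: Policy) -> tuple:
    """Return (allowed, reason) for one SA request against one rule."""
    if peer.trust_anchor != policy.trust_anchor:
        return False, "untrusted root"
    if policy.bind_id_to_cert and peer.ike_id not in peer.cert_identities:
        return False, "IKE ID not found in cert"
    if policy.required_cert_id and policy.required_cert_id not in peer.cert_identities:
        return False, "cert identity not permitted"
    if policy.allowed_nets:
        req = ip_network(peer.requested_net)
        nets = (ip_network(n) for n in policy.allowed_nets)
        if not any(req.version == n.version and req.subnet_of(n) for n in nets):
            return False, "addresses outside policy"
    return True, "ok"

# Constructed sample: a roaming user whose IKE ID is not in the cert.
ROAMER = PeerAuth("XYZRoot", frozenset({"chris@example.com"}),
                  "laptop-17", "192.0.2.40/32")
ROOT_ONLY = Policy("XYZRoot")
ASSOCIATED = Policy("XYZRoot", bind_id_to_cert=True)
IDENTITY = Policy("XYZRoot", required_cert_id="chris@example.com",
                  allowed_nets=("192.0.2.0/24",))

if __name__ == "__main__":
    for name, pol in [("root-only", ROOT_ONLY), ("associated", ASSOCIATED),
                      ("identity+addresses", IDENTITY)]:
        print(name, authorize(ROAMER, pol))
```

The same roaming peer passes the root-only rule and fails the associated one, which is the configuration difference the thread is arguing over.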