From: John A. Sullivan III (john.sullivan_at_nexusmgmt.com)
Date: Sat Dec 07 2002 - 00:51:23 CET
A hypothetical question. Let's say we configure our VPN gateways
to trust external CAs CompanyA-CA and CompanyB-CA. We have a
connection definition that allows a CompanyA user with a cert where
C=US,O=CompanyA,OU=Financial,CN=joe.bloggs and another that allows in a
CompanyB user with a cert where
C=GB,O=CompanyB,OU=CompanyAPartner,CN=jane.doe. If CompanyB-CA issues a
CompanyB user a certificate where
C=US,O=CompanyA,OU=Financial,CN=joe.bloggs, i.e., they have "forged" a
CompanyA certificate, will we allow that user access as a CompanyA user,
since we are only checking the X.509 fields and not the issuer?
Is there a way to check the issuer with the X.509 patch without
dissecting the certificate? If I trust multiple CAs, how do I know which
one issued which certificate?
This is a real world problem for us since we are using the ID
information to make further dynamic security changes to iptables
granting different accesses to CompanyA and CompanyB. Thanks - John
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
John.Sullivan_at_nexusmgmt.com

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
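The scenario John describes, worked through in code as an added example (this is not code from the post, from FreeS/WAN, or from its X.509 patch): two constructed CAs, CompanyA-CA and CompanyB-CA, both trusted by the gateway; a genuine CompanyA certificate; and a certificate minted by CompanyB-CA that carries Joe Bloggs' CompanyA DN. The Connection struct with a per-connection Roots pool is an assumption introduced here to show the fix, not a FreeS/WAN conn option. The DN-only policy still verifies the signature, but against a pool holding both CAs, which is exactly what lets the forged DN through; the issuer-pinned policy verifies the chain against the single CA bound to that connection before looking at the DN at all. Note that neither policy reads the certificate's Issuer field by name: a rogue CA can write any issuer name into a certificate, so only the signature chain ties a DN to a specific CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Connection models one connection definition: the peer DN it names and,
// as an added field, the single CA allowed to vouch for that DN.
type Connection struct {
	Subject pkix.Name
	Roots   *x509.CertPool
}

// newCA makes a self-signed CA (constructed test data, not a real CA).
func newCA(name string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issue has ca sign an end-entity certificate carrying subj. Nothing stops a
// CA from putting any DN it likes here; that is the whole problem.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, subj pkix.Name, serial int64) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      subj,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// chainsTo is the signature check: does cert chain to a CA in roots?
func chainsTo(cert *x509.Certificate, roots *x509.CertPool) bool {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

// sameDN compares the RFC 2253 string forms of two names.
func sameDN(a, b pkix.Name) bool { return a.String() == b.String() }

// SubjectOnlyAccepts is the behaviour the post asks about: every trusted CA
// sits in one pool, and access is then keyed on the DN alone.
func SubjectOnlyAccepts(allTrusted *x509.CertPool, conn Connection, cert *x509.Certificate) bool {
	return chainsTo(cert, allTrusted) && sameDN(cert.Subject, conn.Subject)
}

// IssuerPinnedAccepts verifies against the one CA bound to this connection.
func IssuerPinnedAccepts(conn Connection, cert *x509.Certificate) bool {
	return chainsTo(cert, conn.Roots) && sameDN(cert.Subject, conn.Subject)
}

// Outcome records what each policy does with the forged and genuine certs.
type Outcome struct {
	SubjectOnlyForged bool // CompanyA DN signed by CompanyB-CA, DN-only policy
	PinnedForged      bool // same cert, issuer-pinned policy
	PinnedGenuine     bool // real CompanyA-CA cert, issuer-pinned policy
}

// Scenario builds both CAs and both certificates and runs both policies.
func Scenario() (Outcome, error) {
	var out Outcome
	caA, keyA, err := newCA("CompanyA-CA", 1)
	if err != nil {
		return out, err
	}
	caB, keyB, err := newCA("CompanyB-CA", 2)
	if err != nil {
		return out, err
	}
	joe := pkix.Name{Country: []string{"US"}, Organization: []string{"CompanyA"},
		OrganizationalUnit: []string{"Financial"}, CommonName: "joe.bloggs"}
	poolA, both := x509.NewCertPool(), x509.NewCertPool()
	poolA.AddCert(caA)
	both.AddCert(caA)
	both.AddCert(caB)
	connA := Connection{Subject: joe, Roots: poolA}

	genuine, err := issue(caA, keyA, joe, 100)
	if err != nil {
		return out, err
	}
	forged, err := issue(caB, keyB, joe, 200) // CompanyB-CA mints Joe's DN
	if err != nil {
		return out, err
	}
	out.SubjectOnlyForged = SubjectOnlyAccepts(both, connA, forged)
	out.PinnedForged = IssuerPinnedAccepts(connA, forged)
	out.PinnedGenuine = IssuerPinnedAccepts(connA, genuine)
	return out, nil
}

func main() {
	out, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Run with `go run .`; the DN-only policy admits the forged certificate, the pinned policy rejects it and still admits the genuine one. Applied to the iptables case in the post, the rule set for CompanyA should only be installed when the chain terminates at CompanyA-CA, not whenever a trusted CA has signed a CompanyA-looking DN.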
This archive was generated by hypermail 2.1.5 : Sun Dec 08 2002 - 05:20:51 CET