This is also confusing me, since PKI is normally used for authn checking
and not authz checking (PMI is for that). So what information in a PKC
is used to imply that the subject is authorised to act on behalf of a realm?
regards
David
On 02/10/2013 11:15, Sam Hartman wrote:
>>>>>> "Josh" == Josh Howlett <[log in to unmask]> writes:
>
> Josh> Thanks for the reminder, I always forget about this
> Josh> wrinkle. This is something that will get ironed out in the
> Josh> fulness of time, and so I think we should focus on an approach
> Josh> that reduces the risk of transition inertia.
>
> Note that for the managed RP service we're assuming we construct a PKI.
> Do we want to be looking at PSK for that?
> >> * Do we want to be able to disable the hostname check?
>
> Josh> I think that is reasonable. The cert is simply being used to
> Josh> demonstrate authorisation to act as an upstream AAA proxy in
> Josh> the context of a realm. If the acceptor wants multiple
> Josh> upstreams, use a different cert per upstream.
>
> >> * What configuration parameters do we want for cert checking?
>
> Josh> Chains back to a configured root.
>
> I'm having difficulty reconciling these answers.
> If you disable the hostname check and allow it to chain back to a
> configured root
> how do you distinguish different realms?
>
> Or do you configure the root per realm?
>
|