On Jan 12, 2014, at 7:15 AM, Paul Wouters <p...@nohats.ca> wrote:

>> Regarding audit, we can mandate that each record should say something like
>> "Snow White (claimed but unauthenticated identity)".
>
> You are suggesting client-side security? I don't understand. If I were to
> write software where an ID is sent but completely unauthenticated and
> falsifiable, I would probably just not log it to avoid confusion.
IDK. My mail client shows your message as coming from "Paul Wouters <p...@nohats.ca>" even though that is just a text field that you could put anything in. We always trust claimed identities to a certain extent. The only time we don't is when someone claims an identity that is bound (in our policy) to some authorization.

So if your machine contacts mine out of the blue and claims to be "Paul's VPN gateway", that's fine and I can log it. If it claims to be "ili-natasha-gw.checkpoint.com", then I'll need some more proof.

Yoav

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
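The policy Yoav describes (log any claimed identity, but require proof before honouring one that is bound to an authorization) can be written down as a small decision routine. The following is an added example, not code from the thread or from any IPsec implementation; the policy table, the `PeerIdentity` type and the `evaluate_peer` helper are constructed for illustration, and the gateway name is the one used in the discussion.

```python
"""Audit logging of claimed vs. authenticated peer identities.

Added example, not from the thread. The policy table, the peer record and
the identity strings are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PeerIdentity:
    claimed_id: str       # the ID the peer sent: a free-form text field
    authenticated: bool   # True only if that ID was bound by a verified credential


# Constructed policy: the only identities that carry an authorization.
# Any other claimed identity is accepted for logging but grants nothing.
BOUND_IDENTITIES = {
    "ili-natasha-gw.checkpoint.com": "gateway:remote-site",
}


def audit_label(peer: PeerIdentity) -> str:
    """Render the identity for an audit record, marking its trust level."""
    if peer.authenticated:
        return f"{peer.claimed_id} (authenticated)"
    return f"{peer.claimed_id} (claimed but unauthenticated identity)"


def evaluate_peer(peer: PeerIdentity) -> dict:
    """Decide whether to accept the peer and what, if anything, it is authorized for.

    An unbound identity is accepted whether or not it was authenticated; it is
    only logged. An identity bound to an authorization needs proof, so a bare
    claim of such an identity is rejected before anything is granted.
    """
    record = {
        "identity": audit_label(peer),
        "authorization": None,
        "decision": "accept",
    }
    bound_to = BOUND_IDENTITIES.get(peer.claimed_id)
    if bound_to is None:
        return record                      # nothing to gate, log the claim as-is
    if not peer.authenticated:
        record["decision"] = "reject"
        record["reason"] = "claimed a bound identity without proof"
        return record
    record["authorization"] = bound_to     # proven identity, grant what policy binds to it
    return record


if __name__ == "__main__":
    for peer in (
        PeerIdentity("Paul's VPN gateway", authenticated=False),
        PeerIdentity("ili-natasha-gw.checkpoint.com", authenticated=False),
        PeerIdentity("ili-natasha-gw.checkpoint.com", authenticated=True),
    ):
        print(evaluate_peer(peer))
```

The point of keeping the unauthenticated claim in the record rather than dropping it is that the label itself carries the trust level, so a reader of the audit log cannot mistake a bare claim for a verified identity, while the policy gate still refuses to act on a claim that would grant something.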