
Re: FW: isakmpd AND NOT policy



In message <D58D3E1961C58043BD828065D12E49951D6D05@foxserver>, Pepijn Vissers writes:
>
>142342.263902 Plcy 40 check_policy: adding authorizer [DN:/L=Den
>Haag/C=NL/OU=Roaming User 001<snip>
>
>Normally, because this user has a CA-signed PGP key, he would be able to
>connect, because all CA-signed certificates are authorized by "POLICY".
>I now want to exclude users that still have their CA-signed key, but should
>no longer be allowed to connect, by matching their DN to a 'blacklist'.

Ah, ok. Yes, you can match against _ACTION_AUTHORIZERS (sorry, _AUTHORIZERS by
itself is not right), but note that this user can delegate to another (fake)
user and bypass the check, unless you've set the no-propagate (no-delegate) flag
in their X.509 certificate.
-Angelos