This is a prominent example where the identity based CA constraint is
benefical. While the description of the test claims a strict binding
of the client to the intermediate CA, this is not fully true if CA operators
are not fully trusted: A rogue OU=Sales intermediate may issue certificates
containing a OU=Research.
By binding the connection to the CA, we can avoid this, and using the identity
based constraint still allows moon to receive the intermediate over IKE
or hash-and-url.
}
remote {
auth = pubkey
- id = "C=CH, O=strongSwan Project, OU=Research, CN=*"
+ ca_id = "C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
}
children {
alice {
}
remote {
auth = pubkey
- id = "C=CH, O=strongSwan Project, OU=Sales, CN=*"
+ ca_id = "C=CH, O=strongSwan Project, OU=Sales, CN=Sales CA"
}
children {
venus {