[Swan] Wildcarding rightid

Paul Wouters paul at nohats.ca
Mon Apr 8 09:33:25 UTC 2019


On Fri, 5 Apr 2019, Messa, Michael - 0664 - MITLL wrote:

> "I still cannot imagine a scenario where the constraints you mention are a valid set of constraints for deployment."
>
> I concur. The counter argument I've received is that the PSK alone is sufficient to anchor the trust between the client and the server and that the IDr in this case is not consequential.

That might be true, if the PSK is unique and not shared, and the
scenario only works when you have one of these, because if you have
two of these, then you would end up having to select one PSK and, if the
AUTH fails, retry with the other PSK. So again, that makes supporting
this a really odd corner case. The obvious solution would be to agree
on the ID and configure it. Or, if the other party refuses that, to just
see what ID they send and stupidly configure it on your end as the peer
ID.

Paul