On Tue, Jun 19, 2018 at 3:46 PM, Nico Williams <[email protected]> wrote:
> On Tue, Jun 19, 2018 at 12:26:10PM -0700, Eric Rescorla wrote:
> > On Tue, Jun 19, 2018 at 11:34 AM, Nico Williams <[email protected]>
> > wrote:
> > > The I-D should say that clients MUST allow local configuration of what
> > > domains to accept trust anchors for, and SHOULD allow local policy to
> > > list . as a domain for which to accept trust anchors.
> > >
> > > This local configuration should be per-SG.
> >
> > The ID can say that, but as a practical matter, any enterprise that has
> > a reasonable number of internal domains is just going to tell people
> > to configure their client to accept any domain name.
>
> And what's the problem with that?
>
> If it's your own device you might balk, so get your employer to provide
> you with theirs. Or just accept it as part of the employment deal.

Again, right now I'm just trying to establish the facts of the matter. Do
you agree this is going to be a common scenario?

-Ekr
