mirror of
https://github.com/strongswan/strongswan.git
synced 2025-10-16 00:00:37 -04:00
This is a prominent example where the identity based CA constraint is beneficial. While the description of the test claims a strict binding of the client to the intermediate CA, this is not fully true if CA operators are not fully trusted: A rogue OU=Sales intermediate may issue certificates containing an OU=Research. By binding the connection to the CA, we can avoid this, and using the identity based constraint still allows moon to receive the intermediate over IKE or hash-and-url.