Re: SKIP: Fixes to certificate discovery protocol
Hi, Tom,
I am confused by this fix. Germano wrote:
> |
> |Master Key-ID - this is a 32 bit or a 128 bit identifier as described
> | in the section on Master Key-IDs.
>
> Hmm. How do I know if it is 32bit or 128 bit? Why only the two values?
> Redesign. Include NSID!
This comment from Germano is for Draft 2, because the certificate
discovery message contains Master Key-ID, but no NSID.
Draft 2:
>  0                   1                   2                   3
>  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> |    VERSION    |    ACTION     |    STATUS     |NUMBER-OF-CERTS|
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> |           Master Key-ID of certificate(s) in packet           ~
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
I thought this was fixed in Draft 3:
>  0               1               2               3
>  0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> | VERS  |ACTION |    STATUS     |     NSID      |NUMBER-OF-CERTS|
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> |           Master Key-ID of certificate(s) in packet           ~
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The fix has NSID with each certificate.
 0               1               2               3
 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| VERS  |ACTION |    STATUS     |        NUMBER-OF-CERTS        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            Requested Master Key-ID of certificate             ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   CERT-TYPE   |     NSID      |          CERT-LENGTH          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          CERTIFICATE                          ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   CERT-TYPE   |     NSID      |          CERT-LENGTH          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          CERTIFICATE                          ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
...
> Master Key-ID - this is the identifier as described in the section on
> Master Key-IDs. Its length is dependent on the value
> of the NSID field. It is only used when requesting
> certificates with a specific master key-id from another
> entity. The requester may set this to zero (0) in which
> case the receiver should consider the request for ALL
> certificates. The responder should always set this
> field to zero (0).
Suggestion: The responder should retain the same Master Key-ID so
one can match a certificate response to its certificate request.
There can be multiple outstanding certificate requests.
...
NSID - identifies the namespace that the Key-ID belongs to.
The values of this field are described in the assigned
numbers portion of this document.
There is only one Master Key-ID. Why do you need NSID with each certificate?
Is the intent to associate each certificate with a Key-ID? If so,
then you need both NSID and Master Key-ID with each certificate.
Cheers,
Ping-Ping
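An added example, not code from the SKIP drafts or from the message above: an encoder and parser in Python for the third layout shown in the message (the one with CERT-TYPE/NSID/CERT-LENGTH in front of each certificate). Field widths are read off that diagram; the NSID codes, the Key-ID lengths they select and the ACTION codes are assumptions made for the demo. Two points of the discussion show up directly in the code: since that header carries no NSID for the Master Key-ID, decode() has to be told the namespace out of band to know whether the Key-ID is 32 or 128 bits, and the Requester class can only match a response to one of several outstanding requests if the responder echoes the requested Master Key-ID rather than zeroing it.

```python
import struct

# Added example, not code from the SKIP drafts or from the message above.
# Field widths follow the per-certificate NSID layout in the message:
#   VERS(4) ACTION(4) STATUS(8) NUMBER-OF-CERTS(16) | Master Key-ID (NSID-dependent)
#   then per certificate: CERT-TYPE(8) NSID(8) CERT-LENGTH(16) CERTIFICATE
# NSID codes, Key-ID lengths and ACTION codes below are assumptions for the demo.
CDP_VERSION = 1
KEY_ID_LEN_BY_NSID = {1: 4, 2: 16}      # hypothetical: NSID 1 -> 32-bit, NSID 2 -> 128-bit
ACTION_REQUEST, ACTION_RESPONSE = 1, 2  # hypothetical action codes


class CDPError(ValueError):
    """Malformed or unexpected certificate discovery message."""


def key_id_len(nsid):
    """Master Key-ID length in bytes; only the NSID tells us whether it is 32 or 128 bits."""
    if nsid not in KEY_ID_LEN_BY_NSID:
        raise CDPError("unknown NSID %d" % nsid)
    return KEY_ID_LEN_BY_NSID[nsid]


def encode(action, status, master_key_id, key_nsid, certs):
    """Build a message; certs is a list of (cert_type, nsid, cert_bytes)."""
    if len(master_key_id) != key_id_len(key_nsid):
        raise CDPError("Master Key-ID length does not match NSID %d" % key_nsid)
    if not (0 <= action <= 0xF and 0 <= status <= 0xFF and len(certs) <= 0xFFFF):
        raise CDPError("field value out of range")
    out = bytearray(struct.pack("!BBH", (CDP_VERSION << 4) | action, status, len(certs)))
    out += master_key_id
    for cert_type, nsid, cert in certs:
        if len(cert) > 0xFFFF:
            raise CDPError("certificate does not fit in CERT-LENGTH")
        out += struct.pack("!BBH", cert_type, nsid, len(cert)) + cert
    return bytes(out)


def decode(buf, key_nsid):
    """Parse a message.  key_nsid must come from outside the packet: this layout
    carries no NSID for the Master Key-ID, so its length cannot be read off the wire."""
    if len(buf) < 4:
        raise CDPError("truncated header")
    vers_action, status, ncerts = struct.unpack("!BBH", buf[:4])
    klen = key_id_len(key_nsid)
    if len(buf) < 4 + klen:
        raise CDPError("truncated Master Key-ID")
    master_key_id = bytes(buf[4:4 + klen])
    off, certs = 4 + klen, []
    for _ in range(ncerts):
        if len(buf) < off + 4:
            raise CDPError("truncated certificate header")
        cert_type, nsid, clen = struct.unpack("!BBH", buf[off:off + 4])
        off += 4
        if len(buf) < off + clen:
            raise CDPError("CERT-LENGTH runs past end of packet")
        certs.append((cert_type, nsid, bytes(buf[off:off + clen])))
        off += clen
    if off != len(buf):
        raise CDPError("trailing bytes after last certificate")
    return {"vers": vers_action >> 4, "action": vers_action & 0xF, "status": status,
            "master_key_id": master_key_id, "certs": certs}


def is_request_for_all(master_key_id):
    """An all-zero Master Key-ID in a request means 'send every certificate'."""
    return not any(master_key_id)


class Requester:
    """Tracks outstanding requests by Master Key-ID.  Matching only works if the
    responder echoes the requested Key-ID instead of zeroing it."""

    def __init__(self, key_nsid):
        self.key_nsid = key_nsid
        self.outstanding = {}

    def request(self, master_key_id):
        pkt = encode(ACTION_REQUEST, 0, master_key_id, self.key_nsid, [])
        self.outstanding[bytes(master_key_id)] = pkt
        return pkt

    def handle_response(self, buf):
        msg = decode(buf, self.key_nsid)
        if msg["action"] != ACTION_RESPONSE:
            raise CDPError("not a response")
        if msg["master_key_id"] not in self.outstanding:
            raise CDPError("response matches no outstanding request")
        del self.outstanding[msg["master_key_id"]]
        return msg


if __name__ == "__main__":
    r = Requester(key_nsid=1)
    r.request(b"\x0a\x00\x00\x01")          # constructed 32-bit Key-IDs
    r.request(b"\x0a\x00\x00\x02")
    reply = encode(ACTION_RESPONSE, 0, b"\x0a\x00\x00\x02", 1, [(1, 1, b"CERT-B")])
    print(r.handle_response(reply)["certs"], sorted(r.outstanding))
```

With the draft's "responder always sets this field to zero" rule, handle_response() on a zeroed reply raises, because there is no way to tell which of the two outstanding requests it answers; the per-certificate NSID in the reply still says nothing about the Key-ID in the header.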