
Re: Certificate Request Payload



Greg,

> From draft 6 of ISAKMP 
> 3.10 Certificate Request Payload
> ..."The responder to the Certificate Request payload MUST send its
> immediate certificate,
> if certificates are supported, and SHOULD send as much of its
> certificate chain as possible."
> 
> As part of the certificate chain can we send Certificate Revocation
> Lists (CRL) and Authority Revocation
> Lists (ARL)?
 
ISAKMP is not intended to provide the services of the certificate
infrastructure. Thus, we did not intend to include CRLs and ARLs within
ISAKMP messages as part of the certificate chain. If the CRLs and ARLs
can fit within the Certificate Payload format AND the WG feels this is
a necessary requirement, then we can explore supporting this
functionality (including, possibly changing the payload formats).
However, I don't feel this is the job of ISAKMP.

> Or was it intended that the certificate chain only include the immediate
> certificates of the users/CAs in question?

Correct. The purpose of the Certificate Request payload is just to get
the immediate certificate(s) of the user/CA in question. The
Certificate Request payload was added so that if the certificate
infrastructure was not available, users could still communicate by
using this payload (along with the Certificate payload) to exchange
certificate chains.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* Douglas Maughan                    Voice:  (301) 688-0847               *
* Technical Director, R23            Fax:    (301) 688-0255               *
* National Security Agency           E-mail: wdmaugh@tycho.ncsc.mil       *
* 9800 Savage Road                           maughan@cs.umbc.edu          *
* Fort Meade, MD. 20755-6000                                              * 
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
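The exchange above turns on how Certificate payloads are chained and whether a revocation list can ride along in that chain. The following Python is an added example, not code from the thread or from any ISAKMP implementation: it builds and parses a chain of Certificate payloads using the generic payload header and Certificate Encoding values of the published ISAKMP spec (RFC 2408 sections 3.1 and 3.9; the draft 6 layout discussed in the thread may differ, so treat the constants as an assumption), enforces payload-length bounds while walking the chain, and separates certificate entries from CRL/ARL entries so a receiver can decide what it will and will not accept. The certificate bodies are constructed opaque bytes standing in for DER, not real certificates. Whatever the peer supplies, the receiver must still validate the chain against its own trust anchor; the example only demonstrates safe framing.

```python
import struct

# Certificate Encoding values (RFC 2408 section 3.9). Assumed here; the draft
# discussed in the thread may have used a different table.
ENC_PKCS7_X509 = 1
ENC_X509_SIG = 4
ENC_CRL = 7
ENC_ARL = 8

# Next Payload type numbers (RFC 2408 section 3.1)
NP_NONE = 0
NP_CERT = 6
NP_CERTREQ = 7

# Generic payload header: Next Payload (1), RESERVED (1), Payload Length (2),
# where Payload Length covers the header itself.
HDR = struct.Struct("!BBH")


def build_cert_payload(next_payload, encoding, data):
    """Certificate payload: header, one Cert Encoding octet, certificate data."""
    return HDR.pack(next_payload, 0, HDR.size + 1 + len(data)) + bytes([encoding]) + data


def build_certreq_payload(next_payload, cert_type, ca_name):
    """Certificate Request payload: header, one Cert Type octet, CA name bytes."""
    return HDR.pack(next_payload, 0, HDR.size + 1 + len(ca_name)) + bytes([cert_type]) + ca_name


def parse_payload_chain(buf, first_type):
    """Walk a chain of payloads; first_type comes from the preceding Next Payload field.
    Returns a list of (payload_type, body) and raises ValueError on any framing error."""
    out = []
    off = 0
    ptype = first_type
    while ptype != NP_NONE:
        if off + HDR.size > len(buf):
            raise ValueError("truncated payload header")
        nxt, reserved, length = HDR.unpack_from(buf, off)
        if reserved != 0:
            raise ValueError("RESERVED octet must be zero")
        # Length must at least cover the header and must stay inside the buffer.
        if length < HDR.size or off + length > len(buf):
            raise ValueError("bad payload length %d at offset %d" % (length, off))
        out.append((ptype, buf[off + HDR.size:off + length]))
        off += length
        ptype = nxt
    if off != len(buf):
        raise ValueError("trailing bytes after final payload")
    return out


def split_chain(buf):
    """Parse a chain of Certificate payloads and separate certificates from
    revocation lists. Returns (certs, revocation_lists), each a list of (encoding, data)."""
    certs, revocation = [], []
    for ptype, body in parse_payload_chain(buf, NP_CERT):
        if ptype != NP_CERT:
            raise ValueError("unexpected payload type %d in certificate chain" % ptype)
        if not body:
            raise ValueError("Certificate payload has no encoding octet")
        encoding, data = body[0], body[1:]
        if encoding in (ENC_CRL, ENC_ARL):
            revocation.append((encoding, data))
        else:
            certs.append((encoding, data))
    return certs, revocation


def is_well_formed(buf):
    """True if the buffer is a correctly framed Certificate payload chain."""
    try:
        split_chain(buf)
        return True
    except ValueError:
        return False


# Constructed sample: leaf and intermediate certificates followed by a CRL.
# The data bytes are placeholders, not real DER.
SAMPLE_CHAIN = (
    build_cert_payload(NP_CERT, ENC_X509_SIG, b"leaf-cert")
    + build_cert_payload(NP_CERT, ENC_X509_SIG, b"intermediate-cert")
    + build_cert_payload(NP_NONE, ENC_CRL, b"crl-data")
)

# Constructed sample request for an X.509 signature certificate from a named CA.
SAMPLE_REQUEST = build_certreq_payload(NP_NONE, ENC_X509_SIG, b"CN=Example CA")

if __name__ == "__main__":
    certs, rls = split_chain(SAMPLE_CHAIN)
    print("certificates:", certs)
    print("revocation lists:", rls)
    print("request:", parse_payload_chain(SAMPLE_REQUEST, NP_CERTREQ))
```

The parser refuses a chain whose declared lengths run past the buffer or leave unconsumed bytes, which is the framing check a receiver needs before it ever looks at the certificate data; what to do with a CRL or ARL entry is then a local policy decision rather than something the wire format decides for you.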