
RE: Certificate Request Payload



>
>>ISAKMP is not intended to provide the services of the certificate
>>infrastructure. Thus, we did not intend to include CRLs and ARLs within
>>ISAKMP messages as part of the certificate chain. If the CRLs and ARLs
>>can fit within the Certificate Payload format AND the WG feels this is
>>a necessary requirement, then we can explore supporting this
>>functionality (including, possibly changing the payload formats).
>>However, I don't feel this is the job of ISAKMP.

Hi Douglas,
Let me give you a very probable situation:

Remote user connecting through a firewall to home network. The remote user
acts as an ISAKMP peer, as does the firewall. The firewall has access to the
directory services and is using X.509 certificates.

The remote user has no access to the directory during ISAKMP negotiation, but
knows how to handle X.509 certificates. During the negotiation the remote
user's ISAKMP engine requests the peer's certificate.

In order to do full validation of the certificate a good CRL is needed. If
cross-certificates are returned in the certificate chain then ARLs will also
be needed to validate the certificate. It wouldn't make sense to be able to
get a certificate through ISAKMP but not the ARLs/CRLs necessary to validate
it.

I don't think there would be any problem fitting the ARLs and CRLs within the
Cert payload. It MAY mean the addition of some cert types.
----
Greg Carter
Nortel Secure Networks - Entrust
carterg@entrust.com
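The validation the message describes, as an added example that is not part of the original thread or of any ISAKMP implementation: a chain walk in which every link is checked against its issuer's revocation list, the firewall's end-entity certificate against the issuing CA's CRL and the cross-certificate against the root's ARL. It uses the `cryptography` package (assumed installed); the names "Home Root CA", "Partner CA" and "Firewall", the serial numbers and the revocation lists are all constructed for the example. Validity-period and CRL freshness checks are left out to keep the revocation logic in view.

```python
"""
Walk an X.509 chain and check each link against its issuer's revocation
list: the end-entity certificate against the issuing CA's CRL, and each
CA certificate (for instance a cross-certificate) against its issuer's ARL.
Added example, not code from the thread; it uses the `cryptography`
package (assumed installed). Keys, certificates, CRL and ARL are all
constructed in memory, so it runs offline.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime.datetime(2024, 1, 1)  # constructed reference time for validity fields


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cn(cert):
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def make_cert(subject_cn, subject_key, issuer_cn, issuer_key, serial, is_ca):
    """Issue a certificate for subject_key, signed by issuer_key."""
    return (x509.CertificateBuilder()
            .subject_name(_name(subject_cn))
            .issuer_name(_name(issuer_cn))
            .public_key(subject_key.public_key())
            .serial_number(serial)
            .not_valid_before(NOW)
            .not_valid_after(NOW + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))


def make_crl(issuer_cn, issuer_key, revoked_serials):
    """Build a CRL; an ARL is the same structure, listing revoked CA certificates."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(_name(issuer_cn))
               .last_update(NOW)
               .next_update(NOW + datetime.timedelta(days=7)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder()
            .serial_number(serial).revocation_date(NOW).build())
    return builder.sign(issuer_key, hashes.SHA256())


def verify_chain(chain, trust_anchor, revocation_lists):
    """
    chain: [end-entity, ..., CA certificate issued by trust_anchor].
    revocation_lists: {issuer DN string: CRL/ARL signed by that issuer}.
    Returns (ok, reason). A missing revocation list for any link is a
    failure, not a skipped check: the chain cannot be fully validated.
    """
    issuers = chain[1:] + [trust_anchor]
    for cert, issuer in zip(chain, issuers):
        who = _cn(cert)
        if cert.issuer != issuer.subject:
            return False, f"{who}: issuer name does not match {_cn(issuer)}"
        if not issuer.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
            return False, f"{who}: issuer {_cn(issuer)} is not a CA"
        try:
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       ec.ECDSA(cert.signature_hash_algorithm))
        except InvalidSignature:
            return False, f"{who}: signature does not verify under {_cn(issuer)}"
        rl = revocation_lists.get(issuer.subject.rfc4514_string())
        if rl is None:
            return False, f"{who}: no CRL/ARL from {_cn(issuer)}; cannot complete validation"
        if not rl.is_signature_valid(issuer.public_key()):
            return False, f"{who}: revocation list from {_cn(issuer)} has a bad signature"
        if rl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
            return False, f"{who}: revoked by {_cn(issuer)}"
    return True, "chain verified and no link is revoked"


def build_scenario():
    """Constructed PKI: the remote user trusts Home Root CA, which cross-certifies
    Partner CA; Partner CA issues the firewall's certificate."""
    root_key, partner_key, fw_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = make_cert("Home Root CA", root_key, "Home Root CA", root_key, 1, True)
    cross = make_cert("Partner CA", partner_key, "Home Root CA", root_key, 2, True)
    firewall = make_cert("Firewall", fw_key, "Partner CA", partner_key, 3, False)
    return {
        "root": root,
        "chain": [firewall, cross],
        "crl_clean": make_crl("Partner CA", partner_key, []),
        "crl_revokes_firewall": make_crl("Partner CA", partner_key, [3]),
        "arl_clean": make_crl("Home Root CA", root_key, []),
        "arl_revokes_cross": make_crl("Home Root CA", root_key, [2]),
    }


def run_cases():
    """Return {case: (ok, reason)} for the outcomes the scenario can produce."""
    s = build_scenario()
    partner_dn = _name("Partner CA").rfc4514_string()
    root_dn = _name("Home Root CA").rfc4514_string()
    return {
        "crl and arl, nothing revoked": verify_chain(
            s["chain"], s["root"], {partner_dn: s["crl_clean"], root_dn: s["arl_clean"]}),
        "crl only, no arl for the cross-certificate": verify_chain(
            s["chain"], s["root"], {partner_dn: s["crl_clean"]}),
        "arl revokes the cross-certificate": verify_chain(
            s["chain"], s["root"], {partner_dn: s["crl_clean"], root_dn: s["arl_revokes_cross"]}),
        "crl revokes the firewall certificate": verify_chain(
            s["chain"], s["root"], {partner_dn: s["crl_revokes_firewall"], root_dn: s["arl_clean"]}),
    }


if __name__ == "__main__":
    for case, (ok, reason) in run_cases().items():
        print(f"{'PASS' if ok else 'FAIL'}  {case}: {reason}")
```

The second case is the point of the message: the chain's signatures all verify and the end-entity CRL is clean, yet validation stops at the cross-certificate because the root's ARL never arrived. A peer that cannot reach the directory has no way past that unless the revocation lists travel with the chain.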