
RE: Certificate Request Payload



Greg,

> >>ISAKMP is not intended to provide the services of the certificate
> >>infrastructure. Thus, we did not intend to include CRLs and ARLs within
> >>ISAKMP messages as part of the certificate chain. If the CRLs and ARLs
> >>can fit within the Certificate Payload format AND the WG feels this is
> >>a necessary requirement, then we can explore supporting this
> >>functionality (including, possibly changing the payload formats).
> >>However, I don't feel this is the job of ISAKMP.
> 
> Let me give you a very probable situation:
> 
> Remote user connecting through a firewall to home network.  The remote
> user acts as an ISAKMP peer as does the Firewall.  The Firewall has 
> access to the directory services and is using X.509 certificates.
> 
> The remote user has no access to the directory during ISAKMP
> negotiation, but knows how to handle X.509 certificates.  During the 
> negotiation the remote user ISAKMP engine requests the peer's certificate.
> 
> In order to do full validation of the certificate a good CRL is needed.
> If cross-certificates are returned in the certificate chain then ARLs
> will also be needed to validate the certificate.  It wouldn't make
> sense to be able to get a certificate but not the ARLs-CRLs necessary to
> validate it through ISAKMP.

Very valid scenario. 

> I don't think there would be any problem fitting the ARLs and CRLs
> within the Cert payload.  It MAY mean the addition of some cert types.

As I stated in my previous response, ISAKMP was not designed to provide
the services of the certificate infrastructure. However, I agree with
you that this functionality COULD be provided by adding some new
certificate types for requesting CRLs and/or ARLs as part of the
protocol. This would allow your remote user the capability to request
CRLs and ARLs (when needed). Given the draft is now in Last Call, I'll
leave this discussion to the working group and the WG chairs.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* Douglas Maughan                Voice:  (301) 688-0847           *
* Technical Director, R23        Fax:    (301) 688-0255           *
* National Security Agency       E-mail: wdmaugh@tycho.ncsc.mil   *
* 9800 Savage Road                       maughan@cs.umbc.edu      *
* Fort Meade, MD. 20755-6000                                      *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
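The Certificate Payload run discussed above (certificate followed by CRL and ARL entries, with validation that fails closed when revocation data is missing), as an added example that is not part of this thread. It assumes the RFC 2408 Certificate Payload layout (Next Payload, RESERVED, Payload Length, Cert Encoding, Certificate Data), the CERT next-payload value 6, and the encoding-type numbers 4 = X.509 signature certificate, 7 = CRL, 8 = ARL; the payload bodies are constructed placeholder bytes, not real DER objects.

```python
import struct

# Assumed RFC 2408 Certificate Payload header: Next Payload (1 byte),
# RESERVED (1), Payload Length (2, covers header + encoding byte + data),
# Cert Encoding (1), then Certificate Data.
HDR = "!BBHB"
HDR_LEN = struct.calcsize(HDR)       # 5
NP_CERT = 6                          # Next Payload value for another CERT
ENC_X509_SIG, ENC_CRL, ENC_ARL = 4, 7, 8

def build_cert_payload(next_payload, encoding, data):
    """Serialize one Certificate Payload carrying `data`."""
    return struct.pack(HDR, next_payload, 0, HDR_LEN + len(data), encoding) + data

def parse_cert_payloads(buf):
    """Walk consecutive Certificate Payloads; return [(encoding, data), ...].

    Stops after the payload whose Next Payload field is not CERT, so a
    following payload of another type is not misread as a certificate.
    """
    out, off = [], 0
    while off < len(buf):
        if len(buf) - off < HDR_LEN:
            raise ValueError("truncated Certificate Payload header")
        nxt, reserved, length, enc = struct.unpack_from(HDR, buf, off)
        if reserved != 0 or length < HDR_LEN or off + length > len(buf):
            raise ValueError("malformed Certificate Payload")
        out.append((enc, bytes(buf[off + HDR_LEN:off + length])))
        off += length
        if nxt != NP_CERT:
            break
    return out

def revocation_data_present(payloads, chain_has_cross_certs):
    """Fail closed: full validation needs a CRL, and an ARL as well when
    cross-certificates appear in the chain (the scenario in the thread)."""
    encodings = {enc for enc, _ in payloads}
    if ENC_CRL not in encodings:
        return False
    if chain_has_cross_certs and ENC_ARL not in encodings:
        return False
    return True

# Constructed sample: certificate, CRL and ARL in one run of payloads.
SAMPLE = (build_cert_payload(NP_CERT, ENC_X509_SIG, b"<cert-der>")
          + build_cert_payload(NP_CERT, ENC_CRL, b"<crl-der>")
          + build_cert_payload(0, ENC_ARL, b"<arl-der>"))
```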