
draft-ietf-ipsec-isakmp-06.txt




The following two clips of text are from draft-ietf-ipsec-isakmp-06.txt.

> 3.10 Certificate Request Payload
>
>
> The Certificate Request Payload provides a means to request certificates
> via ISAKMP and can appear in any message.  Certificate Request payloads
> SHOULD be included in an exchange whenever an appropriate directory
> service (e.g. Secure DNS [DNSSEC]) is not available to distribute
> certificates.  The Certificate Request payloads MUST be accepted at any
> point during the exchange.  The responder to the Certificate Request
> payload MUST send its immediate certificate, if certificates are
> supported, and SHOULD send as much of its certificate chain as possible.
> Figure 11 shows the format of the Certificate Request Payload.
>
>


> 5.8 Certificate Request Payload Processing
>
>
> When a Certificate Request payload is received, the receiving entity
> (initiator or responder) MUST do the following:
>
	[ snip ]
>
> 2.  Determine if the Certificate Types are supported.  If any of the
>     Certificate Types are not supported, the message is discarded and the
>     following actions are taken:
>
>    (a)  The event, INVALID CERTIFICATE TYPE, is logged in the appropriate
>         system audit file.
>
>    (b)  An Informational Exchange with a Notification payload containing
>         the INVALID-CERT-ENCODING message type MAY be sent to the
>         initiating entity.  This action is dictated by a system security
>         policy.
>

What is the intention here? These statements imply the sender
knows the certificate types the recipient supports.



-dpg
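As an added illustration of the receiver-side processing in step 2 of 5.8 quoted above, here is example code written for this page; it is not from the draft, the RFC that followed it, or any ISAKMP implementation. Because Figure 11 is not reproduced in the message, the payload layout is assumed: the generic ISAKMP payload header (Next Payload, RESERVED, Payload Length) followed by one Cert Type octet and a variable-length Certificate Authority field, as in the later RFC 2408 form of this payload. The function names, the audit logger name and the `policy_notify` flag standing in for "system security policy" are likewise assumptions.

```python
import logging
import struct

# Generic ISAKMP payload header: Next Payload (1), RESERVED (1), Payload Length (2),
# network byte order.  Body layout ASSUMED for this example (Figure 11 is not on
# the page): Cert Type (1 octet) followed by a variable Certificate Authority field.
GENERIC_HDR = struct.Struct("!BBH")
MIN_LEN = GENERIC_HDR.size + 1          # header plus the Cert Type octet

AUDIT_EVENT = "INVALID CERTIFICATE TYPE"   # step 2(a) of section 5.8
NOTIFY_TYPE = "INVALID-CERT-ENCODING"      # step 2(b) of section 5.8

# Assumed name for the "appropriate system audit file" destination.
audit_log = logging.getLogger("isakmp.audit")


def build_cert_request(next_payload, cert_type, cert_authority=b""):
    """Encode a Certificate Request payload under the assumed layout."""
    body = bytes([cert_type]) + cert_authority
    length = GENERIC_HDR.size + len(body)
    return GENERIC_HDR.pack(next_payload, 0, length) + body


def parse_cert_request(payload):
    """Return (next_payload, cert_type, cert_authority); raise ValueError if malformed.

    Length and RESERVED checks come first so a truncated or padded payload is
    rejected before any field is interpreted.
    """
    if len(payload) < MIN_LEN:
        raise ValueError("payload shorter than header plus Cert Type")
    next_payload, reserved, length = GENERIC_HDR.unpack_from(payload)
    if reserved != 0:
        raise ValueError("RESERVED octet must be zero")
    if length != len(payload):
        raise ValueError("Payload Length %d does not match %d bytes received"
                         % (length, len(payload)))
    cert_type = payload[GENERIC_HDR.size]
    cert_authority = payload[MIN_LEN:]
    return next_payload, cert_type, cert_authority


def process_cert_request(payload, supported_types, policy_notify):
    """Step 2 of 5.8 for one received Certificate Request payload.

    supported_types: set of Cert Type values this entity can produce.
    policy_notify:   True if local security policy allows the MAY notification.

    Returns ("accept", cert_type, cert_authority) when the request can be
    honoured, or ("discard", notification) where notification is the
    Notification payload message type to send, or None if policy says not to.
    """
    _, cert_type, cert_authority = parse_cert_request(payload)
    if cert_type in supported_types:
        return ("accept", cert_type, cert_authority)

    # 2(a): the event is logged in the audit file unconditionally.
    audit_log.warning("%s: Cert Type %d not supported; message discarded",
                      AUDIT_EVENT, cert_type)
    # 2(b): the Informational Exchange with INVALID-CERT-ENCODING is a MAY,
    # gated by system security policy rather than by the payload itself.
    return ("discard", NOTIFY_TYPE if policy_notify else None)
```

A malformed payload raises `ValueError` from `parse_cert_request` before the type check runs, so the caller can treat it separately from the unsupported-type case, which is the only one the quoted step 2 describes. Note that the supported-type decision is made entirely on the receiver's side from its own `supported_types`; the code has no way to tell whether the sender knew that set, which is exactly the gap the question above points at.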