draft-ietf-ipsec-isakmp-06.txt
The following two clips of text are from draft-ietf-ipsec-isakmp-06.txt.
> 3.10 Certificate Request Payload
>
>
> The Certificate Request Payload provides a means to request certificates
> via ISAKMP and can appear in any message. Certificate Request payloads
> SHOULD be included in an exchange whenever an appropriate directory
> service (e.g. Secure DNS [DNSSEC]) is not available to distribute
> certificates. The Certificate Request payloads MUST be accepted at any point
> during the exchange. The responder to the Certificate Request payload
> MUST send its immediate certificate, if certificates are supported, and
> SHOULD send as much of its certificate chain as possible. Figure 11 shows
> the format of the Certificate Request Payload.
>
>
> 5.8 Certificate Request Payload Processing
>
>
> When a Certificate Request payload is received, the receiving entity
> (initiator or responder) MUST do the following:
>
[ snip ]
>
> 2. Determine if the Certificate Types are supported. If any of the
> Certificate Types are not supported, the message is discarded and the
> following actions are taken:
>
> (a) The event, INVALID CERTIFICATE TYPE, is logged in the appropriate
> system audit file.
>
> (b) An Informational Exchange with a Notification payload containing
> the INVALID-CERT-ENCODING message type MAY be sent to the
> initiating entity. This action is dictated by a system security
> policy.
>
What is the intention here? These statements imply the sender
knows the certificate types the recipient supports.
-dpg
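The receiver-side check in step 2 of section 5.8, modelled as an added example that is not part of the message or the draft. The payload layout (4-octet generic header, 1-octet Cert Type, variable Certificate Authority) and the Cert Type numbers are assumed from the later RFC 2408; the draft text quoted above does not show them. The constructed sample illustrates the mismatch dpg asks about: the sender picks a type the receiver does not support, so the message is discarded and only local policy decides whether the sender learns why.

```python
import struct
from dataclasses import dataclass

# Certificate encoding types. Values follow the later RFC 2408 registry and
# are an assumption here; the quoted draft text does not list them.
CERT_TYPES = {1: "PKCS #7", 2: "PGP", 3: "DNS Signed Key", 4: "X.509 Signature",
              5: "X.509 Key Exchange", 6: "Kerberos Tokens", 7: "CRL",
              8: "ARL", 9: "SPKI", 10: "X.509 Attribute"}

@dataclass
class CertRequest:
    next_payload: int
    cert_type: int
    cert_authority: bytes

def parse_cert_request(payload: bytes) -> CertRequest:
    """Parse one Certificate Request payload: generic header (Next Payload,
    RESERVED, Payload Length), 1-octet Cert Type, then the variable-length
    Certificate Authority field (assumed RFC 2408 layout)."""
    if len(payload) < 5:
        raise ValueError("payload shorter than the 5-octet minimum")
    next_payload, _reserved, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload):
        raise ValueError("Payload Length field does not match payload size")
    return CertRequest(next_payload, payload[4], payload[5:])

def process_cert_request(payload: bytes, supported: set, notify_policy: bool):
    """Step 2 of section 5.8 as quoted: an unsupported Cert Type discards the
    message, always logs INVALID CERTIFICATE TYPE, and sends an
    INVALID-CERT-ENCODING notification only if local policy permits it.
    Returns (accepted, audit_events, notification_or_None)."""
    req = parse_cert_request(payload)
    if req.cert_type in supported:
        return True, [], None
    audit = [f"INVALID CERTIFICATE TYPE: {req.cert_type} "
             f"({CERT_TYPES.get(req.cert_type, 'unknown')})"]
    notification = "INVALID-CERT-ENCODING" if notify_policy else None
    return False, audit, notification

# Constructed sample: Cert Type 2 (PGP) with a 3-octet CA field, sent to a
# peer that only handles X.509 Signature certificates (type 4).
SAMPLE = struct.pack("!BBHB", 0, 0, 8, 2) + b"abc"
```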