
Re: SA payloads and Next payload



Doug,

I've had a request from a customer to add the capability to transmit
X.509 Attribute Certificates within the ISAKMP Certificate payload.
Attribute Certs allow authorization information (which may change
frequently) to be attached to base certs (which are normally updated
much less frequently), and they allow the authorization administrator
to operate independently of the Certificate Authority.

Attribute Certificates are defined in the ISO/ITU X.509 standard, but
have not yet been profiled in the PKIX document series.  There is
support for doing so, but no one has yet volunteered to do the
writing :-).

I propose adding the following line to the Cert Encoding field of the
ISAKMP Certificate payload:

                __________Certificate_Type___________Value___
                X.509 Certificate - Attribute         10


Regards,
Dave Kemp



----- Begin Included Message -----


                             1                   2                   3
         0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        ! Next Payload  !   RESERVED    !         Payload Length        !
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        ! Cert Encoding !                                               !
        +-+-+-+-+-+-+-+-+                                               !
        ~                       Certificate Data                        ~
        !                                                               !
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


                  Figure 10:  Certificate Payload Format


 o  Payload Length (2 octets) - Length in octets of the current payload,
    including the generic payload header.

 o  Certificate Encoding (1 octet) - This field indicates the type of
    certificate or certificate-related information contained in the
    Certificate Data field.


                __________Certificate_Type___________Value___
                 NONE                                  0
                 PKCS #7 wrapped X.509 certificate      1
                 PGP Certificate                        2
                 DNS Signed Key                         3
                 X.509 Certificate - Signature          4
                 X.509 Certificate - Key Exchange       5
                 Kerberos Tokens                        6
                 Certificate Revocation List (CRL)      7
                 Authority Revocation List (ARL)        8
                 SPKI Certificate                       9
                 RESERVED                            10 - 255



 o  Certificate Data (variable length) - Actual encoding of certificate
    data.  The type of certificate is indicated by the Certificate
    Encoding field.



----- End Included Message -----
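As an added illustration of the Certificate payload layout in Figure 10 and of the proposed encoding value 10 (this is example code written for this archive page, not code from the ISAKMP draft, from the IPsec working group, or from the message author), the following Python builds and parses ISAKMP Certificate payloads. It checks the bounds a receiver must enforce before touching Certificate Data: the Payload Length must be at least the 5-octet header and must not run past the end of the buffer, and a RESERVED value in Cert Encoding is rejected rather than guessed at. The value 6 for the Certificate payload type in the Next Payload field is assumed from ISAKMP, and the certificate bytes used as sample input are constructed placeholders, not a real certificate.

```python
import struct

# Cert Encoding values from the figure above, plus the value 10 that the
# message proposes for X.509 Attribute Certificates (not in the draft itself).
CERT_ENCODINGS = {
    0: "NONE",
    1: "PKCS #7 wrapped X.509 certificate",
    2: "PGP Certificate",
    3: "DNS Signed Key",
    4: "X.509 Certificate - Signature",
    5: "X.509 Certificate - Key Exchange",
    6: "Kerberos Tokens",
    7: "Certificate Revocation List (CRL)",
    8: "Authority Revocation List (ARL)",
    9: "SPKI Certificate",
    10: "X.509 Certificate - Attribute",  # proposed in the message above
}

GENERIC_HDR = struct.Struct("!BBH")   # Next Payload, RESERVED, Payload Length
CERT_HDR_LEN = GENERIC_HDR.size + 1   # generic header + 1-octet Cert Encoding
CERT_PAYLOAD_TYPE = 6                 # assumption: ISAKMP Next Payload value for CERT
NO_NEXT_PAYLOAD = 0


class PayloadError(ValueError):
    """Raised for any malformed or unsupported Certificate payload."""


def build_cert_payload(next_payload, cert_encoding, cert_data):
    """Encode one Certificate payload; Payload Length covers the whole payload."""
    if cert_encoding not in CERT_ENCODINGS:
        raise PayloadError("unknown Cert Encoding %d" % cert_encoding)
    length = CERT_HDR_LEN + len(cert_data)
    if length > 0xFFFF:
        raise PayloadError("certificate data too large for 2-octet Payload Length")
    return GENERIC_HDR.pack(next_payload, 0, length) + bytes([cert_encoding]) + bytes(cert_data)


def parse_cert_payload(buf, offset=0):
    """Parse one Certificate payload at buf[offset:].

    Returns (next_payload, encoding, encoding_name, cert_data, offset_after).
    Every length check happens before Certificate Data is sliced, so a
    hostile Payload Length cannot cause an over-read or a bogus empty blob.
    """
    if len(buf) - offset < CERT_HDR_LEN:
        raise PayloadError("truncated Certificate payload header")
    next_payload, reserved, length = GENERIC_HDR.unpack_from(buf, offset)
    if reserved != 0:
        raise PayloadError("RESERVED octet must be zero")
    if length < CERT_HDR_LEN:
        raise PayloadError("Payload Length %d shorter than header" % length)
    if offset + length > len(buf):
        raise PayloadError("Payload Length %d runs past end of buffer" % length)
    encoding = buf[offset + GENERIC_HDR.size]
    name = CERT_ENCODINGS.get(encoding)
    if name is None:
        raise PayloadError("reserved Cert Encoding value %d" % encoding)
    cert_data = bytes(buf[offset + CERT_HDR_LEN:offset + length])
    return next_payload, encoding, name, cert_data, offset + length


def parse_cert_chain(buf):
    """Walk consecutive Certificate payloads chained via Next Payload.

    Returns a list of (encoding, cert_data). Stops at Next Payload == 0;
    any other Next Payload value is treated as unsupported here.
    """
    certs = []
    offset = 0
    while True:
        next_payload, encoding, _, data, offset = parse_cert_payload(buf, offset)
        certs.append((encoding, data))
        if next_payload == NO_NEXT_PAYLOAD:
            if offset != len(buf):
                raise PayloadError("trailing bytes after last payload")
            return certs
        if next_payload != CERT_PAYLOAD_TYPE:
            raise PayloadError("unsupported Next Payload %d" % next_payload)


def demo():
    """Build a base cert payload followed by an attribute cert payload, then parse."""
    base_cert = b"\x30\x03\x02\x01\x05"        # constructed placeholder, not real DER
    attr_cert = b"\x30\x03\x02\x01\x0a"        # constructed placeholder, not real DER
    wire = (build_cert_payload(CERT_PAYLOAD_TYPE, 4, base_cert)
            + build_cert_payload(NO_NEXT_PAYLOAD, 10, attr_cert))
    return parse_cert_chain(wire)


if __name__ == "__main__":
    for enc, data in demo():
        print("%-32s %s" % (CERT_ENCODINGS[enc], data.hex()))
```

A receiver that accepts value 10 should still apply the usual policy step after parsing: an attribute certificate carries authorization, not identity, so it only means something once the base certificate it points to has itself been validated.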