
ISAKMP Certificate Request Syntax
I have a few questions regarding how ISAKMP certificate request payloads 
are generated that I'm hoping some of you folks can answer.

o   Distinguished Name Attribute Type.

    The ISAKMP draft (v8) states:
    "Certificate Authorities (variable length) - Contains a list of Data
    Attributes (see section 3.3) which indicate the Distinguished Names
    of acceptable certificate authorities.  See [IPDOI] for the
    Distinguished Name Attribute Type value."  However, there is no DN
    Attribute Type defined in the IPSEC DOI (v6).  There is an
    ID type (used for ID payloads) which is defined for DNs
    (ID_DER_ASN1_DN)...  Is this what people are using for the
    attribute type?

o   Encoding ASN.1 DNs as attributes.

    The ISAKMP draft (v8) states that variable length attributes (like
    the DN Attribute Type above) must be aligned in 4-byte blocks.  
    "If the Attribute Value is not aligned at a 4-byte multiple, the
    field is right justified and the remaining bits MUST be prepending
    with 0 for 4-byte alignment."  Once so aligned, how does one go 
    about retrieving the original data?  Due to the alignment and the 
    right justification, the original beginning of the data is not known 
    (nor is the original length).  OK, for ASN.1 I know that the first 
    byte of the data is not zero ... it's an ASN.1 tag.  But doesn't 
    this pose a problem when used for encoding arbitrary attribute 
    values (where the original data may already be prepended with 0s)?

Any help would be greatly appreciated... Thanks!

---
Tylor Allison         tylor_allison@securecomputing.com        (612) 628-1554
Secure Computing Corporation
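As an added illustration (not part of the original post or any ISAKMP implementation), the following encodes a variable-length (AF=0) Data Attribute under the draft's 4-byte, right-justified, zero-prepended alignment rule, recovers a DER DN from the padded field by relying on the leading SEQUENCE tag, and shows why the same rule is lossy for arbitrary values. The attribute type number 9 (the ID_DER_ASN1_DN identifier value) and the minimal DN blob are assumptions constructed for this example; the post's point is precisely that no DN attribute type is defined in the DOI draft.

```python
import struct
from typing import Tuple

# Assumed attribute type for a DN: reuses the ID_DER_ASN1_DN ID-type value (9).
# The DOI draft defines no DN *attribute* type, so this number is an assumption.
ATTR_DER_ASN1_DN = 9
DER_SEQUENCE_TAG = 0x30  # a DER-encoded Name always begins with SEQUENCE

# Constructed minimal DN: SEQUENCE { SET { SEQUENCE { OID 2.5.4.3 (CN), "ca" } } }
SAMPLE_DN = bytes.fromhex("300d310b3009060355040313026361")


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Build an AF=0 ISAKMP Data Attribute (draft section 3.3 layout).

    The value is right-justified in a 4-byte-aligned field: zero octets are
    prepended, and the Length field carries the padded length."""
    if attr_type & 0x8000:
        raise ValueError("attribute type must fit in 15 bits (AF bit is 0)")
    padded = value.rjust(-(-len(value) // 4) * 4, b"\x00")
    return struct.pack("!HH", attr_type, len(padded)) + padded


def decode_attribute(data: bytes) -> Tuple[int, bytes, bytes]:
    """Parse one AF=0 attribute; returns (type, padded value, remaining bytes).

    The padded value is all a receiver can recover from the wire."""
    if len(data) < 4:
        raise ValueError("truncated attribute header")
    af_type, length = struct.unpack("!HH", data[:4])
    if af_type & 0x8000:
        raise ValueError("AF=1 attributes carry a fixed 2-byte value")
    if length % 4 or len(data) < 4 + length:
        raise ValueError("length not 4-byte aligned or payload truncated")
    return af_type, data[4:4 + length], data[4 + length:]


def unpad_der_dn(padded: bytes) -> bytes:
    """Recover the DER DN by stripping the zero prefix up to the SEQUENCE tag.

    This works only because a DER Name can never start with 0x00."""
    stripped = padded.lstrip(b"\x00")
    if not stripped or stripped[0] != DER_SEQUENCE_TAG:
        raise ValueError("padded value does not start with a DER SEQUENCE")
    return stripped


def padding_is_ambiguous(a: bytes, b: bytes, attr_type: int = 1) -> bool:
    """True when two distinct values yield the identical wire encoding,
    i.e. a receiver cannot tell them apart (the post's concern for arbitrary
    attribute values that legitimately begin with 0x00)."""
    return a != b and encode_attribute(attr_type, a) == encode_attribute(attr_type, b)
```

A receiver parsing the Certificate Authorities field should therefore validate that each stripped value is well-formed DER rather than trusting the padded length alone.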