ISAKMP Certificate Request Syntax
I have a few questions regarding how ISAKMP certificate request payloads
are generated that I'm hoping some of you folks can answer.
o Distinguished Name Attribute Type.
The ISAKMP draft (v8) states:
"Certificate Authorities (variable length) - Contains a list of Data
Attributes (see section 3.3) which indicate the Distinguished Names
of acceptable certificate authorities. See [IPDOI] for the
Distinguished Name Attribute Type value." However, there is no DN
Attribute Type defined in the IPSEC DOI (v6). There is an
ID type (used for ID payloads) which is defined for DN's
(ID_DER_ASN1_DN)... Is this what people are using for the
attribute type?
o Encoding ASN.1 DN's as attributes.
The ISAKMP draft (v8) states that variable length attributes (like
the DN Attribute Type above) must be aligned in 4-byte blocks.
"If the Attribute Value is not aligned at a 4-byte multiple, the
field is right justified and the remaining bits MUST be prepending
with 0 for 4-byte alignment." Once so aligned, how does one go
about retrieving the original data? Due to the alignment and the
right justification, the original beginning of the data is not known
(nor is the original length). OK, for ASN.1 I know that the first
byte of the data is not zero ... it's an ASN.1 tag. But doesn't
this pose a problem when used for encoding arbitrary attribute
values (where the original data may already be prepended with 0's)?
Any help would be greatly appreciated... Thanks!
---
Tylor Allison tylor_allison@securecomputing.com (612) 628-1554
Secure Computing Corporation
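Worked illustration of the alignment question in the post above (added here; it is not part of the original message). It pads a constructed DER DN per the quoted "right justify and prepend zeros" rule, then contrasts naive zero-stripping with recovery driven by the DER length; ATTR_TYPE_DN is a placeholder, since the DOI cited in the post defines no DN attribute type.

```python
# Added example, not from the original post. ATTR_TYPE_DN is a placeholder only.
import struct

ATTR_TYPE_DN = 0x7FFF  # placeholder, not a value from any draft

# Constructed DER DN: SEQUENCE { SET { SEQUENCE { OID 2.5.4.3 (commonName),
# PrintableString "Alice" } } }; 18 bytes, so it is not 4-byte aligned.
SAMPLE_DN = bytes.fromhex("3010310e300c06035504031305416c696365")

def align4(value: bytes) -> bytes:
    """Right-justify value in a 4-byte multiple by prepending zero bytes (the draft's rule)."""
    return b"\x00" * ((-len(value)) % 4) + value

def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """ISAKMP Data Attribute in TLV form: AF bit 0, 2-byte type, 2-byte length, padded value."""
    padded = align4(value)
    return struct.pack("!HH", attr_type & 0x7FFF, len(padded)) + padded

def strip_zeros(padded: bytes) -> bytes:
    """Naive recovery: drop every leading zero. Wrong whenever the original began with 0x00."""
    return padded.lstrip(b"\x00")

def der_tlv_len(buf: bytes) -> int:
    """Total size (tag + length octets + content) of the DER TLV at the start of buf."""
    if len(buf) < 2:
        raise ValueError("truncated DER")
    first = buf[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")

def recover_der(padded: bytes) -> bytes:
    """Recover a DER value: a DER tag is never 0x00, so skip pad bytes, then let the
    DER length (not the attribute length) decide exactly where the value ends."""
    start = 0
    while start < len(padded) and padded[start] == 0:
        start += 1
    end = start + der_tlv_len(padded[start:])
    if end != len(padded):
        raise ValueError("DER length and attribute length disagree")
    return padded[start:end]

def demo() -> bool:
    """Round-trip the DN through an attribute, then show where zero-stripping fails."""
    dn_attr = encode_attribute(ATTR_TYPE_DN, SAMPLE_DN)
    _, length = struct.unpack("!HH", dn_attr[:4])
    assert recover_der(dn_attr[4:4 + length]) == SAMPLE_DN
    raw = b"\x00\x01\x02"                 # arbitrary data that already starts with 0x00
    return strip_zeros(align4(raw)) == raw   # False: the leading zero byte is lost
```

The DER case recovers cleanly because the tag and length inside the value bound it; for arbitrary attribute values with leading zeros the padded form is genuinely ambiguous, which is the concern the post raises.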