
Re: Certificate Requesting



   From: Greg Carter <greg.carter@entrust.com>
   Date: Sun, 22 Feb 1998 14:51:49 -0500

   Thanks, you just made my point.  Like it says "any point during the
   exchange".
   I would not interpret this to mean that I can arbitrarily extend the
   exchange. There is plenty of opportunity to send the cert request during
   the defined exchange. 

The text I quoted is from the ISAKMP document; within the context of
ISAKMP, there can be an arbitrary number of round-trips.  IKE rides on
top of ISAKMP, and defines three round trips for main mode, and one and
a half round trips for quick mode.  However, IKE doesn't restrict the
number of round-trips to those it defines.  

Note that the ISAKMP spec also states:

	The responder to the Certificate Request payload
	MUST send its immediate certificate, if certificates are supported,

So your interpretation would require violating this part of the ISAKMP
spec. 

							- Ted

