Re: Certificate Requesting
From: Greg Carter <greg.carter@entrust.com>
Date: Sun, 22 Feb 1998 14:51:49 -0500
Thanks, you just made my point. Like it says "any point during the
exchange".
I would not interpret this to mean that I can arbitrarily extend the
exchange. There is plenty of opportunity to send the cert request during
the defined exchange.
The text I quoted is from the ISAKMP document; within the context of
ISAKMP, there can be an arbitrary number of round-trips. IKE rides on
top of ISAKMP, and defines three round trips for main mode, and one and
a half round trips for quick mode. However, IKE doesn't restrict the
number of round-trips to those it defines.
Note that the ISAKMP spec also states:
The responder to the Certificate Request payload
MUST send its immediate certificate, if certificates are supported,
So your interpretation would require violating this part of the ISAKMP
spec.
- Ted