
Re: Certificate Requesting



   Date: Wed, 25 Feb 1998 10:14:55 -0500
   From: Robert Moskowitz <rgm-sec@htt-consult.com>

   When to do this is the question.  Given performance issues, it might
   almost be 'smart' to first do a DN exchange and if you don't have the
   cert cached give a cert-req, or some such.

Bob,

Just to clarify what you're suggesting here....  Do a DN exchange how?
Via an aborted IKE exchange?  Or via some other out of band means?  The
problem is that by the time you do the DN exchange within the current
IKE framework, there's no time to do a cert-req without extending the
number of round trips, *or* aborting the IKE exchange and trying again.

We can do one or the other, but we had better document which, and
everyone will need to agree to do it the same way.  (And to not log too
verbosely aborted IKE exchanges if that's how we decide to do things,
etc.)

						- Ted

