Re: Certificate Requesting
- To: "Theodore Y. Ts'o" <tytso@MIT.EDU>
- Subject: Re: Certificate Requesting
- From: Robert Moskowitz <rgm-sec@htt-consult.com>
- Date: Wed, 25 Feb 1998 14:16:52 -0500
- Cc: "Theodore Y. Ts'o" <tytso@MIT.EDU>, wdm@epoch.ncsc.mil, rpereira@TimeStep.com, dharkins@cisco.com, greg.carter@entrust.com, kivinen@ssh.fi, ipsec@tis.com, wdm@epoch.ncsc.mil
- In-Reply-To: <199802251734.MAA27336@dcl.MIT.EDU>
- References: <3.0.5.32.19980225101455.0098f950@homebase.htt-consult.com> (Robert Moskowitz's message of Wed, 25 Feb 1998 10:14:55 -0500)
- Sender: owner-ipsec@ex.tis.com
At 12:34 PM 2/25/98 -0500, Theodore Y. Ts'o wrote:
>
>Bob,
>
>Just to clarify what you're suggesting here.... Do a DN exchange how?
>Via an aborted IKE exchange? Or via some other out of band means?
Via an identification payload of type ID_DER_ASN1_DN, or that is the way I
read ISAKMP-08 and DOI-06 (yeah, yeah, got to grab the new DOI...).
>The
>problem is that by the time you do the DN exchange within the current
>IKE framework, there's no time to do a cert-req without extending the
>number of round trips, *or* aborting the IKE exchange and trying again.
exacticially.
>We can do one or the other, but we had better document which, and
>everyone will need to agree to do it the same way. (And to not log too
>verbosely aborted IKE exchanges if that's how we decide to do things,
>etc.)
Yes indeed. There seems to be an unintended consequence here that may be
for the good. It might be for IPsecond, but I think we can get this
exchange to have just enough flexibility to cover real PKI needs (beyond a
single CA or at best a single hierarchy), but not enough to hang ourselves.
Robert Moskowitz
ICSA
Security Interest EMail: rgm-sec@htt-consult.com
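The two payloads this reply turns on, an Identification payload of type ID_DER_ASN1_DN carrying the peer's DER-encoded name and a Certificate Request payload naming an acceptable CA, as an added worked example that is not part of the original message. The payload layouts and constant values (ID payload type 5, CERTREQ type 7, ID_DER_ASN1_DN = 9, X.509 signature encoding = 4) are taken from RFC 2408 and RFC 2407 rather than the ISAKMP-08/DOI-06 drafts named above, and the DN encoder only handles single-attribute RDNs with UTF8String values; both are assumptions made for illustration.

```python
"""Encode and decode ISAKMP Identification (ID_DER_ASN1_DN) and Certificate
Request payloads.  Added example, not code from the IPsec list thread.
Constants and field layouts follow RFC 2408 / RFC 2407 (assumed to match the
drafts discussed); the DER name encoder is deliberately minimal."""
import struct

# RFC 2408 payload type numbers carried in the Next Payload field
PAYLOAD_NONE = 0
PAYLOAD_ID = 5
PAYLOAD_CERTREQ = 7
ID_DER_ASN1_DN = 9      # RFC 2407 identification type
CERT_X509_SIG = 4       # RFC 2408 certificate encoding: X.509 signature cert
OID_CN = "2.5.4.3"      # X.520 commonName
OID_O = "2.5.4.10"      # X.520 organizationName


def _der_len(n):
    """DER definite-form length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _der_tlv(0x06, bytes(out))


def der_name(rdns):
    """X.501 Name: SEQUENCE OF SET OF AttributeTypeAndValue, one ATV per RDN.
    rdns is a list of (oid, value) pairs; values are emitted as UTF8String."""
    sets = b""
    for oid, value in rdns:
        atv = _der_tlv(0x30, _der_oid(oid) + _der_tlv(0x0C, value.encode("utf-8")))
        sets += _der_tlv(0x31, atv)
    return _der_tlv(0x30, sets)


def _der_seq_len(buf):
    """Total encoded size of the DER SEQUENCE at the start of buf."""
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("expected DER SEQUENCE")
    first = buf[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("bad DER length")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def _payload(next_payload, body):
    """Generic ISAKMP payload header: Next Payload, RESERVED, Payload Length
    (length covers the 4-byte header too)."""
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def id_payload_dn(dn_der, next_payload=PAYLOAD_NONE):
    """Identification payload: ID Type, then DOI-specific Protocol ID and Port
    (zero means any), then the DER DN as Identification Data."""
    return _payload(next_payload, struct.pack("!BBH", ID_DER_ASN1_DN, 0, 0) + dn_der)


def certreq_payload(ca_dn_der, next_payload=PAYLOAD_NONE):
    """Certificate Request payload: Cert Encoding, then the CA's DER DN
    (empty when no particular CA is being asked for)."""
    return _payload(next_payload, bytes([CERT_X509_SIG]) + ca_dn_der)


def parse_payloads(first_type, data):
    """Walk the payload chain; return [(payload_type, body), ...].
    Length fields are checked against the buffer before any slicing."""
    out, ptype, off = [], first_type, 0
    while ptype != PAYLOAD_NONE:
        if off + 4 > len(data):
            raise ValueError("truncated payload header")
        nxt, _, length = struct.unpack_from("!BBH", data, off)
        if length < 4 or off + length > len(data):
            raise ValueError("bad payload length")
        out.append((ptype, data[off + 4:off + length]))
        off += length
        ptype = nxt
    if off != len(data):
        raise ValueError("trailing bytes after last payload")
    return out


def decode_id_dn(body):
    """Return the DER DN from an ID payload body, or raise if it is not one."""
    id_type, _proto, _port = struct.unpack_from("!BBH", body, 0)
    if id_type != ID_DER_ASN1_DN:
        raise ValueError("not an ID_DER_ASN1_DN identification")
    dn = body[4:]
    if _der_seq_len(dn) != len(dn):
        raise ValueError("DN length does not match payload length")
    return dn


def decode_certreq(body):
    """Return (cert_encoding, ca_dn_der); ca_dn_der is b'' when unspecified."""
    if not body or body[0] != CERT_X509_SIG:
        raise ValueError("unsupported certificate encoding")
    ca = body[1:]
    if ca and _der_seq_len(ca) != len(ca):
        raise ValueError("CA name length does not match payload length")
    return body[0], ca


def demo_exchange():
    """Constructed sample: one peer identifies itself by DN and, in the same
    chain, asks for a certificate issued by a named CA."""
    my_dn = der_name([(OID_CN, "gw.example")])
    ca_dn = der_name([(OID_O, "Example CA")])
    msg = id_payload_dn(my_dn, PAYLOAD_CERTREQ) + certreq_payload(ca_dn)
    parsed = parse_payloads(PAYLOAD_ID, msg)
    return {"peer_dn": decode_id_dn(parsed[0][1]),
            "certreq": decode_certreq(parsed[1][1]),
            "wire_len": len(msg)}


if __name__ == "__main__":
    print(demo_exchange())
```

The parser refuses a length field that overruns the buffer and a DN whose DER length disagrees with the payload length, which is the check an implementation needs before it hands the Identification Data to an ASN.1 decoder.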