
Re: Certificate Requesting



At 12:34 PM 2/25/98 -0500, Theodore Y. Ts'o wrote:
>
>Bob,
>
>Just to clarify what you're suggesting here....  Do a DN exchange how?
>Via an aborted IKE exchange?  Or via some other out of band means?  

Via an identification payload of type ID_DER_ASN1_DN, or that is the way I
read ISAKMP-08 and DOI-06 (yeah, yeah, got to grab the new DOI...).

>The
>problem is that by the time you do the DN exchange within the current
>IKE framework, there's no time to do a cert-req without extending the
>number of round trips, *or* aborting the IKE exchange and trying again.

Exactly.

>We can do one or the other, but we had better document which, and
>everyone will need to agree to do it the same way.  (And to not log too
>verbosely aborted IKE exchanges if that's how we decide to do things,
>etc.)

Yes indeed.  There seems to be an unintended consequence here that may be
for the good.  It might be for IPsecond, but I think we can get this
exchange to have just enough flexibility to cover real PKI needs (beyond a
single CA or at best a single hierarchy), but not enough to hang ourselves.


Robert Moskowitz
ICSA
Security Interest EMail: rgm-sec@htt-consult.com
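The two payloads this exchange turns on, as an added example that is not part of the thread or of any draft text: an ISAKMP Identification payload carrying an ID_DER_ASN1_DN identity, and a Certificate Request payload that names that same DN as the acceptable issuer. The payload numbers (ID = 5, CR = 7), the ID type value (ID_DER_ASN1_DN = 9), the certificate-encoding value (X.509 Signature = 4) and the ID-payload layout (ID type, protocol ID, port, then ID data) are the published RFC 2408/2407 values and are assumed to match the ISAKMP-08/DOI-06 drafts being discussed; the DN itself, the `SAMPLE_DN` constant and all function names are constructed for this example.

```python
"""Build and parse an ISAKMP ID payload (ID_DER_ASN1_DN) and a CERTREQ payload.

Added example, not code from the thread.  Assumes RFC 2408/2407 numbering;
the DN and all names here are constructed sample data.
"""
import struct

# ISAKMP payload types (RFC 2408; assumed to match the drafts discussed)
PAYLOAD_ID = 5
PAYLOAD_CERTREQ = 7
NEXT_NONE = 0

# IPsec DOI identification type (RFC 2407, assumed)
ID_DER_ASN1_DN = 9

# ISAKMP certificate encoding used in the CERTREQ "Certificate Authority" field
CERT_X509_SIG = 4

# --- minimal DER helpers: just enough to encode an X.501 Name -------------
def der_tlv(tag, body):
    """DER tag-length-value with definite (short or long form) length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_oid(dotted):
    """OBJECT IDENTIFIER from dotted form, base-128 sub-identifiers."""
    parts = [int(p) for p in dotted.split(".")]
    body = bytes([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        enc = bytes([p & 0x7F])
        p >>= 7
        while p:
            enc = bytes([0x80 | (p & 0x7F)]) + enc
            p >>= 7
        body += enc
    return der_tlv(0x06, body)

_OIDS = {"C": "2.5.4.6", "O": "2.5.4.10", "CN": "2.5.4.3"}

def der_name(rdns):
    """X.501 Name: SEQUENCE OF SET OF SEQUENCE { OID, PrintableString }."""
    out = b""
    for attr, value in rdns:
        atv = der_tlv(0x30, der_oid(_OIDS[attr]) + der_tlv(0x13, value.encode("ascii")))
        out += der_tlv(0x31, atv)
    return der_tlv(0x30, out)

# --- ISAKMP payload encoders / decoders ------------------------------------
def build_id_payload(id_type, id_data, proto=0, port=0, next_payload=NEXT_NONE):
    """Generic header (next, reserved, length) + ID type + protocol + port + data."""
    body = struct.pack("!BBH", id_type, proto, port) + id_data
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body

def build_certreq_payload(cert_encoding, ca_name, next_payload=NEXT_NONE):
    """Generic header + certificate encoding + DER name of the acceptable CA."""
    body = bytes([cert_encoding]) + ca_name
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body

def parse_payload(buf):
    """Parse one generic payload; returns (next_payload, body, remaining bytes)."""
    if len(buf) < 4:
        raise ValueError("short payload header")
    nxt, reserved, length = struct.unpack("!BBH", buf[:4])
    if reserved != 0 or length < 4 or length > len(buf):
        raise ValueError("bad payload header")
    return nxt, buf[4:length], buf[length:]

def parse_id_payload(body):
    id_type, proto, port = struct.unpack("!BBH", body[:4])
    return id_type, proto, port, body[4:]

def parse_certreq_payload(body):
    return body[0], body[1:]

SAMPLE_DN = [("C", "US"), ("O", "Example Corp"), ("CN", "Example CA")]  # constructed

def exchange_dn(rdns=SAMPLE_DN):
    """Peer A sends its identity as a DER DN; peer B parses it and builds a
    CERTREQ naming that DN as the issuer it wants certificates from."""
    dn = der_name(rdns)
    wire = build_id_payload(ID_DER_ASN1_DN, dn)       # proto/port 0 for Phase 1
    nxt, body, rest = parse_payload(wire)
    id_type, proto, port, id_data = parse_id_payload(body)
    if id_type != ID_DER_ASN1_DN:
        raise ValueError("expected a DER DN identity")
    certreq = build_certreq_payload(CERT_X509_SIG, id_data)
    _, cr_body, _ = parse_payload(certreq)
    enc, ca = parse_certreq_payload(cr_body)
    return {"dn": dn, "id_type": id_type, "proto": proto, "port": port,
            "ca_encoding": enc, "ca_name": ca, "id_len": len(wire),
            "trailing": rest}

if __name__ == "__main__":
    r = exchange_dn()
    print("ID payload bytes:", r["id_len"], "CERTREQ names same DN:", r["ca_name"] == r["dn"])
```

The round-trip issue in the thread follows directly from where these bytes sit: the ID payload is only sent in the encrypted fifth and sixth messages of Main Mode, so a CERTREQ built from the peer's DN cannot go out in the same exchange without an extra pair of messages or a second run.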

