
RE: Certificate Requesting



I want to state a detail because no one has mentioned it in all the
discussion on this subject.  Greg Carter indicated the problem in his first
response on this, but there have been no suggestions for a solution in
ISAKMP to the problems noted below.

Yes, it would be workable and straightforward to say, 

    "if the last message of an exchange contains a CERTREQ, then this means
    the exchange is extended, to include replying with a CERT."

This just means everyone has to add one state, and make that transition if
they send/receive the CERTREQ in the otherwise-last state (not to mention
the additional state in an exchange which uses Commit, and the fact that
this event would change who needs to set/obey a Commit).

However some other things are a problem without additional mechanisms in
ISAKMP:

  o If the Responder's final ID in Main Mode is one the Initiator does not
    have a Cert for, the Responder has already finished Main Mode and
    believes the SA is now established; it is not expecting another message.

  o Same problem if the CERTREQ/CERT are sent in the last messages but the
    party who gets the CERT finds it inadequate and needs to make another
    CERTREQ, since the other end now believes the SA is established.

To handle these things, ISAKMP would have to state that the party which
sends the last of the basic messages cannot consider the exchange
completed absolutely.  How do I deal with the case that perhaps the SA is
complete but perhaps the other party finds it must send me a CERTREQ?

It occurs to me that if the parties were using Commit, this would give us
an absolute indicator of completion of an exchange whose end is indefinite.

Roy Pereira <rpereira@TimeStep.com> began the discussion with this
statement and this diagram of a proposed expanded exchange:

>Since the CERT_REQ payload can be located in any exchange, it might be
>located on the last message;
>
>        Initiator                          Responder
>       ----------                         -----------
>        HDR, SA                     -->
>                                    <--    HDR, SA
>        HDR, KE, Ni                 -->
>                                    <--    HDR, KE, Nr
>        HDR*, IDii, [ CERT, ] SIG_I -->
>                                    <--    HDR*, IDir, [ CERT, ] SIG_R [, CERTREQ
>        [ HDR*, CERT [, CERTREQ]    -->
>                                    [<--    HDR*, CERT ] ] ]
>
This diagram illustrates the point: the Responder here believes it is done
after sending the ID, but more is coming.
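A small model of the completion ambiguity discussed above, added here as an example; it is not code from the list post, from Roy Pereira or Greg Carter, or from any ISAKMP implementation. Two responder state machines are fed the same Main Mode messages. The naive one treats the SA as established the moment message 6 is sent, so a trailing CERTREQ arrives as an unexpected message. The tentative one keeps one extra state in which a late CERTREQ is still answered with a CERT, and only an explicit completion indicator (a constructed CONNECTED payload standing in for the definite end that the Commit mechanism would give) moves it to established. Payload names follow the diagram; the Python class and state names are assumptions of this example.

```python
"""Toy model of the Main Mode 'am I done yet?' problem (constructed example,
not from the post or any ISAKMP implementation)."""
from dataclasses import dataclass
from enum import Enum, auto
from typing import List, Tuple


class Payload(Enum):
    """Payload types from the exchange diagram; CONNECTED is a constructed
    stand-in for an explicit completion indicator (Commit-style)."""
    SA = auto()
    KE = auto()
    NONCE = auto()
    ID = auto()
    CERT = auto()
    CERTREQ = auto()
    SIG = auto()
    CONNECTED = auto()


@dataclass(frozen=True)
class Message:
    sender: str                    # "I" (initiator) or "R" (responder)
    payloads: Tuple[Payload, ...]  # payloads following HDR / HDR*


class State(Enum):
    IDLE = auto()
    SA_DONE = auto()      # messages 1-2 exchanged
    KE_DONE = auto()      # messages 3-4 exchanged
    MAYBE_DONE = auto()   # last basic message sent; an extension may follow
    ESTABLISHED = auto()  # SA definitely up
    ERROR = auto()        # a message arrived in a state that cannot take it


class Responder:
    """tentative=False: the exchange is over once message 6 leaves (the
    behaviour the post calls the problem).  tentative=True: park in
    MAYBE_DONE until an explicit completion indicator arrives."""

    def __init__(self, tentative: bool):
        self.tentative = tentative
        self.state = State.IDLE
        self.replies: List[Message] = []

    def _send(self, *payloads: Payload) -> None:
        self.replies.append(Message("R", payloads))

    def receive(self, msg: Message) -> State:
        p = set(msg.payloads)
        if self.state is State.IDLE and Payload.SA in p:
            self._send(Payload.SA)
            self.state = State.SA_DONE
        elif self.state is State.SA_DONE and {Payload.KE, Payload.NONCE} <= p:
            self._send(Payload.KE, Payload.NONCE)
            self.state = State.KE_DONE
        elif self.state is State.KE_DONE and {Payload.ID, Payload.SIG} <= p:
            # Message 5 in: answer with IDir, SIG_R and, if this message
            # carried a CERTREQ, the CERT as well (the quoted rule: a CERTREQ
            # in the last message extends the exchange).
            reply = [Payload.ID]
            if Payload.CERTREQ in p:
                reply.append(Payload.CERT)
            reply.append(Payload.SIG)
            self._send(*reply)
            self.state = State.MAYBE_DONE if self.tentative else State.ESTABLISHED
        elif self.state is State.MAYBE_DONE and Payload.CERTREQ in p:
            # Extension: the initiator could not verify IDir and wants a CERT.
            self._send(Payload.CERT)
        elif self.state is State.MAYBE_DONE and Payload.CONNECTED in p:
            self.state = State.ESTABLISHED
        elif self.state is State.ESTABLISHED and Payload.CONNECTED in p:
            pass  # redundant confirmation, harmless
        else:
            # A naive ESTABLISHED responder receiving a late CERTREQ lands
            # here: it "is not expecting another message".
            self.state = State.ERROR
        return self.state


def run(tentative: bool, late_certreq: bool,
        confirm: bool) -> Tuple[State, List[Tuple[Payload, ...]]]:
    """Drive one responder through Main Mode with a constructed initiator
    script; return its final state and the payloads of each message it sent."""
    r = Responder(tentative)
    script = [
        Message("I", (Payload.SA,)),
        Message("I", (Payload.KE, Payload.NONCE)),
        Message("I", (Payload.ID, Payload.SIG)),
    ]
    if late_certreq:                       # initiator lacks a cert for IDir
        script.append(Message("I", (Payload.CERTREQ,)))
    if confirm:                            # explicit completion indicator
        script.append(Message("I", (Payload.CONNECTED,)))
    for m in script:
        if r.receive(m) is State.ERROR:
            break
    return r.state, [m.payloads for m in r.replies]


if __name__ == "__main__":
    for tentative in (False, True):
        final, sent = run(tentative, late_certreq=True, confirm=True)
        print(f"tentative={tentative}: final={final.name}, "
              f"sent={[[x.name for x in s] for s in sent]}")
```

Run it and the naive responder ends in ERROR having never sent the CERT, while the tentative one answers the late CERTREQ and reaches ESTABLISHED only when the completion indicator arrives; without that indicator it stays in MAYBE_DONE, which is exactly the "cannot consider the exchange completed absolutely" position the post describes.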