
RE: Certificate Requesting



Sounds good to me.
----
Greg Carter, Entrust Technologies
greg.carter@entrust.com

>----------
>From: 	Theodore Y. Ts'o[SMTP:tytso@MIT.EDU]
>Sent: 	Thursday, March 05, 1998 2:07 PM
>To: 	wdm@epoch.ncsc.mil; ipsec@tis.com
>Subject: 	Re: Certificate Requesting
>
>
>Accordingly, Dan was going to modify the IKE spec to remove this point
>of ambiguity by stating that within the IKE DOI, implementations are not
>allowed to send a CERTREQ if doing so would extend the number of
>messages beyond the six specified by the IKE.  If either side doesn't
>have a certificate, they can send a notify message and abort the
>exchange.  
>
>If we assume this strategy, the only thing we are missing is to have the
>ISAKMP spec define a notify message which is "MISSING CERTIFICATE",
>with the data field having the same information as is contained in the
>CERTREQ message.  Notify messages are optional to implement, so
>implementations wouldn't have to do this; however, smart implementations
>would be able to note this information and then send the appropriate
>certificate when they retry the IKE negotiation.  Doug, is this
>something you can add to the ISAKMP draft?
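The six-message limit and the MISSING CERTIFICATE retry that Ted's quoted note describes, as an added Python model (not code from this thread or from any IKE/ISAKMP implementation; the notify type name, the CA names and the certificate strings are constructed, messages 1-4 are not modelled, and only the initiator's certificate is checked by the responder):

```python
from dataclasses import dataclass, field

IKE_MAIN_MODE_MESSAGES = 6   # main mode is fixed at six messages; no extra CERTREQ round

@dataclass(frozen=True)
class CertReq:
    encoding: str    # certificate encoding type a CERTREQ carries, e.g. "X.509 Signature"
    ca_name: str     # DN of the CA the sender accepts (sample values below are constructed)

@dataclass(frozen=True)
class Notify:
    message_type: str   # "MISSING_CERTIFICATE": hypothetical name for the proposed notify
    data: CertReq       # same content a CERTREQ payload would have carried

@dataclass
class Peer:
    name: str
    certs: dict                     # ca_name -> certificate (constructed placeholder strings)
    trusted_cas: frozenset          # CAs whose certificates this peer accepts
    remembered: dict = field(default_factory=dict)   # peer name -> CertReq learned from a notify

    def certificate_for(self, peer_name):
        """Prefer a cert matching a remembered CERTREQ from this peer, else the first cert."""
        req = self.remembered.get(peer_name)
        if req is not None and req.ca_name in self.certs:
            return req.ca_name, self.certs[req.ca_name]
        return next(iter(self.certs.items()), None)

def attempt(initiator, responder):
    """One main-mode run. Returns (outcome, messages_used, notify_or_None)."""
    messages = 5   # 1-4: SA and Diffie-Hellman (not modelled); 5: initiator ID, SIG and CERT
    chosen = initiator.certificate_for(responder.name)
    if chosen is None or chosen[0] not in responder.trusted_cas:
        # A CERTREQ here would push the exchange past six messages, so the responder
        # aborts with a notify whose data is exactly what the CERTREQ would have said.
        wanted = CertReq("X.509 Signature", min(responder.trusted_cas))
        notify = Notify("MISSING_CERTIFICATE", wanted)
        initiator.remembered[responder.name] = wanted   # a smart initiator keeps it for the retry
        return "ABORTED", messages, notify
    messages += 1  # message 6: responder's ID, SIG and certificate
    return "ESTABLISHED", messages, None

def negotiate(initiator, responder):
    """Run main mode, retrying once after a MISSING_CERTIFICATE notify. Returns both outcomes."""
    outcomes = []
    for _ in range(2):
        outcome = attempt(initiator, responder)
        outcomes.append(outcome)
        if outcome[0] == "ESTABLISHED":
            break
    return outcomes
```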