
RE: cert request or cert repository?
Cliff,
Requesting a cert on receiving a signature payload won't work for either
main mode or for aggressive mode.  By the time the signature payload is
received, it's too late.  Consider main mode.  The responder will receive the
signature payload in message 5.  So he would have to request a cert in
message 6.  That's the last message of the exchange, so the initiator cannot
send its cert.  Similarly, the initiator sees a signature payload only in
message 6.  So, for them to exchange certs, main mode would have to be
extended beyond 6 messages and that's not allowed.  From section 5 of IKE,

   Exchanges in IKE are not open ended and have a fixed number of
   messages.  Receipt of a Certificate Request payload MUST NOT extend
   the number of messages transmitted or expected.

This topic came up on the list some time back.  You may want to check the
archives.

Sumit A. Vakil
VPNet Technologies, Inc.

> -----Original Message-----
> From:	Cliff Wang [SMTP:cxwang@us.ibm.com]
> Sent:	Tuesday, June 09, 1998 2:46 PM
> To:	ipsec@tis.com
> Subject:	cert request or cert repository?
> 
> When an ISAKMP received a signature payload
> without the optional certificate payload, in order to
> get the peer's public key for signature verification,
> shall the ISAKMP send a certificate request to the
> peer or try to retrieve it through certificate repository?
> Seems that sending a certificate request makes
> more sense.  Thanks!
> 
> Cliff Wang
> cxwang@us.ibm.com
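As an added illustration (not code from either poster), a small Python model of the fixed RFC 2409 main-mode and aggressive-mode exchanges with signature authentication: it traces when each side first sees a SIG payload and whether a Certificate Request sent only at that point could still be answered within the exchange. The message layouts are assumed simplifications of the RFC diagrams with the optional CERT payloads omitted, which is exactly the situation the question describes.

```python
# Model of IKEv1 phase 1 exchanges (RFC 2409 sections 5.1 and 5.2) with
# signature authentication.  Each entry is (sender, payloads) in message
# order.  Constructed for this example; optional CERT payloads left out.
MAIN_MODE = [
    ("I", {"SA"}),
    ("R", {"SA"}),
    ("I", {"KE", "NONCE"}),
    ("R", {"KE", "NONCE"}),
    ("I", {"ID", "SIG"}),   # message 5: initiator's identity and signature
    ("R", {"ID", "SIG"}),   # message 6: responder's identity and signature
]

AGGRESSIVE_MODE = [
    ("I", {"SA", "KE", "NONCE", "ID"}),
    ("R", {"SA", "KE", "NONCE", "ID", "SIG"}),
    ("I", {"SIG"}),
]


def peer(party):
    return "R" if party == "I" else "I"


def next_message_from(exchange, party, after):
    """1-based number of the first message `party` sends after message
    `after`, or None if the fixed exchange has no such message."""
    for idx in range(after, len(exchange)):
        if exchange[idx][0] == party:
            return idx + 1
    return None


def certreq_outcome(exchange, party):
    """Trace a party that only asks for the peer's cert once it has seen
    a SIG payload.  Returns (sig_seen_in, certreq_in, cert_could_arrive_in);
    None marks a step for which the exchange has no message left."""
    sig_seen_in = next(i + 1 for i, (sender, payloads) in enumerate(exchange)
                       if sender == peer(party) and "SIG" in payloads)
    certreq_in = next_message_from(exchange, party, sig_seen_in)
    if certreq_in is None:
        return sig_seen_in, None, None
    cert_in = next_message_from(exchange, peer(party), certreq_in)
    return sig_seen_in, certreq_in, cert_in


def certreq_after_sig_works(exchange, party):
    """True only if the requested CERT could still arrive in-exchange."""
    return certreq_outcome(exchange, party)[2] is not None


if __name__ == "__main__":
    for name, ex in (("main", MAIN_MODE), ("aggressive", AGGRESSIVE_MODE)):
        for party in "IR":
            print(name, party, certreq_outcome(ex, party))
```

For main mode the responder sees SIG in message 5, can only ask in message 6, and no message 7 exists to carry the answer; the initiator sees SIG in message 6 and has no message left at all, which is the argument in the reply above.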