
Multiple Certificate Request Payloads



In cases where a machine can accept certificates issued by two or more
different CAs, we are considering using multiple instances of the Certificate
Request Payload to indicate to an IKE negotiating partner which CAs are
acceptable to the machine making the request.  When multiple Certificate Request
Payloads are present in a given IKE message, the semantics would be that the
recipient should respond with a certificate issued by at least one of the named
CAs. The recipient would not be required to respond with a certificate issued
by every named CA, but could return certificates issued by multiple CAs if it
so desired.

The description in ISAKMP section 5.10 on Certificate Payload Request processing
didn't talk about a case where multiple requests occur in a single IKE message,
so we are looking for feedback from the group on the use we're considering.  In
particular, is it legitimate to include multiple Certificate Request Payloads
in a single IKE message?

Regards,
Charlie

____________________________
Charles A Kunzinger (kunzinge@us.ibm.com)
TCP/IP Technology Management, JDGA/501, RTP
Phone: Tie 8-444-4142 ,  External 1-919-254-4142
Fax: Tie 8-444-6243,  External 1-919-254-6243
VM:  IBMUSM27(KUNZINGE)
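The proposal above (one Certificate Request Payload per acceptable CA, responder matches at least one) as an added Python example; this is not code from the thread or from any IKE implementation. The payload layout follows RFC 2408 section 3.10, while the DN strings and certificate bodies are constructed placeholders (a real implementation would carry DER-encoded names and certificates).

```python
import struct

# ISAKMP (RFC 2408) values used here
CERTREQ = 7            # Next Payload type: Certificate Request Payload
NONE = 0               # Next Payload type: end of payload chain
X509_SIG = 4           # Cert Encoding: X.509 Certificate - Signature

def build_certreq_chain(ca_names, encoding=X509_SIG):
    """Encode one Certificate Request Payload per CA, chained via Next Payload.
    Generic header: Next Payload (1), RESERVED (1), Payload Length (2)."""
    out = b""
    for i, ca in enumerate(ca_names):
        body = struct.pack("!B", encoding) + ca
        nxt = CERTREQ if i < len(ca_names) - 1 else NONE
        out += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body
    return out

def parse_certreq_chain(data, first_type=CERTREQ):
    """Walk the payload chain and return [(encoding, ca_bytes), ...] for every
    Certificate Request Payload; other payload types are skipped."""
    reqs, ptype, off = [], first_type, 0
    while ptype != NONE:
        if off + 4 > len(data):
            raise ValueError("truncated payload header")
        nxt, _, length = struct.unpack("!BBH", data[off:off + 4])
        if length < 5 or off + length > len(data):
            raise ValueError("bad payload length")
        if ptype == CERTREQ:
            reqs.append((data[off + 4], data[off + 5:off + length]))
        ptype, off = nxt, off + length
    return reqs

def choose_certificate(reqs, available):
    """Responder side: return the first local (issuer, cert) pair whose issuer
    matches ANY requested CA, i.e. the 'at least one named CA' rule.
    Returns None when no local certificate satisfies any request."""
    acceptable = {ca for enc, ca in reqs if enc == X509_SIG}
    for issuer, cert in available:
        if issuer in acceptable:
            return issuer, cert
    return None

if __name__ == "__main__":
    # constructed sample: initiator accepts two CAs, responder holds one of them
    chain = build_certreq_chain([b"CN=Example CA A", b"CN=Example CA B"])
    local = [(b"CN=Other CA", b"<cert0>"), (b"CN=Example CA B", b"<cert1>")]
    print(choose_certificate(parse_certreq_chain(chain), local))
```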