
RE: Multiple Certificate Request Payloads



> ----------
> From: 	Charles Kunzinger[SMTP:kunzinge@us.ibm.com]
> Sent: 	Friday, June 19, 1998 9:33 PM
> To: 	ipsec@tis.com
> Subject: 	Multiple Certificate Request Payloads
> 
> In cases where a machine can accept certificates issued by two or more
> different CAs, we are considering using multiple instances of the
> Certificate Request Payload to indicate to an IKE negotiating partner
> which CAs are acceptable to the machine making the request.  When
> multiple Certificate Request Payloads are present in a given IKE
> message, the semantics would be that the recipient should respond with
> a certificate issued by at least one of the named CAs. The recipient
> would not be required to respond with a certificate issued by every
> named CA, but could return certificates issued by multiple CAs if it so
> desired.
> 
> 
I think you have to respond with only one, which has the public key needed
to verify the signature payload, unless you are having the same public key
signed by multiple Certification Authorities, which in general is not a
good thing.

> The description in ISAKMP section 5.10 on Certificate Payload Request
> processing didn't talk about a case where multiple requests occur in a
> single IKE message, so we are looking for feedback from the group on the
> use we're considering.  In particular, is it legitimate to include
> multiple Certificate Request Payloads in a single IKE message?
> 
Multiple certificate request payloads are OK.  In previous versions of the
protocol only a single CRP was used which had a list of acceptable CAs.  To
make processing easier the payload format changed and now multiple CRPs are
used.

Bye.
----
Greg Carter, Entrust Technologies
greg.carter@entrust.com
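As an added example (not code from either message in this thread), here is how a receiver might walk a chain of ISAKMP Certificate Request payloads and apply the semantics discussed above: reply with the certificate for the key that signs the exchange, provided it was issued by at least one of the named CAs. The payload layout follows RFC 2408; the CA names, key identifiers and local certificate store are constructed.

```python
import struct

PAYLOAD_CERTREQ = 7   # ISAKMP payload type: Certificate Request (RFC 2408, section 3.10)
ENC_X509_SIG = 4      # Certificate encoding: X.509 Certificate - Signature

def build_certreq(ca, next_payload=0, enc=ENC_X509_SIG):
    """Encode one CERTREQ payload: generic header (Next Payload, RESERVED, Length)
    followed by the certificate encoding byte and the CA name."""
    body = bytes([enc]) + ca
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body

def parse_certreq_chain(data, first_type):
    """Walk a chain of ISAKMP payloads and collect every CA named by a CERTREQ.
    Length fields are checked against the buffer so a bad length cannot overrun it."""
    cas, ptype, off = [], first_type, 0
    while ptype != 0:
        if off + 4 > len(data):
            raise ValueError("truncated payload header")
        nxt, _reserved, plen = struct.unpack_from("!BBH", data, off)
        if plen < 4 or off + plen > len(data):
            raise ValueError("payload length outside message")
        if ptype == PAYLOAD_CERTREQ:
            if plen < 5:
                raise ValueError("CERTREQ missing encoding byte")
            cas.append((data[off + 4], bytes(data[off + 5:off + plen])))
        off, ptype = off + plen, nxt
    return cas

def choose_certificate(requested_cas, local_certs, signing_key_id):
    """Respond with the certificate for the key that signs this exchange, provided
    it was issued by at least one of the named CAs; one such certificate is enough."""
    acceptable = {ca for enc, ca in requested_cas if enc == ENC_X509_SIG}
    for cert in local_certs:
        if cert["key_id"] == signing_key_id and cert["issuer"] in acceptable:
            return cert
    return None   # no certificate for the signing key from an acceptable CA

# Constructed sample: two CERTREQ payloads chained together, then a local
# certificate store keyed by the identifier of the private key each one belongs to.
REQUEST = build_certreq(b"CN=Example CA 1", next_payload=PAYLOAD_CERTREQ) + \
          build_certreq(b"CN=Example CA 2")
LOCAL_CERTS = [
    {"issuer": b"CN=Example CA 2", "key_id": "rsa-key-a"},
    {"issuer": b"CN=Other CA",     "key_id": "rsa-key-a"},
]
```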