
RE: X.509 certificate format



The DOI suggests that the ID payload is used to do policy lookup.  To make
sure the presented ID is OK, during IKE exchanges authenticated via
signatures/certificates you should validate that the ID in the ID payload is
in the certificate.  The place to look for these types of names (rfc822, dns,
ip address) is the subjectAltName extension.  Read
http://www.ietf.org/internet-drafts/draft-ietf-pkix-ipki-part1-08.txt
section 4.2.1.7 for formatting of various subjectAltNames.

Bye.
----
Greg Carter, Entrust Technologies
greg.carter@entrust.com


> ----------
> From: 	Michael Giniger[SMTP:mginiger@tiac.net]
> Sent: 	Tuesday, July 14, 1998 12:23 PM
> To: 	ipsec@tis.com
> Subject: 	X.509 certificate format
> 
> Hi
> 
> I am trying to determine the working format for the X.509 certificate as
> applied to IKE testing.  In particular, is the subject identifier using
> the altsubjectname and if so what is the format for encoding the IPv4
> address?
> an RFC822 name?
> a full domain name?
> 
> Are there any special characteristics for the X.509 certificate as used
> by IKE that are different from the standard X.509 format?
> 
> Thank you very much for your help
> 
> sincerely
> Michael Giniger
> 
>
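The check Greg describes in the reply above (comparing the ID payload against the peer certificate's subjectAltName instead of trusting the payload on its own), as an added example that is not part of the original post and not Entrust code: a pure-Python decoder for the GeneralNames SEQUENCE carried in the subjectAltName extension, mapping the rfc822Name [1], dNSName [2] and iPAddress [7] forms from section 4.2.1.7 to the IPsec DOI ID types (ID_USER_FQDN, ID_FQDN, ID_IPV4_ADDR, ID_IPV6_ADDR from RFC 2407), and a matcher that fails closed on malformed DER. The extension bytes, the presented IDs and all function names are constructed for this example; the normalization rules (case-insensitive domain part and case-sensitive local part of an rfc822Name, trailing dot stripped from an FQDN, exact match only, no wildcards) are assumptions, not something the post specifies.

```python
"""Validate an IKE ID payload against a certificate's subjectAltName.

Added example, not from the mailing-list post or from Entrust.  Pure
Python, no X.509 library, so the GeneralName encodings are visible.
The subjectAltName bytes and presented IDs are constructed for this example.
"""
import ipaddress

# IKE ID payload types from the IPsec DOI (RFC 2407, section 4.6.2.1).
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3
ID_IPV6_ADDR = 5

# GeneralName is IMPLICITly tagged, so the tag byte is 0x80 | choice number.
TAG_RFC822 = 0x81   # [1] rfc822Name, IA5String
TAG_DNS = 0x82      # [2] dNSName, IA5String
TAG_IP = 0x87       # [7] iPAddress, OCTET STRING (4 bytes IPv4, 16 IPv6)


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos:]; return (tag, value, next)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:       # indefinite / absurd lengths
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER value")
    return tag, value, pos + length


def _norm_fqdn(s):
    # Assumed rule: DNS names compare case-insensitively, trailing dot ignored.
    return s.lower().rstrip(".")


def _norm_email(s):
    # Assumed rule: domain part case-insensitive, local part case-sensitive.
    local, sep, domain = s.rpartition("@")
    if not sep:
        raise ValueError("rfc822Name without '@'")
    return local + "@" + _norm_fqdn(domain)


def parse_subject_alt_names(san_der):
    """Return [(ike_id_type, normalized value)] from a DER GeneralNames SEQUENCE.

    Name forms IKE cannot carry (directoryName, URI, otherName, ...) are skipped.
    Raises ValueError on malformed input.
    """
    tag, body, end = _read_tlv(san_der, 0)
    if tag != 0x30 or end != len(san_der):
        raise ValueError("subjectAltName is not a single SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag == TAG_RFC822:
            names.append((ID_USER_FQDN, _norm_email(val.decode("ascii"))))
        elif tag == TAG_DNS:
            names.append((ID_FQDN, _norm_fqdn(val.decode("ascii"))))
        elif tag == TAG_IP and len(val) == 4:
            names.append((ID_IPV4_ADDR, ipaddress.IPv4Address(val)))
        elif tag == TAG_IP and len(val) == 16:
            names.append((ID_IPV6_ADDR, ipaddress.IPv6Address(val)))
    return names


def id_matches_cert(id_type, id_data, san_der):
    """True iff the ID payload (type, data) equals a SAN entry of the same form.

    Any decoding problem in the certificate or the payload is treated as a
    mismatch (fail closed) rather than raising into the IKE state machine.
    """
    try:
        if id_type == ID_IPV4_ADDR:
            presented = ipaddress.IPv4Address(id_data)   # 4 raw bytes
        elif id_type == ID_IPV6_ADDR:
            presented = ipaddress.IPv6Address(id_data)   # 16 raw bytes
        elif id_type == ID_FQDN:
            presented = _norm_fqdn(id_data.decode("ascii"))
        elif id_type == ID_USER_FQDN:
            presented = _norm_email(id_data.decode("ascii"))
        else:
            return False                                 # form not checkable here
        return (id_type, presented) in parse_subject_alt_names(san_der)
    except ValueError:                                   # includes UnicodeDecodeError
        return False


# Constructed subjectAltName value: SEQUENCE { rfc822Name, dNSName, iPAddress }.
SAMPLE_SAN = (
    b"\x30\x2a"
    b"\x81\x11" b"alice@example.com"          # [1] rfc822Name
    b"\x82\x0f" b"vpn.example.com"            # [2] dNSName
    b"\x87\x04" b"\xc0\x00\x02\x01"           # [7] iPAddress 192.0.2.1
)

if __name__ == "__main__":
    for t, data in [(ID_FQDN, b"VPN.example.com."),
                    (ID_IPV4_ADDR, b"\xc0\x00\x02\x01"),
                    (ID_USER_FQDN, b"Alice@example.com"),
                    (ID_FQDN, b"example.com")]:
        print(t, data, id_matches_cert(t, data, SAMPLE_SAN))
```

The match is exact per name form: a dNSName never satisfies an ID_USER_FQDN payload, a parent domain does not satisfy a host FQDN, and an unparsable extension rejects the peer. This only answers "does the presented ID belong to this certificate"; chain validation and the signature check over the IKE exchange still have to succeed separately.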