
Certificates, CRLs and Security Associations



I have been reviewing ISAKMP and IKE particularly with respect to use of
certificates, and certificate path validation during signature validation and
have a couple of questions:

1. In ISAKMP section 5.10 and in IKE section 5.1, no mention of CRLs is made in
the description of signature validation. Should a CRL be consulted to determine
the signing certificate's status? Should either of the standards reference,
possibly, the PKIX or ANSI work defining certificate path validation?

2. If it makes sense to introduce CRL checks for certificate status, should an
effort be made to allow ISAKMP SA content invalidation for that which was
established using a revoked certificate? In other words, if a CRL is received,
can we identify and terminate active SAs that were created using revoked
certificates? If so, how would an application identify the SA to terminate based
on the entry in the CRL, which is merely a serial number, revocation date and
issuer DN?

If anyone could point me to the draft that details this it would be a big help.

regards
-chad


*****************************************************************************
Chad Goss                                            978-287-6288
Senior Software Engineer                      chad.goss@tccmail.fabrik.com
Technical Communications Corporation
100 Domino Drive, Concord Ma. 01742
*****************************************************************************
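An added illustration of the mapping the second question asks about (this code is not from the post, nor from the ISAKMP or IKE drafts): the SA record keeps the issuer DN and serial number of the certificate that signed the peer's authentication data, and a received CRL is matched against those records by issuer plus serial, since serial numbers are only unique within one issuer. The data structures, function names, sample data and the simplified DN comparison are all assumptions made for the example.

```python
"""Map CRL entries back to the IKE/ISAKMP SAs authenticated with the revoked
certificate.  Illustrative code; structures and names are assumed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List


@dataclass(frozen=True)
class CertRef:
    """Issuer DN plus serial number: the pair that uniquely names a certificate.
    The CRL carries the issuer, each CRL entry carries the serial, so an SA that
    records both at signature-validation time can later be matched."""
    issuer_dn: str
    serial: int


@dataclass
class SecurityAssociation:
    spi: int                  # handle the application uses to delete the SA
    peer_cert: CertRef        # certificate that signed the peer's auth data
    established: datetime


@dataclass
class CRLEntry:
    serial: int
    revocation_date: datetime


@dataclass
class CRL:
    issuer_dn: str
    this_update: datetime
    next_update: datetime
    entries: List[CRLEntry]


def normalize_dn(dn: str) -> str:
    """Simplified DN comparison (trim whitespace around RDNs, ignore case).
    Full RFC 5280 name matching is more involved; this is a stand-in."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def crl_is_current(crl: CRL, now: datetime) -> bool:
    """A CRL is usable between thisUpdate and nextUpdate."""
    return crl.this_update <= now < crl.next_update


def is_revoked_by(crl: CRL, cert: CertRef, now: datetime) -> bool:
    """True if the CRL lists the certificate as revoked at time `now`.
    The issuer must match before the serial is compared: two CAs may both
    have issued a certificate with the same serial number."""
    if normalize_dn(crl.issuer_dn) != normalize_dn(cert.issuer_dn):
        return False
    return any(e.serial == cert.serial and e.revocation_date <= now
               for e in crl.entries)


def sas_to_terminate(sas: List[SecurityAssociation], crl: CRL,
                     now: datetime) -> List[int]:
    """SPIs of SAs whose peer certificate this CRL revokes.  A stale CRL
    (past nextUpdate) is rejected rather than silently trusted."""
    if not crl_is_current(crl, now):
        raise ValueError("CRL is not current; refresh it before acting on it")
    return [sa.spi for sa in sas if is_revoked_by(crl, sa.peer_cert, now)]


# Constructed sample data (not real certificates or CRLs).
CA_DN = "C=US, O=Example CA, CN=Example Issuing CA"
OTHER_CA_DN = "C=US, O=Other CA, CN=Other Issuing CA"
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
STALE_NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)

SAMPLE_CRL = CRL(
    issuer_dn="c=us,o=example ca,cn=example issuing ca",   # same DN, different case
    this_update=datetime(2024, 5, 1, tzinfo=timezone.utc),
    next_update=datetime(2024, 6, 15, tzinfo=timezone.utc),
    entries=[CRLEntry(0x1A2B, datetime(2024, 5, 20, tzinfo=timezone.utc)),
             CRLEntry(0x3C4D, datetime(2024, 5, 25, tzinfo=timezone.utc))],
)

SAMPLE_SAS = [
    SecurityAssociation(0x1001, CertRef(CA_DN, 0x1A2B), datetime(2024, 4, 10, tzinfo=timezone.utc)),
    SecurityAssociation(0x1002, CertRef(CA_DN, 0x9999), datetime(2024, 4, 11, tzinfo=timezone.utc)),
    SecurityAssociation(0x1003, CertRef(OTHER_CA_DN, 0x1A2B), datetime(2024, 4, 12, tzinfo=timezone.utc)),
    SecurityAssociation(0x1004, CertRef(CA_DN, 0x3C4D), datetime(2024, 4, 13, tzinfo=timezone.utc)),
]


def demo() -> List[int]:
    """SAs 0x1001 and 0x1004 match by issuer and serial; 0x1003 shares a serial
    with a revoked certificate but was issued by a different CA, so it stays."""
    return sas_to_terminate(SAMPLE_SAS, SAMPLE_CRL, NOW)


if __name__ == "__main__":
    print([hex(spi) for spi in demo()])
```

The design point is that the SA must record the peer certificate's issuer and serial when the signature is validated; without that record, a CRL entry cannot be tied to any SA. The revocation date is compared against the current time rather than the SA's establishment time, so an SA set up before the certificate was revoked is still torn down once the CRL arrives.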