
Re: questions: key length & cert retrieve: draft-ietf-ipsec-pki-req-01.txt



At 02:37 PM 9/10/98 -0400, you wrote:
>I'm new, don't know enough, and have two questions.
>
>1) In section 2.2, it is stated
>
>	All the certificates used in the IPSec device and the PKI must 
>	be of the same key length.
>
>So, for examples, I can't have a CA with a 2048-bit key signs a cert of 
>1024-bit key for my IPsec device. Why?

I said it the way I did to keep things simple. A 2048 signing a 1024 seems safe, although "downshifting" is still questionable. A 512 signing a 1024 seems insecure, to me.

>
>2) In section 3.2, it is stated
>
>	IPSec devices MUST be able to retrieve their own fulfilled
>	certificates, signing certificates for other IPSec devices, and
>	identification certificates for other IPSec devices.
>
>Does this mean that, from an IPsec device, I can query cert of other IPsec
>devices even without establishing any communication to them?

No, it means you have to possess your own cert and the signing cert[s] for the other party in order to do this.

>
>Yung-Kao Hsu
>Lucent Technologies
> 
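
An added example, not code from the draft or from anyone in this thread: a Go check that walks an X.509 chain (leaf first, root last) and compares each subject's RSA modulus with its signer's, flagging the "512 signing a 1024" case as insecure and the "2048 signing a 1024" case as a downshift. makeCert and CheckKeyLengths are hypothetical helper names, and the certificates are constructed in memory purely for the demonstration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// makeCert issues a CA or end-entity certificate for key (hypothetical helper).
// With parent == nil it is self-signed; otherwise signer, whose public key is
// carried in parent, signs it.
func makeCert(key *rsa.PrivateKey, parent *x509.Certificate, signer *rsa.PrivateKey, isCA bool) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CheckKeyLengths walks a chain ordered leaf -> ... -> root and compares each
// subject's RSA modulus with its signer's: a shorter signer is INSECURE (the
// "512 signing a 1024" case), a longer signer is reported as a downshift.
func CheckKeyLengths(chain []*x509.Certificate) []string {
	var findings []string
	for i := 0; i+1 < len(chain); i++ {
		subj, ok1 := chain[i].PublicKey.(*rsa.PublicKey)
		sgnr, ok2 := chain[i+1].PublicKey.(*rsa.PublicKey)
		if !ok1 || !ok2 { continue } // only RSA moduli are compared here
		sb, gb := subj.N.BitLen(), sgnr.N.BitLen()
		switch {
		case gb < sb:
			findings = append(findings, fmt.Sprintf("link %d: INSECURE %d-bit signer for %d-bit subject", i, gb, sb))
		case gb > sb:
			findings = append(findings, fmt.Sprintf("link %d: downshift %d-bit signer for %d-bit subject", i, gb, sb))
		}
	}
	return findings
}
```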
