Re: questions: key length & cert retrieve: draft-ietf-ipsec-pki-req-01.txt
At 02:37 PM 9/10/98 -0400, you wrote:
>I'm new, don't know enough, and have two questions.
>
>1) In section 2.2, it is stated
>
> All the certificates used in the IPSec device and the PKI must
> be of the same key length.
>
>So, for example, I can't have a CA with a 2048-bit key sign a cert of
>1024-bit key for my IPsec device. Why?
I said it the way I did to keep things simple. A 2048 signing a 1024 seems safe, although "downshifting" is still questionable. A 512 signing a 1024 seems insecure to me.
>
>2) In section 3.2, it is stated
>
> IPSec devices MUST be able to retrieve their own fulfilled
> certificates, signing certificates for other IPSec devices, and
> identification certificates for other IPSec devices.
>
>Does this mean that, from an IPsec device, I can query the cert of other IPsec
>devices even without establishing any communication to them?
No, it means you have to possess your own cert and the signing cert[s] for the other party in order to do this.
>
>Yung-Kao Hsu
>Lucent Technologies
>