cert request payload proposal
In talking to Dan Harkins about Cert Request payloads, I thought of
something that might satisfy a few requirements, including comments
from you two. How about something like this...

Proposal to extend IKE Cert Request Payload Format
==================================================

Rodney Thayer <rodney@tillerman.nu>

Currently the Cert Request payload has by tradition contained either
NOTHING or a DN of an Issuer. I propose to document and extend this:

If the contents of the Cert Request payload is EMPTY then the receiver
is to respond with any valid certificate.

If the contents of the Cert Request payload is not empty, it should
contain this:

  first byte 0x30 -- entire contents is Distinguished Name of an issuer
                     (for backwards compatibility)

  first byte 0x00 -- remainder is one DN of one issuer

  first byte 0x01 -- list of hashes of public keys of issuers the sender
                     is willing to work with (do I have to do this once
                     for RSA and once for DSA?):

                       first byte          - 0x01
                       second, third bytes - count (network order) of hashes
                       fourth..last bytes  - SHA-1 hashes of public keys,
                                             20*(count) bytes total, max is
                                             UDP max size

  first byte 0x02 -- remainder is PKCS-7 wrapped list of certs of issuers,
                     RFC23xx format for PKCS-7 wrapped list of certificates

  first byte 0x80..0x2f, 0x31..0xff -- reserved for private use

  first byte 0x03..0x7f -- reserved for IANA
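
Added example, not part of the original message: a Python parser for the Cert Request body as laid out in the proposal above, showing the length checks a receiver needs before trusting the count field. The function names and the returned dict shape are hypothetical; any first byte other than 0x30, 0x00, 0x01 or 0x02 is simply rejected as reserved, and the key bytes fed to SHA-1 are constructed samples because the proposal does not say which encoding of the public key is hashed.

```python
import hashlib
import struct

SHA1_LEN = 20  # the proposal specifies SHA-1 hashes of issuer public keys


class CertReqError(ValueError):
    """Raised when a Cert Request body does not match the proposed layout."""


def parse_cert_request(body: bytes) -> dict:
    """Parse the body of a Cert Request payload (hypothetical helper)."""
    if not body:
        # Empty payload: the receiver may answer with any valid certificate.
        return {"kind": "any"}
    tag = body[0]
    if tag == 0x30:
        # Backwards-compatible form: the entire contents, tag included, is the DN.
        return {"kind": "issuer_dn", "dn": body}
    if tag == 0x00:
        if len(body) < 2:
            raise CertReqError("type 0x00 carries no DN bytes")
        return {"kind": "issuer_dn", "dn": body[1:]}
    if tag == 0x01:
        if len(body) < 3:
            raise CertReqError("type 0x01 truncated before the count field")
        (count,) = struct.unpack("!H", body[1:3])  # network order
        blob = body[3:]
        # The sender-supplied count must agree with the bytes actually received.
        if len(blob) != count * SHA1_LEN:
            raise CertReqError(
                f"count={count} needs {count * SHA1_LEN} bytes, got {len(blob)}")
        hashes = [blob[i:i + SHA1_LEN] for i in range(0, len(blob), SHA1_LEN)]
        return {"kind": "key_hashes", "hashes": hashes}
    if tag == 0x02:
        if len(body) < 2:
            raise CertReqError("type 0x02 carries no PKCS-7 bytes")
        return {"kind": "pkcs7_certs", "pkcs7": body[1:]}  # left opaque here
    raise CertReqError(f"first byte 0x{tag:02x} is reserved")


def build_key_hash_request(public_keys: list) -> bytes:
    """Encode a type 0x01 body from raw key byte strings (encoding assumed)."""
    digests = b"".join(hashlib.sha1(k).digest() for k in public_keys)
    return b"\x01" + struct.pack("!H", len(public_keys)) + digests


# Constructed sample keys, not real key material.
SAMPLE_KEYS = [b"constructed-issuer-key-A", b"constructed-issuer-key-B"]
```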