cert request payload proposal

[Rodney Thayer <rodney@tillerman.nu>]

In talking to Dan Harkins about Cert Request payloads, I thought of
something that might satisfy a few requirements, including comments
from you two.  How about something like this...

Proposal to extend IKE Cert Request Payload Format
==================================================
Rodney Thayer <rodney@tillerman.nu>

Currently the Cert Request payload has by tradition contained either
NOTHING or a DN of an Issuer.  I propose to document and extend this:

If the contents of the Cert Request payload is EMPTY then the receiver
is to respond with any valid certificate.

If the contents of the Cert Request payload is not empty, it should
contain this:

  first byte 0x30 -- entire contents is Distinguished Name of an issuer
                    (for backwards compatibility)

  first byte 0x00 -- remainder is one DN of one issuer

  first byte 0x01 -- list of hashes of public keys of issuers the sender
                     is willing to work with (do I have to do this once 
                     for RSA and once for DSA?):
                     first byte          - 0x01
                     second, third bytes - count (network order) of hashes
                     fourth..last bytes  - SHA-1 hashes of public keys,
                                           20*(count) bytes total, max is
                                           UDP max size

  first byte 0x02 -- remainder is PKCS-7 wrapped list of certs of issuers,
                     RFC23xx format for PKCS-7 wrapped list of certificates

  first byte 0x80..0x2f, 0x31..0xff -- reserved for private use

  first byte 0x03..0x7f -- reserved for IANA

---

• Prev by Date: RE: null encryption
• Next by Date: I-D ACTION:draft-wallner-key-arch-01.txt
• Prev by thread: Re: Redmond Bakeoff Summary Report (long)
• Next by thread: I-D ACTION:draft-wallner-key-arch-01.txt
• Index(es):
  • Main
  • Thread