
Re: How do IKE peers synchronize public keys ?



Thanks Tero,

I think some wording should be added to IKE drafts, see below.


Tero Kivinen wrote:
> 
> Sara Bitan writes:
> > Suppose two IKE peers want to issue an ISAKMP sa using RSA signature (or
> > encryption) mode.
> > The initiator has two certificates, one from CA A, and another from CA
> > B. He now has to make a decision which public key to use for the ID
> > message authentication.
> > So he sends two certificate requests to the responder, one
> > with CA A, the other with CA B. There is a hidden assumption here, taken
> > by the initiator: if the responder sends back a certificate (or a
> > certificate chain) for a certain CA then he is ready to use a
> > certificate (chain) issued by this CA.
> >
> > Assume further that the responder has certificates both from CA A and
> > from CA B, so he sends both certificates to the initiator.
> 
> If the certificates both are for the same public key this is ok, and
> it doesn't matter which one the initiator uses. If the public key is
> different, then I think the responder MUST not send two end user
> certificates, only one.
> 
> > The initiator now uses one of his keys (either the one certified by CA
> > A, or the one certified by CA B) to authenticate the ID message. The
> > responder doesn't know which key was used by the initiator (unless he
> > checks all possibilities).
> >
> > I think that this scenario is possible with the current IKE/ISAKMP
> > drafts.
> 
> Yes, the current draft doesn't limit that, but implementations
> should...
> 

The limitation must come from the drafts, since as an initiator I must
in this case rely on the responder's good will (i.e. not to send back
two certificates from different CAs for different public keys).

> > A possible solution might be that the responder will
> > send always only one certificate, and this certificate will be used for
> > the authentication. We can view that as a proposal for several
> > certificates sent by the initiator, to which the responder answers with a
> > single choice.
> 
> I would say that the IKE endpoint must only send certificates leading
> to one public key, which must also match the one used in the
> authentication. The draft should say that IKE endpoint MUST not send
> end user certificates for multiple public keys.
> 
> > The problem becomes even worse when both peers start caching their
> > certificates. If you have several certificates you have already received
> > from a peer, how do you know which one to use to authenticate his ID
> > message?
> --
> kivinen@iki.fi                               Work : +358-9-4354 3218
> SSH Communications Security                  http://www.ssh.fi/
> SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
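
A receiver-side check for the rule proposed in this thread (end-user certificates from a peer must all lead to one public key), added here as an illustration and not taken from the thread or from any IKE implementation. The `Cert` record, the name-based chain matching and the function names are assumptions made for the example; the sample payloads are constructed.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for a parsed X.509 certificate (not a real parser)."""
    subject: str
    issuer: str
    spki: bytes  # encoded SubjectPublicKeyInfo, i.e. the certified public key

class AmbiguousPeerKey(Exception):
    """Peer's end-user certificates do not lead to exactly one public key."""

def end_entity_certs(certs):
    # A certificate whose subject issued another certificate in the same
    # exchange belongs to a chain (a CA), so it is not an end-user certificate.
    # Matching on names alone is a simplification assumed for this example.
    issuers = {c.issuer for c in certs if c.issuer != c.subject}
    return [c for c in certs if c.subject not in issuers]

def select_auth_key(certs):
    """Return the SHA-256 fingerprint of the single public key the peer's
    end-user certificates lead to; raise if there is none or more than one."""
    keys = {hashlib.sha256(c.spki).hexdigest() for c in end_entity_certs(certs)}
    if len(keys) != 1:
        raise AmbiguousPeerKey(f"{len(keys)} candidate public keys")
    return keys.pop()

def is_ambiguous(certs):
    try:
        select_auth_key(certs)
        return False
    except AmbiguousPeerKey:
        return True

# Constructed sample certificate payloads.
KEY1, KEY2 = b"spki-key-1", b"spki-key-2"
same_key = [Cert("peer", "CA A", KEY1), Cert("peer", "CA B", KEY1)]  # acceptable
two_keys = [Cert("peer", "CA A", KEY1), Cert("peer", "CA B", KEY2)]  # rejected
chain = [Cert("peer", "Sub CA", KEY1), Cert("Sub CA", "CA A", b"spki-sub-ca")]

if __name__ == "__main__":
    for name, payload in [("same_key", same_key), ("two_keys", two_keys), ("chain", chain)]:
        print(name, "ambiguous" if is_ambiguous(payload) else select_auth_key(payload))
```

The same check applied to a per-peer certificate cache covers the caching case raised at the end of the message: a cache entry that resolves to more than one key is rejected instead of being tried key by key.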

