
BOUNCE ipsec@portal.ex.tis.com: Non-member submission from [Will Price <wprice@cyphers.net>]



>From majordomo-owner  Fri Nov 20 14:50:55 1998
Message-ID: <3655CC64.F3493E09@cyphers.net>
Date: Fri, 20 Nov 1998 12:09:12 -0800
From: Will Price <wprice@cyphers.net>
X-Mailer: Mozilla 4.5 (Macintosh; U; PPC)
X-Accept-Language: en
MIME-Version: 1.0
To: SALLE Mathias <matsal@hplb.hpl.hp.com>
CC: ipsec@tis.com
Subject: Re: Work around using SPKI certificates instead of X509
References: <3655A8F2.FE209139@hplb.hpl.hp.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IKE is particularly brain dead with regard to certificate type
negotiation (i.e., there is no certificate type negotiation).

In the absence of such, I've been using the Vendor ID field with a
generic value such as "SPKI" or "OpenPGP1" to get some idea of whether
the remote system supports a particular certificate type.  Since
inclusion of multiple Vendor ID payloads is allowed, this is an
adequate solution for now.  This really needs to become an attribute
in the IKE transform for the next version of IKE.

- -Will
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2

iQA/AwUBNlXMGqy7FkvPc+xMEQKTOQCeNEMmGCODcQQyWp8gaL7zNbov0FUAoPlv
sa36Ayfb/4sbkZsSTpF+OFLZ
=wGyN
-----END PGP SIGNATURE-----



SALLE Mathias wrote:
> 
> hi,
> 
> REFERENCE: ipsec drafts, SPKI drafts
> PROBLEM:
>  Is it possible to use ISAKMP/Oakley to establish an SA and at the same
> time exchange users' SPKI certificates, this in a context of a Host to
> Host mode?
> 
> QUESTION:
>  Is there any workaround using SPKI certificates instead of X509
> certificates in ISAKMP?
> 
>  If no, would it be possible to use Certificate Request Payload and
> Certificate Payload to exchange SPKI certificates? Are there any drafts
> on that?
> 
>  The Extended Authentication Within ISAKMP/Oakley
> <draft-ietf-ipsec-isakmp-xauth-03.txt> describes different authentication
> methods but none of them are related to this problem.
> 
> I will appreciate all your comments,
> 
> thanks
> 
> regards,
> 
> mathias
> --
> ___________________________________________
> Mathias SALLE
> Networked Systems Dpt.
> Hewlett-Packard Research Labs
> Filton Road
> Stoke Gifford
> Bristol  BS12 6QZ, UK
> 
> E-mail: matsal@otter.hpl.hp.com
> Tel   : +44 (0)117 922 9753
> ___________________________________________

-- 

Will Price, Architect/Sr. Mgr., PGP Client Products
Total Network Security Division
Network Associates, Inc.
Direct  (408)346-5906
Cell/VM (650)533-0399
<pgpfone://cast.cyphers.net>

PGPkey: <http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0xCF73EC4C>
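
The Vendor ID signalling described in the reply above, as an added example that is not part of the original message or of any IKE implementation: it walks the RFC 2408 payload chain of a constructed ISAKMP message, bounds-checks every length, and reports which certificate types the peer advertises. The function names are hypothetical, and it assumes the marker strings "SPKI" and "OpenPGP1" are carried as raw ASCII in the Vendor ID body.

```python
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # RFC 2408 fixed header, 28 bytes
GENERIC_HDR = struct.Struct("!BBH")        # next payload, reserved, payload length
PAYLOAD_NONE, PAYLOAD_SA, PAYLOAD_VID = 0, 1, 13
# Marker values quoted in the message; matching them as raw ASCII is an assumption.
CERT_TYPE_MARKERS = {b"SPKI": "SPKI", b"OpenPGP1": "OpenPGP"}


def build_message(payloads):
    """Build a constructed ISAKMP message from (payload_type, body) pairs."""
    chain = b""
    for i, (_, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else PAYLOAD_NONE
        chain += GENERIC_HDR.pack(nxt, 0, GENERIC_HDR.size + len(body)) + body
    first = payloads[0][0] if payloads else PAYLOAD_NONE
    # Cookies are placeholders; version 1.0, exchange type 2, no flags, message ID 0.
    return ISAKMP_HDR.pack(b"\x11" * 8, b"\x00" * 8, first, 0x10, 2, 0, 0,
                           ISAKMP_HDR.size + len(chain)) + chain


def vendor_ids(message):
    """Return the bodies of all Vendor ID payloads, validating every length."""
    if len(message) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    _, _, nxt, _, _, _, _, total = ISAKMP_HDR.unpack_from(message)
    if total != len(message):
        raise ValueError("header length does not match datagram size")
    offset, found = ISAKMP_HDR.size, []
    while nxt != PAYLOAD_NONE:
        if offset + GENERIC_HDR.size > total:
            raise ValueError("payload header runs past end of message")
        following, _, plen = GENERIC_HDR.unpack_from(message, offset)
        # A length below 4 would stall the walk; one past the end would over-read.
        if plen < GENERIC_HDR.size or offset + plen > total:
            raise ValueError("bad payload length")
        if nxt == PAYLOAD_VID:
            found.append(message[offset + GENERIC_HDR.size:offset + plen])
        offset, nxt = offset + plen, following
    return found


def peer_cert_types(message):
    """Map Vendor ID payloads to the certificate types the peer advertises."""
    return sorted({CERT_TYPE_MARKERS[v] for v in vendor_ids(message)
                   if v in CERT_TYPE_MARKERS})


# Constructed sample: a placeholder SA body, two marker VIDs and one unrelated VID.
SAMPLE = build_message([(PAYLOAD_SA, b"\x00" * 8), (PAYLOAD_VID, b"SPKI"),
                        (PAYLOAD_VID, b"OpenPGP1"), (PAYLOAD_VID, b"\xde\xad\xbe\xef")])
```

Vendor ID payloads in the first IKE messages are unauthenticated, so the result is a hint for choosing which certificate to send; the certificate the peer actually presents still has to be validated.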