
RE: Work around using SPKI certificates instead of X509



Why wouldn't you use the Certificate Request Payload with type SPKI or PGP?

    Certificate Type                        Value
    --------------------------------------  --------
    NONE                                    0
    PKCS #7 wrapped X.509 certificate       1
    PGP Certificate                         2
    DNS Signed Key                          3
    X.509 Certificate - Signature           4
    X.509 Certificate - Key Exchange        5
    Kerberos Tokens                         6
    Certificate Revocation List (CRL)       7
    Authority Revocation List (ARL)         8
    SPKI Certificate                        9
    X.509 Certificate - Attribute           10
    RESERVED                                11 - 255
----
Greg Carter, Entrust Technologies
greg.carter@entrust.com


> ----------
> From: 	owner-ipsec@ex.tis.com[SMTP:owner-ipsec@ex.tis.com]
> Sent: 	Friday, November 20, 1998 2:51 PM
> To: 	owner-ipsec@tis.com
> Subject: 	BOUNCE ipsec@portal.ex.tis.com:    Non-member submission
> from [Will Price <wprice@cyphers.net>]   
> 
> From: Will Price <wprice@cyphers.net>
> X-Mailer: Mozilla 4.5 (Macintosh; U; PPC)
> X-Accept-Language: en
> MIME-Version: 1.0
> To: SALLE Mathias <matsal@hplb.hpl.hp.com>
> CC: ipsec@tis.com
> Subject: Re: Work around using SPKI certificates instead of X509
> References: <3655A8F2.FE209139@hplb.hpl.hp.com>
> Content-Type: text/plain; charset=us-ascii
> Content-Transfer-Encoding: 7bit
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> IKE is particularly brain dead with regards to certificate type
> negotiation (ie there is no certificate type negotiation).
> 
> In the absence of such, I've been using the Vendor ID field with a
> generic value such as "SPKI" or "OpenPGP1" to get some idea of whether
> the remote system supports a particular certificate type.  Since
> inclusion of multiple Vendor ID payloads is allowed, this is an
> adequate solution for now.  This really needs to become an attribute
> in the IKE transform for the next version of IKE.
> 
> - -Will
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.0.2
> 
> iQA/AwUBNlXMGqy7FkvPc+xMEQKTOQCeNEMmGCODcQQyWp8gaL7zNbov0FUAoPlv
> sa36Ayfb/4sbkZsSTpF+OFLZ
> =wGyN
> -----END PGP SIGNATURE-----
> 
> 
> 
> SALLE Mathias wrote:
> > 
> > hi,
> > 
> > REFERENCE: ipsec drafts, SPKI drafts
> > PROBLEM:
> >  Is it possible to use ISAKMP/Oakley to establish an SA and at the same
> > time exchange users' SPKI certificates, in the context of a Host to
> > Host mode?
> > 
> > QUESTION:
> >  Is there any work around using SPKI certificates instead of X509
> > certificates in ISAKMP?
> > 
> >  If not, would it be possible to use the Certificate Request Payload and
> > Certificate Payload to exchange SPKI certificates? Are there any drafts
> > on that?
> > 
> >  The Extended Authentication Within ISAKMP/Oakley draft
> > <draft-ietf-ipsec-isakmp-xauth-03.txt> describes different authentication
> > methods, but none of them are related to this problem.
> > 
> > I will appreciate all your comments,
> > 
> > thanks
> > 
> > regards,
> > 
> > mathias
> > --
> > ___________________________________________
> > Mathias SALLE
> > Networked Systems Dpt.
> > Hewlett-Packard Research Labs
> > Filton Road
> > Stoke Gifford
> > Bristol  BS12 6QZ, UK
> > 
> > E-mail: matsal@otter.hpl.hp.com
> > Tel   : +44 (0)117 922 9753
> > ___________________________________________
> 
> -- 
> 
> Will Price, Architect/Sr. Mgr., PGP Client Products
> Total Network Security Division
> Network Associates, Inc.
> Direct  (408)346-5906
> Cell/VM (650)533-0399
> <pgpfone://cast.cyphers.net>
> 
> PGPkey: <http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0xCF73EC4C>
>
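Added example (not code from this thread or from any of the posters' products): a small encoder and parser for the two ISAKMP payloads the thread turns on, the Certificate Request payload with the certificate-type codes from Greg's table (RFC 2408 section 3.10, type codes from section 3.9) and the Vendor ID payload that Will uses as a stand-in for certificate-type negotiation (RFC 2408 section 3.16). Both payloads share the four-octet generic payload header (Next Payload, RESERVED, Payload Length). The function names, the `MARKERS` mapping and the sample payload chain are constructed for the example; the marker strings "SPKI" and "OpenPGP1" are the generic values Will mentions, used here as raw bytes rather than the hashed vendor string RFC 2408 recommends, because that is what the post describes. The parser checks every length field against the bytes actually present, which is the check a real implementation needs before trusting a peer's payload chain; a Vendor ID is only an unauthenticated capability hint, so the result is a set of "types the peer claims to support", nothing more.

```python
"""Encode and parse ISAKMP Certificate Request and Vendor ID payloads (RFC 2408).

Added example for the ipsec list thread on SPKI certificates in ISAKMP.
All function names and sample data are constructed for this example.
"""
import struct
from typing import Dict, List, Set

# Payload type codes from RFC 2408 section 3.1 (only the ones used here).
PAYLOAD_NONE = 0      # terminates the payload chain
PAYLOAD_CERTREQ = 7   # Certificate Request payload (CR)
PAYLOAD_VID = 13      # Vendor ID payload (VID)

# Certificate type codes from RFC 2408 section 3.9 (the table in the thread).
CERT_TYPES: Dict[int, str] = {
    0: "NONE",
    1: "PKCS #7 wrapped X.509 certificate",
    2: "PGP Certificate",
    3: "DNS Signed Key",
    4: "X.509 Certificate - Signature",
    5: "X.509 Certificate - Key Exchange",
    6: "Kerberos Tokens",
    7: "Certificate Revocation List (CRL)",
    8: "Authority Revocation List (ARL)",
    9: "SPKI Certificate",
    10: "X.509 Certificate - Attribute",
}

# Generic payload header: Next Payload (1), RESERVED (1), Payload Length (2),
# network byte order. Payload Length includes these four octets.
GENERIC_HDR = struct.Struct("!BBH")


def _payload(next_payload: int, body: bytes) -> bytes:
    """Prefix a payload body with the generic header."""
    length = GENERIC_HDR.size + len(body)
    if length > 0xFFFF:
        raise ValueError("payload too long for the 16-bit length field")
    return GENERIC_HDR.pack(next_payload, 0, length) + body


def build_certreq(next_payload: int, cert_type: int, ca: bytes = b"") -> bytes:
    """Certificate Request payload: one type octet, then an optional CA encoding."""
    if cert_type not in CERT_TYPES:
        raise ValueError(f"certificate type {cert_type} is reserved")
    return _payload(next_payload, bytes([cert_type]) + ca)


def build_vid(next_payload: int, vendor_id: bytes) -> bytes:
    """Vendor ID payload: the generic header followed by the opaque vendor ID."""
    return _payload(next_payload, vendor_id)


def parse_payloads(first_type: int, data: bytes) -> List[dict]:
    """Walk a payload chain, validating each length field against the buffer."""
    payloads: List[dict] = []
    ptype, offset = first_type, 0
    while ptype != PAYLOAD_NONE:
        if len(data) - offset < GENERIC_HDR.size:
            raise ValueError(f"truncated payload header at offset {offset}")
        next_type, _reserved, length = GENERIC_HDR.unpack_from(data, offset)
        if length < GENERIC_HDR.size or offset + length > len(data):
            raise ValueError(f"bad payload length {length} at offset {offset}")
        body = data[offset + GENERIC_HDR.size:offset + length]
        entry = {"type": ptype, "raw": body}
        if ptype == PAYLOAD_CERTREQ:
            if not body:
                raise ValueError("CERTREQ payload lacks a certificate type octet")
            entry["cert_type"] = body[0]
            entry["cert_type_name"] = CERT_TYPES.get(body[0], "RESERVED")
            entry["ca"] = body[1:]
        elif ptype == PAYLOAD_VID:
            entry["vendor_id"] = body
        payloads.append(entry)
        offset += length
        ptype = next_type
    if offset != len(data):
        raise ValueError("trailing bytes after the last payload")
    return payloads


# Constructed marker table: a Vendor ID value -> the certificate type it hints at.
MARKERS: Dict[bytes, int] = {b"SPKI": 9, b"OpenPGP1": 2}


def claimed_cert_types(payloads: List[dict], markers: Dict[bytes, int]) -> Set[int]:
    """Will's workaround: collect the cert types a peer's Vendor IDs claim to support."""
    return {markers[p["vendor_id"]] for p in payloads
            if p["type"] == PAYLOAD_VID and p["vendor_id"] in markers}


# Constructed sample chain: VID("SPKI") -> VID("OpenPGP1") -> CERTREQ(SPKI) -> end.
SAMPLE_CHAIN = (
    build_vid(PAYLOAD_VID, b"SPKI")
    + build_vid(PAYLOAD_CERTREQ, b"OpenPGP1")
    + build_certreq(PAYLOAD_NONE, 9)
)

if __name__ == "__main__":
    parsed = parse_payloads(PAYLOAD_VID, SAMPLE_CHAIN)
    for p in parsed:
        print(p)
    print("peer claims certificate types:", claimed_cert_types(parsed, MARKERS))
```

The first payload's type is not carried in the chain itself but in the Next Payload octet of the ISAKMP header, which is why `parse_payloads` takes `first_type` separately. Rejecting a chain whose lengths do not add up exactly to the buffer is deliberate: silently accepting trailing or overlapping bytes is how payload parsers end up reading attacker-chosen lengths.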