RE: Work around using SPKI certificates instead of X509
Why wouldn't you use the Certificate Request Payload with type SPKI or PGP?
Certificate Type                        Value
---------------------------------------------
NONE                                        0
PKCS #7 wrapped X.509 certificate           1
PGP Certificate                             2
DNS Signed Key                              3
X.509 Certificate - Signature               4
X.509 Certificate - Key Exchange            5
Kerberos Tokens                             6
Certificate Revocation List (CRL)           7
Authority Revocation List (ARL)             8
SPKI Certificate                            9
X.509 Certificate - Attribute              10
RESERVED                             11 - 255
----
Greg Carter, Entrust Technologies
greg.carter@entrust.com
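As an added example (not code from this thread or from either poster), the following Python builds and parses an ISAKMP Certificate Request payload carrying the Cert Encoding byte from the table above, with SPKI = 9. The payload layout (generic header, one Cert Encoding byte, then the Certificate Authority field) follows RFC 2408 section 3.10; the authority value used below is constructed, and the parser refuses reserved encodings and length mismatches rather than trusting the peer.

```python
import struct
from typing import Tuple

# Certificate encoding values from the ISAKMP table above (RFC 2408, section 3.9).
CERT_ENCODINGS = {
    0: "NONE",
    1: "PKCS #7 wrapped X.509 certificate",
    2: "PGP Certificate",
    3: "DNS Signed Key",
    4: "X.509 Certificate - Signature",
    5: "X.509 Certificate - Key Exchange",
    6: "Kerberos Tokens",
    7: "Certificate Revocation List (CRL)",
    8: "Authority Revocation List (ARL)",
    9: "SPKI Certificate",
    10: "X.509 Certificate - Attribute",
}
SPKI = 9
PGP = 2

# Generic payload header: Next Payload (8 bits), RESERVED (8 bits), Payload Length (16 bits).
GENERIC_HEADER = struct.Struct("!BBH")


def build_cert_request(encoding: int, authority: bytes, next_payload: int = 0) -> bytes:
    """Build a Certificate Request payload (RFC 2408 section 3.10)."""
    if encoding not in CERT_ENCODINGS:
        raise ValueError(f"reserved certificate encoding {encoding}")
    length = GENERIC_HEADER.size + 1 + len(authority)  # length covers the header
    return GENERIC_HEADER.pack(next_payload, 0, length) + bytes([encoding]) + authority


def parse_cert_request(data: bytes) -> Tuple[int, str, bytes]:
    """Parse one Certificate Request payload, rejecting reserved encodings,
    a non-zero RESERVED byte and a declared length that disagrees with the buffer."""
    if len(data) < GENERIC_HEADER.size + 1:
        raise ValueError("truncated certificate request payload")
    _next_payload, reserved, length = GENERIC_HEADER.unpack_from(data)
    if reserved != 0:
        raise ValueError("RESERVED field must be zero")
    if length != len(data):
        raise ValueError(f"payload length {length} does not match {len(data)} bytes received")
    encoding = data[GENERIC_HEADER.size]
    name = CERT_ENCODINGS.get(encoding)
    if name is None:
        raise ValueError(f"reserved certificate encoding {encoding}")
    return encoding, name, data[GENERIC_HEADER.size + 1:]


if __name__ == "__main__":
    # Constructed authority value; a real peer would send an issuer name or key hash.
    payload = build_cert_request(SPKI, b"constructed-authority")
    print(parse_cert_request(payload))
```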
> ----------
> From: owner-ipsec@ex.tis.com[SMTP:owner-ipsec@ex.tis.com]
> Sent: Friday, November 20, 1998 2:51 PM
> To: owner-ipsec@tis.com
> Subject: BOUNCE ipsec@portal.ex.tis.com: Non-member submission
> from [Will Price <wprice@cyphers.net>]
>
> From: Will Price <wprice@cyphers.net>
> X-Mailer: Mozilla 4.5 (Macintosh; U; PPC)
> X-Accept-Language: en
> MIME-Version: 1.0
> To: SALLE Mathias <matsal@hplb.hpl.hp.com>
> CC: ipsec@tis.com
> Subject: Re: Work around using SPKI certificates instead of X509
> References: <3655A8F2.FE209139@hplb.hpl.hp.com>
> Content-Type: text/plain; charset=us-ascii
> Content-Transfer-Encoding: 7bit
>
>
> IKE is particularly brain dead with regards to certificate type
> negotiation (i.e. there is no certificate type negotiation).
>
> In the absence of such, I've been using the Vendor ID field with a
> generic value such as "SPKI" or "OpenPGP1" to get some idea of whether
> the remote system supports a particular certificate type. Since
> inclusion of multiple Vendor ID payloads is allowed, this is an
> adequate solution for now. This really needs to become an attribute
> in the IKE transform for the next version of IKE.
>
> - -Will
>
> SALLE Mathias wrote:
> >
> > hi,
> >
> > REFERENCE: ipsec drafts, SPKI drafts
> > PROBLEM:
> > Is it possible to use ISAKMP/Oakley to establish an SA and at the same
> > time exchange users' SPKI certificates, in the context of a Host to
> > Host mode?
> >
> > QUESTION:
> > Is there any workaround for using SPKI certificates instead of X509
> > certificates in ISAKMP?
> >
> > If not, would it be possible to use the Certificate Request Payload and
> > Certificate Payload to exchange SPKI certificates? Are there any drafts
> > on that?
> >
> > The Extended Authentication Within ISAKMP/Oakley draft
> > <draft-ietf-ipsec-isakmp-xauth-03.txt> describes different authentication
> > methods, but none of them are related to this problem.
> >
> > I will appreciate all your comments,
> >
> > thanks
> >
> > regards,
> >
> > mathias
> > --
> > ___________________________________________
> > Mathias SALLE
> > Networked Systems Dpt.
> > Hewlett-Packard Research Labs
> > Filton Road
> > Stoke Gifford
> > Bristol BS12 6QZ, UK
> >
> > E-mail: matsal@otter.hpl.hp.com
> > Tel : +44 (0)117 922 9753
> > ___________________________________________
>
> --
>
> Will Price, Architect/Sr. Mgr., PGP Client Products
> Total Network Security Division
> Network Associates, Inc.
> Direct (408)346-5906
> Cell/VM (650)533-0399
> <pgpfone://cast.cyphers.net>
>
> PGPkey: <http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0xCF73EC4C>
>