
IKE stuff, was Re: Agenda stuff



On Tue, 01 Dec 1998 16:13:03 PST I wrote
> 
>    1. What type of cert encoding is used in a cert request payload 
>       if you wish to obtain the peer's encryption certificate (assuming 
>       the peer has one signature only and one for encipherment only)? 
> 
> ISAKMP mentions "X.509 Certificate - Signature" and "X.509 Certificate -
> Key Exchange". Signature should be out of the question because if you have
> a cert restricted to signatures only that's not the one to request to 
> do encryption with. So is it "Key Exchange"? Is this merely a semantic
> problem in that that doesn't sound too informative?

This is a bit misleading, thanks to Steve Kent for pointing that out. There 
are actually two issues here and neither is really described by the above 
rambling.

  One issue is that ISAKMP should have "encoding types" to request X509
certificates for each type of certificate possible-- signature, 
keyEncipherment, dataEncipherment, did-I-miss-anything. The other is
which one do you use when doing IKE's "RSA encrypted nonce" authentication?

  I guess the former is not really an issue that needs much discussion.
It should be self-evident. The latter though can be contentious. In an
effort to jump-start some contention I'll state that it should be
"keyEncipherment" since the decrypted nonces are used to generate the
SKEYID state. 

  Dan.
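As an added example, not code from Dan's mail or from any IKE implementation: a small decoder for the X.509 keyUsage extension value (a DER BIT STRING) that maps the two ISAKMP X.509 certificate encodings onto the usage bit a peer's certificate must carry, following the argument above that the certificate used for RSA-encrypted-nonce authentication needs keyEncipherment. The encoding values (4 and 5) are taken from RFC 2408 section 3.9, and the sample extension values are constructed.

```python
# Constructed example: decide whether a certificate's keyUsage fits an ISAKMP
# certificate-request encoding. Not from the original mail or any IKE code.

# Bit positions from the X.509 KeyUsage definition (RFC 5280 section 4.2.1.3).
KEY_USAGE_BITS = (
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
)

# ISAKMP certificate encoding values (RFC 2408 section 3.9).
CERT_X509_SIGNATURE = 4      # "X.509 Certificate - Signature"
CERT_X509_KEY_EXCHANGE = 5   # "X.509 Certificate - Key Exchange"

# Usage bit each encoding demands: signature authentication needs a cert that may
# sign; RSA-encrypted-nonce authentication encrypts a nonce to the peer's public
# key, so that cert must carry keyEncipherment (the position argued in the mail).
REQUIRED_USAGE = {
    CERT_X509_SIGNATURE: "digitalSignature",
    CERT_X509_KEY_EXCHANGE: "keyEncipherment",
}

def decode_key_usage(der: bytes) -> set:
    """Return the set of keyUsage names asserted in a DER-encoded BIT STRING."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or truncated length")
    unused = der[2]                     # number of padding bits in the last byte
    if unused > 7:
        raise ValueError("invalid unused-bits count")
    body = der[3:]
    total_bits = len(body) * 8 - unused
    usages = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        if i >= total_bits:
            break
        if body[i // 8] & (0x80 >> (i % 8)):   # bit 0 is the MSB of byte 0
            usages.add(name)
    return usages

def satisfies_cert_request(der: bytes, encoding: int) -> bool:
    """True if a cert with this keyUsage answers a CERTREQ of the given encoding."""
    if encoding not in REQUIRED_USAGE:
        raise ValueError("encoding %d is not an X.509 certificate type" % encoding)
    return REQUIRED_USAGE[encoding] in decode_key_usage(der)

# Constructed keyUsage extension values (bare DER BIT STRINGs, no cert around them).
SIGN_ONLY = bytes.fromhex("03020780")      # digitalSignature only
ENCIPHER_ONLY = bytes.fromhex("03020520")  # keyEncipherment only
DUAL_USE = bytes.fromhex("030205a0")       # digitalSignature + keyEncipherment
```

A responder answering a "Key Exchange" CERTREQ would pick a certificate for which `satisfies_cert_request(der, CERT_X509_KEY_EXCHANGE)` is true; a signature-only certificate is rejected for that request and vice versa.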


