ISAKMP Query
We have a question regarding Section 3.10, p. 35 of RFC 2408. The text in
question reads:
    o Certificate Authority (variable length) - Contains an encoding of
      an acceptable certificate authority for the type of certificate
      requested. As an example, for an X.509 certificate this field
      would contain the Distinguished Name encoding of the Issuer Name
      of an X.509 certificate authority acceptable to the sender of
      this payload. This would be included to assist the responder in
      determining how much of the certificate chain would need to be
      sent in response to this request. If there is no specific
      certificate authority requested, this field SHOULD not be
      included.
What does "contain the Distinguished Name encoding of the Issuer Name of an
X.509 certificate authority" mean?
There is no definition of what the "Distinguished Name encoding" might be
in this or any of the other ISAKMP-related RFCs. RFC 2407 does give an
encoding for distinguished names, but only in the context of the ID
payload. Further, the cisco reference implementation seems to include the
entire certificate of the CA, using the encodings defined for a Certificate
Request. The discussion at PKI night at the Binghamton Bakeoff also pointed
to encoding the entire CA certificate into the payload and not less. But
the RFC does not say to use the CA's certificate.
What is the correct interpretation of this text?
Jesse Walker
Consulting Engineer
Shiva Corporation
28 Crosby Drive
Bedford, AM 01730-1437
voice: 781-687-1719
fax: 781-687-1828
e-mail: jwalker@shiva.com
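The two readings the message contrasts (a bare DER-encoded Issuer Name versus the CA's whole certificate in the Certificate Authority field) can be told apart on the wire, because an X.501 Name is a SEQUENCE whose first element is a SET, while a Certificate is a SEQUENCE whose first element is another SEQUENCE (tbsCertificate). The following is an added example written for this page, not code from the post, from Shiva, or from any reference implementation. It builds the RFC 2408 section 3.10 Certificate Request payload layout (Next Payload, RESERVED, Payload Length, Cert Encoding, Certificate Authority), with a hand-rolled DER encoder so it runs without dependencies; the CA name and OID table are constructed sample data, and the value 4 for "X.509 Certificate - Signature" is taken from the RFC's Cert Encoding table.

```python
import struct

# Cert Encoding value for "X.509 Certificate - Signature" (RFC 2408, Certificate payload)
CERT_ENC_X509_SIG = 4

# DER universal tags used below
TAG_OID, TAG_PRINTABLE, TAG_UTF8, TAG_SEQUENCE, TAG_SET = 0x06, 0x13, 0x0C, 0x30, 0x31

# DER-encoded attribute type OIDs: id-at-commonName (2.5.4.3) and id-at-organizationName (2.5.4.10)
OID_CN = b"\x06\x03\x55\x04\x03"
OID_O = b"\x06\x03\x55\x04\x0a"
OID_NAMES = {OID_CN: "CN", OID_O: "O"}  # constructed lookup table for this example


def der_tlv(tag, body):
    """Encode one DER TLV with a definite length (short form or 1-2 byte long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x10000:
        length = (b"\x81" + bytes([n])) if n < 0x100 else (b"\x82" + struct.pack(">H", n))
    else:
        raise ValueError("body too long for this encoder")
    return bytes([tag]) + length + body


def der_read(buf):
    """Read one DER TLV from the front of buf; return (tag, body, remaining bytes)."""
    if len(buf) < 2:
        raise ValueError("truncated TLV")
    tag, first = buf[0], buf[1]
    if first < 0x80:
        length, hdr = first, 2
    elif first in (0x81, 0x82):
        nbytes = first & 0x7F
        if len(buf) < 2 + nbytes:
            raise ValueError("truncated length")
        length, hdr = int.from_bytes(buf[2:2 + nbytes], "big"), 2 + nbytes
    else:
        raise ValueError("unsupported length form")
    end = hdr + length
    if end > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, buf[hdr:end], buf[end:]


def der_name(rdns):
    """Encode an X.501 Name: SEQUENCE OF (SET OF (SEQUENCE { type OID, value PrintableString }))."""
    sets = [der_tlv(TAG_SET, der_tlv(TAG_SEQUENCE, oid + der_tlv(TAG_PRINTABLE, text.encode("ascii"))))
            for oid, text in rdns]
    return der_tlv(TAG_SEQUENCE, b"".join(sets))


def decode_name(name_der):
    """Decode a DER Name into [(attr, value), ...]; raises ValueError on anything not Name-shaped."""
    tag, body, rest = der_read(name_der)
    if tag != TAG_SEQUENCE or rest:
        raise ValueError("not a single Name SEQUENCE")
    out = []
    while body:
        tag, rdn, body = der_read(body)
        if tag != TAG_SET:
            raise ValueError("RelativeDistinguishedName is not a SET")
        while rdn:
            tag, atv, rdn = der_read(rdn)
            if tag != TAG_SEQUENCE:
                raise ValueError("AttributeTypeAndValue is not a SEQUENCE")
            otag, oid_body, value_tlv = der_read(atv)
            vtag, value, trailing = der_read(value_tlv)
            if otag != TAG_OID or trailing or vtag not in (TAG_PRINTABLE, TAG_UTF8):
                raise ValueError("unsupported AttributeTypeAndValue")
            oid = der_tlv(TAG_OID, oid_body)
            out.append((OID_NAMES.get(oid, oid_body.hex()), value.decode("utf-8")))
    return out


def build_cert_request(cert_encoding, ca_field, next_payload=0):
    """Certificate Request payload: generic header (Next Payload, RESERVED, Length) + Cert Encoding + CA."""
    return struct.pack(">BBHB", next_payload, 0, 5 + len(ca_field), cert_encoding) + ca_field


def parse_cert_request(buf):
    """Parse one Certificate Request payload; Payload Length is checked against the buffer."""
    if len(buf) < 5:
        raise ValueError("payload shorter than its fixed header")
    next_payload, _reserved, length, cert_encoding = struct.unpack(">BBHB", buf[:5])
    if length < 5 or length > len(buf):
        raise ValueError("bad Payload Length")
    return {"next_payload": next_payload, "cert_encoding": cert_encoding, "ca": buf[5:length]}


def classify_ca_field(ca):
    """Which interpretation a received CA field matches: 'none', 'name', 'certificate' or 'unknown'."""
    if not ca:
        return "none"  # field absent: no specific CA requested
    try:
        tag, body, rest = der_read(ca)
        if tag != TAG_SEQUENCE or rest:
            return "unknown"
        if not body:
            return "name"  # empty Name (zero RDNs)
        inner_tag, _, _ = der_read(body)
    except ValueError:
        return "unknown"
    if inner_tag == TAG_SET:
        return "name"  # Name ::= SEQUENCE OF RelativeDistinguishedName (each a SET)
    if inner_tag == TAG_SEQUENCE:
        return "certificate"  # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
    return "unknown"


if __name__ == "__main__":
    ca_dn = der_name([(OID_CN, "Example CA"), (OID_O, "Example Org")])  # constructed sample CA name
    req = build_cert_request(CERT_ENC_X509_SIG, ca_dn)
    parsed = parse_cert_request(req)
    print(classify_ca_field(parsed["ca"]), decode_name(parsed["ca"]))
```

A receiver that accepts both forms gets the chain-selection hint either way: with a bare Name it compares the decoded issuer against the issuer fields of its own chain, and with a full certificate it first extracts that certificate's subject (not shown here) and then does the same comparison. Rejecting anything the parser cannot classify, and trusting Payload Length only after it has been checked against the actual buffer, keeps a malformed request from being read past its end.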