
RE: Questions on CERT payload



> ----------
> From: 	Kalyan Chakravarthy Bade[SMTP:kalyan@trinc.com]
> Sent: 	Thursday, January 28, 1999 8:38 AM
> To: 	ipsec@tis.com
> Subject: 	Questions on CERT payload 
> 
> Hi
> 
> Can anyone help me in clarifying some of the basic doubts
> in IKE (authentication with digital signatures).
> 
> 1. What is the format in which certificates are exchanged in
>     a bake-off?
> 
Hi,

Within IKE it is binary ASN.1 DER.  If you mean during the bakeoff event
when a vendor wants to get a certificate from a CA, then the certificate
request and response can be in any format (binary, base64, ASCII hex, etc.)
that the CA and vendor support.  The most common is base64; however, most
CAs will accept either in the request.

> 2. Can we assume that if the CERT payload is not sent,
>      the certificates are exchanged in an out-of-band mechanism
>      in a bake-off?
> 
If you don't request one in IKE (using the Cert Request payload) and the
peer doesn't request one, then yes.  Technically you don't NEED certificates
to do IKE signature mode.

> 3. If a chain of certificates is to be sent, will it come as
>     a single CERT payload or multiple CERT payloads? Is the
>     order of the chain fixed, or can the CERTs come in any order?
> 
As multiple CERT payloads, or if you request a single CERT payload with type
set to PKCS-7.  It would be best to program that they come in any order,
however that could be clarified in the future.
Bye
----
Greg Carter, Entrust Technologies
greg.carter@entrust.com
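An added example in Python (not from the list thread or any vendor's code) showing a receiver that walks an ISAKMP payload chain and pulls out every CERT payload without assuming any chain order, checking that each carries binary DER as the reply describes. It assumes the RFC 2408 payload type and certificate encoding values; the sample message bytes are constructed placeholders, not real certificates.

```python
import struct

# ISAKMP payload types (RFC 2408 section 3.1); values as published there
PAYLOAD_NONE, PAYLOAD_CERT, PAYLOAD_SIG = 0, 6, 9
# Certificate encoding byte at the start of a CERT payload (RFC 2408 section 3.9)
CERT_ENCODING = {1: "PKCS #7 wrapped X.509", 4: "X.509 Certificate - Signature",
                 7: "Certificate Revocation List"}

def walk_payloads(first_type, body):
    """Yield (type, data) for each payload in an ISAKMP payload chain.
    Generic header: next payload (1), reserved (1), length (2, incl. header)."""
    ptype, off = first_type, 0
    while ptype != PAYLOAD_NONE:
        if off + 4 > len(body):
            raise ValueError("truncated payload header at offset %d" % off)
        nxt, _reserved, length = struct.unpack_from("!BBH", body, off)
        if length < 4 or off + length > len(body):
            raise ValueError("bad payload length %d at offset %d" % (length, off))
        yield ptype, body[off + 4:off + length]
        off, ptype = off + length, nxt
    if off != len(body):
        raise ValueError("%d trailing bytes after last payload" % (len(body) - off))

def collect_certs(first_type, body):
    """Return [(encoding, der)] for every CERT payload, in wire order; the
    caller must not assume the chain arrives leaf-first.  Anything that is
    not a supported encoding or not binary DER is rejected."""
    certs = []
    for ptype, data in walk_payloads(first_type, body):
        if ptype != PAYLOAD_CERT:
            continue
        if len(data) < 2:
            raise ValueError("CERT payload too short")
        encoding, der = data[0], data[1:]
        if encoding not in CERT_ENCODING:
            raise ValueError("unsupported certificate encoding %d" % encoding)
        if der[0] != 0x30:  # DER SEQUENCE tag: base64/PEM text would fail here
            raise ValueError("CERT payload is not binary ASN.1 DER")
        certs.append((encoding, der))
    return certs

def cert_payload(next_type, encoding, der):
    """Build one CERT payload (generic header + encoding byte + data)."""
    return struct.pack("!BBH", next_type, 0, 5 + len(der)) + bytes([encoding]) + der

# Constructed sample: issuer cert first, then the leaf, then a SIG payload.
# The "certificates" are placeholder DER SEQUENCEs, not real X.509 data.
ISSUER, LEAF = b"\x30\x03\x02\x01\x02", b"\x30\x03\x02\x01\x01"
SAMPLE = (cert_payload(PAYLOAD_CERT, 4, ISSUER) + cert_payload(PAYLOAD_SIG, 4, LEAF)
          + struct.pack("!BBH", PAYLOAD_NONE, 0, 6) + b"\xaa\xbb")
```

Once the DER blobs are collected, chain building (matching each certificate's issuer to another's subject) is done on the decoded certificates, which is why wire order can be ignored.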