RE: Questions on CERT payload
> ----------
> From: Kalyan Chakravarthy Bade[SMTP:kalyan@trinc.com]
> Sent: Thursday, January 28, 1999 8:38 AM
> To: ipsec@tis.com
> Subject: Questions on CERT payload
>
> Hi
>
> Can anyone help me in clarifying some of the basic doubts
> in IKE (authentication with digital signatures).
>
> 1. What is the format in which certificates are exchanged in
> a bake-off?
>
Hi,
Within IKE it is binary ASN.1 DER. If you mean during the bakeoff event,
when a vendor wants to get a certificate from a CA, then the certificate
request and response can be in any format (binary, base-64, ASCII hex, etc.)
that the CA and vendor support. The most common is base-64; however, most
CAs will accept either in the request.
> 2. Can we assume that if the CERT payload is not sent,
> the certificates are exchanged in an out-of-band mechanism
> in a bake-off?
>
If you don't request one in IKE (using the Cert Request payload) and the
peer doesn't request one, then yes. Technically you don't NEED certificates
to do IKE signature mode.
> 3. If the chain of certificates is to be sent, will it come as
> a single CERT payload or multiple CERT payloads? Is the
> order of the chain fixed, or can the CERTs come in any order?
>
As multiple CERT payloads, or, if you request it, a single CERT payload with type
set to PKCS-7. It would be best to program so that they can come in any order;
however, that could be clarified in the future.
Bye
----
Greg Carter, Entrust Technologies
greg.carter@entrust.com
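As an added example (not from the original thread or from Entrust), here is a defensive parser for the ISAKMP/IKEv1 CERT payload as the reply describes it: binary DER data, possibly spread over several CERT payloads whose order cannot be relied on, or a single payload whose Cert Encoding is PKCS #7. The payload layout and type values are those of RFC 2408; the sample bytes are constructed and carry stand-in DER SEQUENCEs rather than real X.509 certificates.

```python
import struct
ISAKMP_CERT = 6       # Next Payload type of the Certificate payload (RFC 2408)
CERT_PKCS7_X509 = 1   # Cert Encoding: PKCS #7 wrapped X.509 certificate(s)
CERT_X509_SIG = 4     # Cert Encoding: X.509 Certificate - Signature

def der_length(data):
    """Total length (header + content) of the first DER element in data."""
    if len(data) < 2:
        raise ValueError("DER element too short")
    if data[1] < 0x80:                      # short-form length
        return 2 + data[1]
    n = data[1] & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("bad DER length octets")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def parse_payloads(first_type, buf):
    """Walk the generic ISAKMP payload chain, yielding (type, body)."""
    ptype, off = first_type, 0
    while ptype != 0:                       # Next Payload 0 = NONE ends the chain
        if len(buf) - off < 4:
            raise ValueError("truncated payload header")
        nxt, _reserved, plen = struct.unpack_from("!BBH", buf, off)
        if plen < 4 or off + plen > len(buf):   # never trust the wire length
            raise ValueError("payload length out of bounds")
        yield ptype, buf[off + 4:off + plen]
        ptype, off = nxt, off + plen

def collect_certs(first_type, buf):
    """Return [(encoding, der_bytes)] per CERT payload, in wire order (not path order)."""
    certs = []
    for ptype, body in parse_payloads(first_type, buf):
        if ptype != ISAKMP_CERT:
            continue
        if not body:
            raise ValueError("CERT payload lacks the Cert Encoding byte")
        enc, data = body[0], body[1:]
        if enc in (CERT_X509_SIG, CERT_PKCS7_X509):
            # Both are binary DER: one SEQUENCE (0x30) must span exactly the data.
            if not data or data[0] != 0x30 or der_length(data) != len(data):
                raise ValueError("CERT data is not a well-formed DER SEQUENCE")
        certs.append((enc, data))
    return certs

# Constructed sample: two CERT payloads carrying stand-in DER SEQUENCEs (not
# real X.509), CA cert first, then a dummy SIG payload (type 9) ending the chain.
SAMPLE = (b"\x06\x00\x00\x0a\x04" + b"\x30\x03\x02\x01\x01"   # CERT -> next CERT
          + b"\x09\x00\x00\x0a\x04" + b"\x30\x03\x02\x01\x02" # CERT -> next SIG
          + b"\x00\x00\x00\x08" + b"\x00" * 4)                # SIG  -> NONE
```

Real chain validation (ordering by issuer/subject, signature checks, CRLs) still has to happen after this step; the parser only guarantees that each CERT payload is bounded and DER-shaped before it is handed to an X.509 library.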