
Re: New IPSec Monitoring MIB draft



Tero Kivinen wrote in reply to John Shriver:
> > Now we come to another major issue.  There is no limit of one
> > Certificate Payload per SA.  You ROUTINELY will have a chain of
> > certificates.  But that's not possible with this MIB.  So, we need a
> > table for certs.
> 
> Yes, you can have multiple certificates, but at the end you only have
> ONE end user public key you use in the authentication, taken from the
> certificate. There isn't a reason to include the whole path, only the
> end user certificate used in the authentication is really interesting.

This last point isn't obvious to me. In view of the work on trust metrics
for certification paths, I imagine that examining the whole path might be
useful. Since the overall authentication relies upon the entire path, I'm
not sure why you would single out the terminal cert for inclusion in the MIB.

-Lewis   <pseudonym@acm.org>

