
Ike - Auth using digital signatures.

Hi 

We need some clarifications on IKE (authentication using
digital signatures).

Kivinen writes:
> That is true, but it doesn't matter. Extra certificates are cheap
> inside the ike messages, if they save one extra ldap search from the
> directory...

It means that if a CERT payload comes in the exchange at all, we are
just verifying the signature in the CERT payload. But don't we need to
verify the certificate by looking at the CRLs using some directory
service and finding out whether it is revoked or not?

Some more questions:

* When sending a CERT-REQ to the other peer, how do we decide which
  CA to send in the body of the CERT-REQ payload? I mean, the CA
  which is commonly trusted by both peers in a CA hierarchy.

* If the certificates are issued to the peers by two different CAs,
  how do we discover the path from our CA to the peer's CA? If the
  peers share the same CA, how do we know that? How do we know which
  CA is common to both peers in the hierarchy of CAs?
  How do we take care of cross-certified roots in path discovery?

* When the peer sends a CERT payload which consists of a chain, it
  consists of multiple CERT payloads in any order (i.e., it doesn't
  need to send the chain in a hierarchical fashion). In this case, how
  do we verify the chain?

* What does verification of a CERT chain mean anyway? The verification
  of the signature that is part of every certificate using the public
  key of the issuer?

-thanks
- ramana.
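Worked example, added here and not part of Ramana's mail or of any IKE implementation: a constructed chain check that takes CERT payloads in any order, walks from the peer's leaf certificate to a locally configured trust anchor, verifies each signature with the issuer's public key, and rejects serials listed in the issuer's CRL. The dict-shaped certificates, the toy RSA with tiny fixed primes and the names used are all assumptions so the logic runs offline; real IKE carries X.509 DER.

```python
import hashlib

# Toy RSA, only so the path-building logic below runs offline: public (n, e),
# private (n, d), tiny fixed primes supplied by the caller. Not secure.
def toy_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def _digest(cert, n):
    # Hash of the to-be-signed fields, reduced into the toy modulus.
    tbs = f"{cert['subject']}|{cert['issuer']}|{cert['serial']}|{cert['pub']}"
    return int.from_bytes(hashlib.sha256(tbs.encode()).digest(), "big") % n

def issue(subject, serial, pub, issuer, issuer_priv):
    # A "certificate" is a dict; the issuer signs its digest with its private key.
    cert = {"subject": subject, "issuer": issuer, "serial": serial, "pub": pub}
    n, d = issuer_priv
    cert["sig"] = pow(_digest(cert, n), d, n)
    return cert

def sig_ok(cert, issuer_pub):
    n, e = issuer_pub
    return pow(cert["sig"], e, n) == _digest(cert, n)

def verify_chain(leaf, payloads, trusted_roots, crls):
    """Order CERT payloads (received in any order) into a path from the peer's
    leaf to a trusted root, checking each signature with its issuer's key and
    each serial against that issuer's CRL; returns the ordered path.
    trusted_roots: {subject: pubkey} from local config, never from the peer.
    crls: {issuer: revoked serials}, assumed fetched and signature-checked."""
    by_subject = {c["subject"]: c for c in payloads}
    path, cert = [leaf], leaf
    for _ in range(len(payloads) + 1):          # bounded walk: a cycle cannot loop forever
        issuer = cert["issuer"]
        if issuer in trusted_roots:             # reached a locally trusted anchor
            issuer_pub, parent = trusted_roots[issuer], None
        elif issuer in by_subject:              # intermediate supplied by the peer
            parent = by_subject[issuer]
            issuer_pub = parent["pub"]
        else:
            raise ValueError(f"no path to a trusted root: unknown issuer {issuer!r}")
        if not sig_ok(cert, issuer_pub):
            raise ValueError(f"bad signature on {cert['subject']!r}")
        if cert["serial"] in crls.get(issuer, set()):
            raise ValueError(f"{cert['subject']!r} revoked by {issuer!r}")
        if parent is None:
            return path
        path.append(parent)
        cert = parent
    raise ValueError("no path to a trusted root (cycle among payloads)")
```

A self-signed certificate sent by the peer is never accepted as an anchor: unless its subject is in trusted_roots it only feeds the bounded walk, which then fails.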