IKE - Auth using digital signatures.
Hi
We need some clarifications in IKE (authentication using
digital signatures).
Kivinen writes :
> That is true, but it doesn't matter. Extra certificates are cheap
> inside the ike messages, if they save one extra ldap search from the
> directory...
It means that if at all a CERT payload comes in the exchange, we are
just verifying the signature in the CERT payload. But don't we need to
verify the certificate by looking at the CRLs using some directory
service and finding out whether it is revoked or not?
Some more questions :
* When sending a CERT-REQ to the other peer, how do we decide which
is the CA to send in the body of the CERT-REQ payload? That is, the
CA which is commonly trusted by both the peers in a CA hierarchy,
if the certificates are issued by two different CAs to the peers.
* How do we discover the path from our CA to the peer's CA? If the peers
share the same CA, how do we know that? How do we know which CA is common
to both the peers in the hierarchy of CAs?
How do we take care of cross-certified roots in path discovery?
* When the peer sends a CERT payload which consists of a chain, it consists
of multiple CERT payloads in any order (i.e., it doesn't need to send the
chain in a hierarchical fashion). In this case, how do we verify the chain?
* What does verification of a CERT chain mean anyway? The verification of
the signature that is part of every certificate using the public key of
the issuer?
-thanks
- ramana.
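The last three questions above (ordering a chain that arrives as CERT payloads in arbitrary order, what "verifying the chain" consists of, and checking a CRL before trusting a certificate) are illustrated by the following added example. It is not code from the original message or from any IKE implementation; it uses the Python `cryptography` package. The PKI (a "Root CA", a "Sub CA" and an end-entity "gateway-a"), the list of trust anchors and the CRL contents (a set of revoked serial numbers) are all constructed for the demo; in a real daemon the trust anchors come from local configuration and the CRL would be fetched from the directory.

```python
"""Chain building and verification for IKE CERT payloads (added example,
not from the original message). The PKI, the trust-anchor list and the
CRL contents are constructed for the demo."""
import datetime
import random

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def cn_of(cert):
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def is_ca(cert):
    return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca


def make_cert(subject_cn, subject_key, issuer_cn, issuer_key, ca):
    """Issue a minimal X.509 cert for subject_key, signed with issuer_key."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(_name(issuer_cn))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
        .sign(issuer_key, hashes.SHA256())
    )


def build_path(payloads, trust_anchors):
    """Order CERT payloads as end-entity -> ... -> trust anchor by matching each
    cert's issuer name to another cert's subject name. The order in which the
    peer sent the payloads does not matter."""
    leaves = [c for c in payloads if not is_ca(c)]
    if len(leaves) != 1:
        raise ValueError("expected exactly one end-entity certificate")
    by_subject = {c.subject: c for c in payloads}
    anchors = {c.subject: c for c in trust_anchors}
    path = [leaves[0]]
    while path[-1].issuer not in anchors:
        nxt = by_subject.get(path[-1].issuer)
        if nxt is None or nxt in path:  # missing link, or an issuer loop
            raise ValueError("no path to a trusted CA from %s" % cn_of(path[-1]))
        path.append(nxt)
    path.append(anchors[path[-1].issuer])
    return path


def verify_path(path, revoked_serials):
    """What 'verifying the chain' means here: every issuer is a CA, every
    signature checks under the issuer's public key, and no cert below the
    trust anchor is on the CRL (constructed as a set of revoked serials)."""
    for child, issuer in zip(path, path[1:]):
        if not is_ca(issuer):
            raise ValueError("%s is not a CA" % cn_of(issuer))
        issuer.public_key().verify(child.signature, child.tbs_certificate_bytes,
                                   ec.ECDSA(child.signature_hash_algorithm))
        if child.serial_number in revoked_serials:
            raise ValueError("%s is revoked" % cn_of(child))
    return [cn_of(c) for c in path]


def _pki(rogue_issuer_key=None):
    """Constructed three-level PKI; optionally sign Sub CA with a wrong key."""
    keys = {n: ec.generate_private_key(ec.SECP256R1())
            for n in ("Root CA", "Sub CA", "gateway-a")}
    root = make_cert("Root CA", keys["Root CA"], "Root CA", keys["Root CA"], True)
    sub = make_cert("Sub CA", keys["Sub CA"], "Root CA",
                    rogue_issuer_key or keys["Root CA"], True)
    leaf = make_cert("gateway-a", keys["gateway-a"], "Sub CA", keys["Sub CA"], False)
    return root, sub, leaf


def demo_ok():
    """Payloads arrive shuffled; the verified path is still leaf -> Sub CA -> Root CA."""
    root, sub, leaf = _pki()
    payloads = [root, sub, leaf]
    random.shuffle(payloads)
    return verify_path(build_path(payloads, [root]), revoked_serials=set())


def demo_revoked():
    """A CRL listing the end-entity serial must make verification fail."""
    root, sub, leaf = _pki()
    try:
        verify_path(build_path([leaf, root, sub], [root]), {leaf.serial_number})
    except ValueError as e:
        return str(e)
    return "accepted"


def demo_forged_issuer():
    """Sub CA names 'Root CA' as issuer but is signed by another key: name
    chaining looks fine, the signature check under Root CA's key does not."""
    root, sub, leaf = _pki(rogue_issuer_key=ec.generate_private_key(ec.SECP256R1()))
    try:
        verify_path(build_path([sub, leaf, root], [root]), set())
    except InvalidSignature:
        return "bad signature"
    return "accepted"
```

The path is built purely from issuer/subject name matching, so the peer's payload order is irrelevant, and a cross-certificate for a foreign root would simply be one more candidate in `by_subject` that lets the walk reach a locally configured anchor. A production check does more than this example: validity period, keyUsage/extendedKeyUsage and pathLen constraints, matching the end-entity certificate against the ID payload, and fetching the CRL from the distribution point or directory rather than using a local set.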