
Re: Questions about Certificates



At 16:31 8.2.1999 +0500, you wrote:
>Hi,
>
>I have some doubts as far as the handling of certificates is concerned.
>
>* If we support multiple certificates (issued by different CAs)
>and we get CERT-REQ payloads of all those CAs, is it necessary
>to send all the certificates or just one is sufficient? If one is
>sufficient, is it ok to send the reply to the first matching CA?
>
I suppose you're talking about X.509 certificates for authentication
here. For SPKI, things have to be handled differently.

Just send the first matching certificate.

>* If the responder to the CERT-REQ payloads sends out two CERT
>payloads issued by two different CAs and one of the certificates is
>invalid (certificate is expired ..) whereas the other one is a valid one,
>do we abort the connection as there is some error in the certificate
>or can we proceed with the valid certificate?
>
Proceed, but you should log the error.

>* If we get a CERT-REQ payload and we don't have a certificate issued
>by that particular CA, can we abort the connection or can we send some
>other certificate issued by a different CA?
>
If this happens for just one CERT-REQ, never mind.
The question is, what do we do if we can't answer any of the
requests at all? I'd send my default certificate. Maybe it'll work.
Maybe the other side trusts all certificates.

>* If we don't get a CERT-REQ payload at all in the IKE exchange and we
>support multiple certificates (issued by different CAs), can we send all
>the certificates issued by those CAs, or is it ok if we send one of the
>certificates? If one is ok, how do we select which of the certificates to
>send?
>
You may send as many certificates as you want. And you can implement this in
any way you want. Or avoid the decision: let the end user decide.

>* If we get a CERT-REQ payload with the certificate type as a CRL and we
>don't have a CRL on our side, can we abort the connection? Or do we have
>to send the CRL somehow (getting the CRL from the CA using LDAP)?
>
Just ignore the CERT-REQ.

>Thank U
>- Srinu
>

Jörn Sierwald
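The selection and acceptance policy given in the answers above, written out as an added example; this is not code from this thread or from any IKE implementation. The `LocalCert` and `CertReq` classes are constructed stand-ins for parsed CERT and CERT-REQ payloads (a real implementation would compare the issuer DN carried in the CERT-REQ's Certificate Authority field), and the function names, the `log` list and the sample certificates are my own.

```python
"""Responder-side CERT-REQ handling policy for IKE, as described in the reply:

- a CERT-REQ for a CRL we do not hold is ignored, not treated as fatal;
- among X.509 CERT-REQs, the first one naming a CA we hold a certificate
  from wins, and only that one certificate is sent;
- with no CERT-REQ at all, or none we can answer, the default certificate
  is sent;
- on the receiving side, an invalid certificate is logged and the exchange
  proceeds with the remaining valid one(s); only no valid certificate at
  all is fatal.

Added example; structures are constructed stand-ins, not a real payload parser.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Certificate encoding names as listed in the ISAKMP CERT/CERT-REQ payloads.
X509_SIG = "X.509 Certificate - Signature"
CRL = "Certificate Revocation List"


def utc(year: int, month: int, day: int) -> datetime:
    """Helper for building UTC timestamps in sample data."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass
class LocalCert:
    """A certificate we hold (or received): issuing CA, subject, expiry."""
    issuer: str
    subject: str
    not_after: datetime

    def is_valid(self, now: datetime) -> bool:
        # Only expiry is modelled here; a real check also verifies the
        # signature chain and revocation status.
        return now <= self.not_after


@dataclass
class CertReq:
    """A received CERT-REQ payload: certificate type plus the CA it names."""
    cert_type: str
    issuer: Optional[str] = None


def select_certs_to_send(local: List[LocalCert], reqs: List[CertReq],
                         default: LocalCert, log: List[str]) -> List[LocalCert]:
    """Return the list of certificates to put in CERT payloads."""
    x509_reqs = []
    for r in reqs:
        if r.cert_type == CRL:
            # We have no CRL to send; per the reply, just ignore the request.
            log.append(f"ignoring CERT-REQ for CRL from {r.issuer}")
        elif r.cert_type == X509_SIG:
            x509_reqs.append(r)
    # First CERT-REQ that matches one of our issuers decides; send just one cert.
    for r in x509_reqs:
        for cert in local:
            if cert.issuer == r.issuer:
                return [cert]
    if x509_reqs:
        log.append("no certificate matches any CERT-REQ; sending default")
    return [default]


def accept_peer_certs(received: List[LocalCert], now: datetime,
                      log: List[str]) -> List[LocalCert]:
    """Validate received CERT payloads; log bad ones, proceed with the valid ones."""
    valid = []
    for c in received:
        if c.is_valid(now):
            valid.append(c)
        else:
            log.append(f"certificate {c.subject} from {c.issuer} "
                       f"expired {c.not_after.date()}")
    if not valid:
        raise ValueError("no valid certificate received; aborting exchange")
    return valid


if __name__ == "__main__":
    # Constructed sample: we hold certs from CA-A and CA-B, peer asks for CA-B first.
    ours = [LocalCert("CA-A", "host1", utc(2000, 1, 1)),
            LocalCert("CA-B", "host1", utc(2000, 1, 1))]
    log: List[str] = []
    chosen = select_certs_to_send(
        ours, [CertReq(CRL, "CA-A"), CertReq(X509_SIG, "CA-B")], ours[0], log)
    print("sending:", [c.issuer for c in chosen], "log:", log)
```

The `log` argument is a plain list so the policy is easy to test; a daemon would route those messages to its normal audit log, which is what the reply asks for when an invalid certificate is skipped.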


