
Re: issues from the bakeoff



Dan Harkins wrote:
[snip]
>*) Certificate Requests
> 
>     - Is a NULL certificate request valid? What does it mean? Apparently it is valid
>       but there was discussion on what it meant. "Send me all your certs" seemed
>       to be the winner. The trust model for such behavior was not well explained
>       though. This is really an item for the WG to decide.

In sig mode, by the time the recipient receives this message, the recipient
already knows they are in sig mode and thus will need to send certificates.
Because a NULL CERTREQ must mean "send me all your certs" (and I believe this
is consistent with the ISAKMP spec),  I propose adding language to the 
spec like:

    A CERTREQ message with an empty payload conveys to the recipient that an
    entire certificate chain should be returned (optionally excluding the root,
    which must already be shared for authentication to succeed).  However, 
    absent knowledge that the recipient unambiguously knows which chain to
    use, the sender of the CERTREQ message SHOULD include a name in the
    CERTREQ message.  Absent other CERTREQ messages, the recipient of an
    empty CERTREQ message MUST respond with their entire certificate chain
    (again, optionally excluding the root).


> 
>     - If a certificate request is issued in the first message of Main Mode should
>       the peer respond back with his certs in the 2nd message and thereby break the
>       identity protection feature of Main Mode? The consensus was no. RFC2408 doesn't
>       seem to say that the certs have to be in the _next_ message only that they
>       have to be sent.

Agreed.

> 
>     - What is the order of certs in a chain and does it make any difference? The
>       consensus was that there is no order and it doesn't make any difference.

Agreed.


brian
briank@cs.stanford.edu      (play)
briank@network-alchemy.com  (work)
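
The responder behaviour proposed in the message above, sketched as an added example (not part of the original message and not taken from any IKE implementation): it parses Certificate Request payloads in the RFC 2408 layout, treats an empty CA field as "return the entire chain", and assembles the chain from an unordered set of certificates. Assumptions: certificates are constructed (subject, issuer) name pairs rather than real X.509 objects, CA names are plain strings rather than DER-encoded names, no signatures are checked, and the helper names and the rule that a named CA selects the first chain issued under it are hypothetical.

```python
import struct

CERT_X509_SIG = 4  # RFC 2408 certificate encoding value: X.509 Certificate - Signature

def make_certreq(ca_name=b"", cert_type=CERT_X509_SIG, next_payload=0):
    """Encode a Certificate Request payload: generic header, cert type, CA name."""
    return struct.pack("!BBHB", next_payload, 0, 5 + len(ca_name), cert_type) + ca_name

def parse_certreq(payload):
    """Return (cert_type, ca_name); ca_name is b"" for an empty CERTREQ."""
    if len(payload) < 5:
        raise ValueError("truncated CERTREQ")
    _next, _reserved, length, cert_type = struct.unpack("!BBHB", payload[:5])
    if length < 5 or length > len(payload):
        raise ValueError("payload length field out of range")
    return cert_type, payload[5:length]

def build_chain(certs, leaf):
    """Walk issuer links from the leaf upward; input order is irrelevant.
    certs: iterable of (subject, issuer) name pairs (constructed stand-ins)."""
    by_subject = {subject: issuer for subject, issuer in certs}
    chain, current = [], leaf
    while current in by_subject and current not in [s for s, _ in chain]:
        issuer = by_subject[current]
        chain.append((current, issuer))
        if issuer == current:        # self-signed root ends the walk
            break
        current = issuer
    return chain

def certs_to_send(certreqs, certs, leaves, include_root=False):
    """Pick the chain to return for the CERTREQ payloads received."""
    named = [ca for _type, ca in map(parse_certreq, certreqs) if ca]
    chains = [build_chain(certs, leaf) for leaf in leaves]
    if named:   # assumption: a named CA selects the first chain issued under it
        wanted = {ca.decode() for ca in named}
        chains = [c for c in chains if wanted & {issuer for _s, issuer in c}]
    if not chains:
        return []
    chain = chains[0]   # empty CERTREQ only: the default identity's entire chain
    return chain if include_root else [c for c in chain if c[0] != c[1]]

# Constructed sample data: two identities under two different roots.
CERTS = [("Root A", "Root A"), ("gw.example", "Sub CA A"), ("Sub CA A", "Root A"),
         ("gw-b.example", "Root B"), ("Root B", "Root B")]
LEAVES = ["gw.example", "gw-b.example"]
```

With two identities configured, the empty request can only fall back to a default chain, which is the ambiguity the proposed SHOULD on naming a CA is meant to avoid.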

