
Query on draft-ietf-ipsec-pki-req-03.txt



Gents,

The draft includes the following text in Section 2:
	IKE systems conforming to this profile MUST check the
	revocation status of any certificate on which they rely, using
	the algorithm described in the PKIX certificate profile. Thus,
	every conforming IKE system MUST have a method for
	receiving up-to-date revocation information for the certificates
	it is validating.
What do you intend this to mean in the remote access case? One normal
operational scenario will have the CRL distribution point the remote IPSec
host needs to validate the security gateway's certificate behind the
security gateway. In such a case, unless it has already obtained the CRL via
an alternate channel, the remote host will be unable to meet the above
requirement. Seemingly the best that it could be able to do is to establish
IKE and IPSec security associations, then attempt to obtain the CRL, and
then decide what to do on the basis of whether or not it could get the CRL
or the security gateway's cert gets validated. Maybe we need to require
implementations to send the latest CRL known to them during the IKE phase 1
negotiation?
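As an added illustration, not part of this message or of the draft, the following Python sketch models the decision order the message describes for a remote-access peer whose CRL distribution point sits behind the security gateway: use a fresh CRL already held from an alternate channel, otherwise try the distribution point before IKE completes, otherwise bring the SAs up and fetch the CRL through them, and treat "no usable CRL" as a failure to meet the MUST (so the SAs should be torn down). The certificate serials, the CRL contents, the URL and the fetch functions are constructed stand-ins, not real X.509 or IKE code.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional, Tuple

# Constructed stand-in for a CRL: the serials it lists as revoked and its
# nextUpdate time. A real CRL is a signed X.509 structure; only the two
# fields needed for the decision are modelled here.
@dataclass(frozen=True)
class Crl:
    revoked_serials: frozenset
    next_update: datetime

# Constructed stand-in for the gateway certificate: its serial and the
# cRLDistributionPoints URL the remote host would have to reach.
@dataclass(frozen=True)
class PeerCert:
    serial: int
    cdp_url: str

# A fetcher returns the CRL at a URL, or None if the URL is unreachable.
Fetcher = Callable[[str], Optional[Crl]]

def crl_is_fresh(crl: Crl, now: datetime) -> bool:
    # A CRL past its nextUpdate is not "up-to-date revocation information".
    return now < crl.next_update

def status_from_crl(serial: int, crl: Crl) -> str:
    return "revoked" if serial in crl.revoked_serials else "good"

def remote_access_revocation_check(
    cert: PeerCert,
    now: datetime,
    cached_crl: Optional[Crl],
    fetch_before_ike: Fetcher,
    fetch_after_tunnel: Fetcher,
) -> Tuple[str, str]:
    """Return (status, stage).

    status is "good", "revoked" or "unknown"; stage records where the
    answer came from. "unknown" means no fresh CRL could be obtained even
    through the tunnel, so the SAs brought up provisionally must be dropped.
    """
    # 1. A fresh CRL obtained earlier via an alternate channel settles the
    #    question before IKE phase 1 completes.
    if cached_crl is not None and crl_is_fresh(cached_crl, now):
        return status_from_crl(cert.serial, cached_crl), "cached-crl"

    # 2. Try the distribution point directly. For a CDP behind the gateway
    #    this fails because no SA exists yet.
    crl = fetch_before_ike(cert.cdp_url)
    if crl is not None and crl_is_fresh(crl, now):
        return status_from_crl(cert.serial, crl), "cdp-before-ike"

    # 3. Establish IKE and IPsec SAs provisionally, then fetch the CRL
    #    through the tunnel and decide afterwards.
    crl = fetch_after_tunnel(cert.cdp_url)
    if crl is None or not crl_is_fresh(crl, now):
        return "unknown", "cdp-after-tunnel"
    return status_from_crl(cert.serial, crl), "cdp-after-tunnel"

# Constructed scenario values (hypothetical URL, serials and times).
NOW = datetime(2000, 1, 1, tzinfo=timezone.utc)
GATEWAY_CERT = PeerCert(serial=0x1001, cdp_url="http://crl.corp.example.invalid/gw.crl")
CURRENT_CRL = Crl(revoked_serials=frozenset({0x2002}), next_update=NOW + timedelta(days=1))
STALE_CRL = Crl(revoked_serials=frozenset(), next_update=NOW - timedelta(days=1))
REVOKING_CRL = Crl(revoked_serials=frozenset({0x1001}), next_update=NOW + timedelta(days=1))

def unreachable(url: str) -> Optional[Crl]:
    return None

def reachable(url: str) -> Optional[Crl]:
    return CURRENT_CRL

if __name__ == "__main__":
    # CDP behind the gateway, no cached CRL: decision only after the tunnel is up.
    print(remote_access_revocation_check(GATEWAY_CERT, NOW, None, unreachable, reachable))
    # Stale cached CRL and CDP unreachable both ways: the MUST cannot be met.
    print(remote_access_revocation_check(GATEWAY_CERT, NOW, STALE_CRL, unreachable, unreachable))
```

The model makes the ordering explicit: only the cached-CRL path satisfies the draft's MUST before the gateway's certificate is relied upon; the post-tunnel path relies on the certificate first and validates it second, which is exactly the gap the message raises.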


