[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CRLs

To: Greg Carter <greg.carter@entrust.com>
Subject: CRLs
From: Tero Kivinen <kivinen@ssh.fi>
Date: Wed, 27 Oct 1999 17:18:45 +0300 (EET DST)
Cc: "'Paul Hoffman'" <paul.hoffman@vpnc.org>, ipsec@lists.tislabs.com
In-Reply-To: <01E1D01C12D7D211AFC70090273D20B10197D780@sothmxs06.entrust.com>
Organization: SSH Communications Security Oy
References: <01E1D01C12D7D211AFC70090273D20B10197D780@sothmxs06.entrust.com>
Sender: owner-ipsec@lists.tislabs.com

Greg Carter writes:
> So don't send it unless asked, if asked the above covers how. If they ask
> then they can process, so there shouldn't be interop problems.  If they ask

If they cannot process CRLs inside the IKE then the implementation is
broken, and does not follow the ISAKMP RFC. The ISAKMP RFC says very
clearly that certificate payload MUST be accepted at any point during
an exchange. The implementation can throw the CRL it received away,
but it must be able to receive certificate payloads anywhere.
-- 
kivinen@iki.fi                               Work : +358-9-4354 3218
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/

References:

CRLs

From: Greg Carter <greg.carter@entrust.com>

Prev by Date: Re: Comments on CRACK
Next by Date: RE: Comments on CRACK
Prev by thread: Re: CRLs
Next by thread: Re:-ipsec-pki-req-03 - intro
Index(es):
- Main
- Thread