
Re:-ipsec-pki-req-03 - certificate validity



At 3:10 PM -0700 10/27/99, Paul Hoffman wrote:
>At 12:20 PM 10/27/99 +0200, Rodney Thayer wrote:
>>The original intent of this section was to require validity,
>>which we all agree we should worry about, as opposed to CRL's,
>>which many people don't use.  When the document was converted
>>to PKIX compatibility (such as it is) this mutated into a CRL
>>requirement.
>
>This is an interesting place to diverge from PKIX if this group wants to.
>We can define validity to mean "a chain to a trusted root" *without*
>checking for revocation. It would simplify a great deal in implementations,
>but it would also expose IKE systems to attacks they aren't susceptible to
>if they check revocation often.
>
>Personally, I think we should leave these two linked.

Not only would this diverge from PKIX, but also from X.509, the NIST work
for US Government profiles, and essentially all other standards that
discuss what it means to validate a cert chain.  I strongly suggest that we
NOT try to redefine what it means to validate a cert chain path in the
IPsec context!  If one wants to provide an out so that an IPsec peer may
choose to operate with a cert chain that has not been checked wrt
revocation, I suggest that we provide some local, configurable means of
doing so, but don't fiddle with the fundamental definitions.

Steve
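An added example, not part of this message or of the draft under discussion: what the split Steve suggests looks like in code, using Go's standard crypto/x509 package (Go 1.19 or later). Path building to a trusted root is left exactly as the library's X.509/PKIX validation defines it; the revocation check sits behind a separate, locally configured policy, and when that policy requires the check but no current CRL from the issuer is at hand the peer is rejected rather than silently accepted. The root CA, the peer names, the serial numbers and the CRL are all constructed in memory for the demonstration, and PeerPolicy, ValidatePeerCert and BuildDemoPKI are names made up for it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var ErrRevoked = errors.New("certificate is revoked")
var ErrNoCRL = errors.New("no current CRL signed by the issuer")

// PeerPolicy is the hypothetical local, configurable knob: path validation to a
// trusted root always happens; checking revocation on top is an operator decision.
type PeerPolicy struct {
	RequireRevocationCheck bool
}

// ValidatePeerCert builds and validates a path from cert to one of roots using
// x509.Certificate.Verify (which does not consult CRLs). Only if the policy asks for
// it, each cert below the trust anchor is then checked against a CRL signed by its
// issuer; when no current CRL is available the check fails closed with ErrNoCRL.
func ValidatePeerCert(cert *x509.Certificate, roots *x509.CertPool, crls []*x509.RevocationList, pol PeerPolicy, now time.Time) error {
	chains, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return fmt.Errorf("path validation: %w", err)
	}
	if !pol.RequireRevocationCheck {
		return nil // the "chain to a trusted root" definition, nothing more
	}
	chain := chains[0] // leaf first, trust anchor last
	for i := 0; i+1 < len(chain); i++ {
		if err := checkCRL(chain[i], chain[i+1], crls, now); err != nil {
			return fmt.Errorf("%s: %w", chain[i].Subject.CommonName, err)
		}
	}
	return nil
}

// checkCRL uses the first CRL that issuer really signed and that is not past its
// NextUpdate, and reports ErrRevoked if subject's serial number is listed in it.
func checkCRL(subject, issuer *x509.Certificate, crls []*x509.RevocationList, now time.Time) error {
	for _, crl := range crls {
		if crl.CheckSignatureFrom(issuer) != nil || now.After(crl.NextUpdate) {
			continue // not this issuer's, bad signature, or stale
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(subject.SerialNumber) == 0 {
				return ErrRevoked
			}
		}
		return nil
	}
	return ErrNoCRL
}

// must panics on error; acceptable when building the throwaway demo PKI below.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildDemoPKI constructs, in memory and for this example only, a root CA, two
// peer certificates (made-up names and serials) and a CRL revoking the second.
func BuildDemoPKI(now time.Time) (roots *x509.CertPool, good, revoked *x509.Certificate, crls []*x509.RevocationList) {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example IPsec Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))))
	var peers [2]*x509.Certificate
	for i, cn := range []string{"gw-a.example.net", "gw-b.example.net"} {
		key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		tmpl := &x509.Certificate{SerialNumber: big.NewInt(int64(i + 2)), Subject: pkix.Name{CommonName: cn},
			NotBefore: rootTmpl.NotBefore, NotAfter: rootTmpl.NotAfter, KeyUsage: x509.KeyUsageDigitalSignature}
		peers[i] = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, root, &key.PublicKey, rootKey))))
	}
	good, revoked = peers[0], peers[1]
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          now,
		NextUpdate:          now.Add(12 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: now}},
	}, root, rootKey))))
	roots = x509.NewCertPool()
	roots.AddCert(root)
	return roots, good, revoked, []*x509.RevocationList{crl}
}
```

Calling ValidatePeerCert with RequireRevocationCheck set to false is the "chain to a trusted root" check Paul describes, and it accepts the revoked peer; with the flag set, the same call refuses that peer and also refuses to proceed when the only CRL is missing or past its NextUpdate. What changes between the two is only a local knob; the definition of a valid path is the library's X.509 one in both cases. The CRL lookup here is deliberately minimal (one full CRL per issuer, matched by signature) and does not cover delta CRLs, distribution points or indirect CRLs.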

