
Re: PGP keys in IKE



Will Price writes:
> * It is recommended that a Certificate Request payload be sent with
> the PGP identifier so as to make sure there is no confusion over
> certificate types.  With the imminent advent of DNS keys in IKE and
> some people using X.509 now, I think this is going to be important
> for all implementations.

What are the contents of the certificate request, i.e. what does the
certificate authority field contain, and in what format? Empty?

> * The Phase 1 ID must be (regardless of whether you are using PGP or
> X.509 or ...) based from the certificate.  In the case of PGP, it
> must be the primary user ID.

What identity type are you using? ID_USER_FQDN? But that cannot
contain the comment field that is usually present in PGP keys
("Tero Kivinen <kivinen@ssh.fi>"); it can only contain
"kivinen@ssh.fi". Actually the definition in the DOI says
"fully-qualified username string", so I am not sure if it can contain
comment fields also...

Another possibility could be ID_KEY_ID with the binary key ID of the
PGP key.
-- 
kivinen@iki.fi                               Work : +358-9-4354 3218
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
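To make the two Phase 1 identity options discussed above concrete, here is an added example (not code from the thread or from any of the implementations mentioned) that encodes and parses an ISAKMP Identification payload using the RFC 2407 layout, reduces a PGP primary user ID to the bare address that ID_USER_FQDN can carry, and builds an ID_KEY_ID payload from a constructed 8-byte OpenPGP key ID. The key ID bytes and the helper names are assumptions for illustration.

```python
"""IKEv1 (ISAKMP) Identification payload: generic header followed by
ID type, protocol ID, port and identification data (RFC 2407, 4.6.2)."""
import struct

# ISAKMP DOI identification type values (RFC 2407, 4.6.2.1).
ID_FQDN = 2
ID_USER_FQDN = 3
ID_KEY_ID = 11


def build_id_payload(id_type: int, data: bytes, next_payload: int = 0) -> bytes:
    """Pack next-payload, reserved, length, ID type, protocol ID, port, data."""
    length = 8 + len(data)
    return struct.pack("!BBHBBH", next_payload, 0, length, id_type, 0, 0) + data


def parse_id_payload(buf: bytes):
    """Return (id_type, data); reject truncated or inconsistent payloads."""
    if len(buf) < 8:
        raise ValueError("payload shorter than fixed header")
    _next, _resv, length, id_type, _proto, _port = struct.unpack("!BBHBBH", buf[:8])
    if length != len(buf):
        raise ValueError("length field does not match payload size")
    return id_type, buf[8:]


def user_fqdn_for_pgp(primary_uid: str) -> bytes:
    """Reduce a PGP primary user ID such as 'Tero Kivinen <kivinen@ssh.fi>'
    to the bare user@host that ID_USER_FQDN can carry (the comment part
    cannot be expressed); refuse if no such address is present."""
    start, end = primary_uid.rfind("<"), primary_uid.rfind(">")
    addr = primary_uid[start + 1:end] if 0 <= start < end else primary_uid.strip()
    if "@" not in addr or any(c.isspace() for c in addr):
        raise ValueError("no usable user@host in PGP user ID")
    return addr.encode("ascii")


def key_id_payload(pgp_key_id: bytes) -> bytes:
    """ID_KEY_ID carrying the binary 64-bit OpenPGP key ID verbatim."""
    if len(pgp_key_id) != 8:
        raise ValueError("OpenPGP key ID is 8 bytes")
    return build_id_payload(ID_KEY_ID, pgp_key_id)


if __name__ == "__main__":
    # Constructed sample values, not a real key ID.
    uid_payload = build_id_payload(ID_USER_FQDN, user_fqdn_for_pgp("Tero Kivinen <kivinen@ssh.fi>"))
    print(parse_id_payload(uid_payload))
    print(parse_id_payload(key_id_payload(bytes.fromhex("0011223344556677"))))
```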

