[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Request for Clarification of Usage of Certificate Request Payload to Maximimze Interoperability

To: ipsec@lists.tislabs.com
Subject: Request for Clarification of Usage of Certificate Request Payload to Maximimze Interoperability
From: Allen_Rochkind@3com.com
Date: Tue, 25 Jan 2000 20:52:37 -0800
Sender: owner-ipsec@lists.tislabs.com



At the recent VPN bakeoff, several vendors REQUIRED the peer to send a
Certificate Request payload during the IKE main mode exchange (using signature
authentication) in order for their system to send the peer its certificate (i.e.
no Certificate Request payload received results in no certificate being sent
back to the peer in the final main mode exchange).  Looking at the ISAKMP spec
(Section 3.10) it appears that only one Certificate Authority DER encoded
distinguished name (for X.509 certificate type) can appear in the certificate
request payload.  Normally if the 2 systems in the exchange were in the same
security domain governed by a single root CA, one peer would put the
distinguished name of that CA's certificate subject in the payload and the other
system would then choose to send back a chain of certs rooted on that CA.
However, in the case of extranet interaction in which it is possible that a
given system might interact with several different security domains (each with
its own CA) it is unclear what certificate authority distinguished name should
be put in the certificate request payload.  E.g. it may be possible that the
local system trusts several different roots to handle the diversity of different
extranet security domains it wants to deal with.  In any given IKE exchange it
would not know in advance which certificate authority it should ask in the
certificate payload to be the root of the returned certificate requested unless
there is some elaborate policy mapping between identities and trusted root CAs
at the other end.

To maximize interoperability, should one send multiple certificate requests,
each corresponding to a CA that is trusted, and hope that the responder will
find in one of the certificate request payloads the distinguished name for the
root certificate that its end entity certificate is based on?  Alternatively
ISAKMP says, "If there is no specific certificate authority requested, this
field [the Certificate Authority field] SHOULD not be included."  Then would it
be safer to ensure interoperability to simply send one certificate request
always with no "Certificate Authority" field entered in the certificate request
payload?  If that is so, what good does sending a certificate request payload
do?  What is the practice of the various vendors that send certificate request
payloads or expect other vendors to send them in order to send back their own
certificate chains in the IKE exchange?

I would thank you for any clarification of this matter.

Follow-Ups:

Re: Request for Clarification of Usage of Certificate Request Payload to Maximimze Interoperability

From: Jan Vilhuber <vilhuber@cisco.com>

Prev by Date: Re: IPsec/IKE testing at Connectathon?
Next by Date: Re: Request for Clarification of Usage of Certificate Request Payload to Maximimze Interoperability
Prev by thread: Connected Notify
Next by thread: Re: Request for Clarification of Usage of Certificate Request Payload to Maximimze Interoperability
Index(es):
- Main
- Thread