[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Request for Clarification of Usage of Certificate Request Payload to Maximimze Interoperability

To: Jan Vilhuber <vilhuber@cisco.com>
Subject: Re: Request for Clarification of Usage of Certificate Request Payload to Maximimze Interoperability
From: Michael Thomas <mat@cisco.com>
Date: Wed, 26 Jan 2000 08:06:07 -0800 (PST)
Cc: Allen_Rochkind@3com.com, ipsec@lists.tislabs.com
In-Reply-To: <Pine.SOL.3.96.1000125211312.19824B-100000@jvilhube-ss20.cisco.com>
References: <88256872.001A83D8.00@hqoutbound.ops.3com.com><Pine.SOL.3.96.1000125211312.19824B-100000@jvilhube-ss20.cisco.com>
Sender: owner-ipsec@lists.tislabs.com

Jan Vilhuber writes:
 > On Tue, 25 Jan 2000 Allen_Rochkind@3com.com wrote:
 > > 
 > > 
 > > At the recent VPN bakeoff, several vendors REQUIRED the peer to send a
 > > Certificate Request payload during the IKE main mode exchange (using
 > > signature authentication) in order for their system to send the peer its
 > > certificate (i.e.  no Certificate Request payload received results in no
 > > certificate being sent back to the peer in the final main mode exchange).
 > 
 > Makes sense to me. Certs can be large and I might have cached it the last
 > time I asked you. If I don't ask you to send me one, don't send it.

   Would this not potentially be a security hole on
   the side that didn't request the certificate? Say,
   the cert was password protected, or came from a
   smart card or something like that, the cached cert
   would be stale.

   I'm not necessarily disagreeing with the conclusion,
   except that maybe if it's allowed, that the potential
   holes should be pointed out.

 >      issues raised at VPN interoperability workshop, Dan Harkins
 >      <dharkins@network-alchemy.com>, Tue, 18 Jan 2000 16:05:44 -0800 (PST)
 > 
 >        * What does an empty cert request payload mean?
 > 
 >        "give me a cert; any cert".
 > 
 >      
 > Personally, I find that a bit hard to believe, since I might send you a
 > certificate from CA FOOBAR, which you've never heard of, so I'm not sure what
 > good an empty CERT_REQ will do you, but that was the consensus.
 > 
 > I guess if you are willing to send empty CERT_REQs you are implying that you
 > can handle EVERY possible known CA on the planet (and beyond!).

   One possible use is where the distinguished name
   and the signing CA are basically just for human
   consumption. Take for example two IP Phones which
   want to do end to end crypto, but where there isn't
   an agreed upon authority to name the phones or the
   user of the phone. The calling phone may want to
   say: "give me cert x, cert y, or if all else fails
   whatever you think is appropriate." In the latter
   case, the phone would display the "whatever"
   certificate to the user and they could make their
   own decision -- sort of a glorified caller ID.

		Mike

Follow-Ups:

Re: Request for Clarification of Usage of Certificate Request Payload to Maximimze Interoperability

From: Paul Hoffman <paul.hoffman@vpnc.org>

References:

Request for Clarification of Usage of Certificate Request Payload to Maximimze Interoperability

From: Allen_Rochkind@3com.com

Re: Request for Clarification of Usage of Certificate Request Payload to Maximimze Interoperability

From: Jan Vilhuber <vilhuber@cisco.com>

Prev by Date: Re: from Lotus Notes
Next by Date: IPsec & SNMP
Prev by thread: Re: Request for Clarification of Usage of Certificate Request Payload to Maximimze Interoperability
Next by thread: Re: Request for Clarification of Usage of Certificate Request Payload to Maximimze Interoperability
Index(es):
- Main
- Thread