Re: Request for Clarification of Usage of Certificate Request Payload to Maximize Interoperability
Jan Vilhuber writes:
> On Tue, 25 Jan 2000 Allen_Rochkind@3com.com wrote:
> >
> >
> > At the recent VPN bakeoff, several vendors REQUIRED the peer to send a
> > Certificate Request payload during the IKE main mode exchange (using
> > signature authentication) in order for their system to send the peer its
> > certificate (i.e. no Certificate Request payload received results in no
> > certificate being sent back to the peer in the final main mode exchange).
>
> Makes sense to me. Certs can be large and I might have cached it the last
> time I asked you. If I don't ask you to send me one, don't send it.
Would this not potentially be a security hole on
the side that didn't request the certificate? Say,
the cert was password protected, or came from a
smart card or something like that, the cached cert
would be stale.
I'm not necessarily disagreeing with the conclusion,
except that maybe if it's allowed, that the potential
holes should be pointed out.
> issues raised at VPN interoperability workshop, Dan Harkins
> <dharkins@network-alchemy.com>, Tue, 18 Jan 2000 16:05:44 -0800 (PST)
>
> * What does an empty cert request payload mean?
>
> "give me a cert; any cert".
>
>
> Personally, I find that a bit hard to believe, since I might send you a
> certificate from CA FOOBAR, which you've never heard of, so I'm not sure what
> good an empty CERT_REQ will do you, but that was the consensus.
>
> I guess if you are willing to send empty CERT_REQs you are implying that you
> can handle EVERY possible known CA on the planet (and beyond!).
One possible use is where the distinguished name
and the signing CA are basically just for human
consumption. Take for example two IP Phones which
want to do end to end crypto, but where there isn't
an agreed upon authority to name the phones or the
user of the phone. The calling phone may want to
say: "give me cert x, cert y, or if all else fails
whatever you think is appropriate." In the latter
case, the phone would display the "whatever"
certificate to the user and they could make their
own decision -- sort of a glorified caller ID.
Mike
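As an added illustration of the CERT_REQ semantics discussed in this thread (not code from the thread or from any implementation mentioned in it): a minimal parser for the ISAKMP Certificate Request payload defined in RFC 2408 section 3.10, plus a responder-side selection routine that reads an empty Certificate Authority field as "any cert" and sends nothing when no CERT_REQ was received, which is the bakeoff behaviour Allen describes. The CA names are constructed placeholders, not real DER-encoded distinguished names.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ISAKMP Certificate Request payload layout (RFC 2408 s3.10):
#   Next Payload (1) | RESERVED (1) | Payload Length (2) | Cert Encoding (1) | Certificate Authority (variable)
CERT_X509_SIG = 4        # Cert Encoding value "X.509 Certificate - Signature" (RFC 2408)
PAYLOAD_TYPE_CR = 7      # Next Payload value for a following Certificate Request payload (RFC 2408)


@dataclass
class CertRequest:
    encoding: int
    ca: bytes            # empty CA field == "give me a cert; any cert" (workshop consensus)


def build_cert_request(ca: bytes, last: bool, encoding: int = CERT_X509_SIG) -> bytes:
    """Encode one CERT_REQ; chain to another CERT_REQ unless it is the last one."""
    next_payload = 0 if last else PAYLOAD_TYPE_CR
    return struct.pack("!BBHB", next_payload, 0, 5 + len(ca), encoding) + ca


def parse_cert_requests(raw: bytes) -> List[CertRequest]:
    """Walk a chain of CERT_REQ payloads, validating each length against the buffer."""
    reqs, off = [], 0
    while True:
        next_payload, _, length, enc = struct.unpack_from("!BBHB", raw, off)
        if length < 5 or off + length > len(raw):
            raise ValueError("malformed CERT_REQ length")
        reqs.append(CertRequest(enc, raw[off + 5:off + length]))
        if next_payload == 0:
            return reqs
        off += length


def choose_certificate(reqs: List[CertRequest], local_certs: List[Tuple[bytes, str]]) -> Optional[str]:
    """local_certs is a list of (issuer CA name, certificate) the responder holds.
    Named CAs are honoured first; an empty CA request falls back to any cert;
    no request at all means no certificate is sent."""
    if not reqs:
        return None
    for r in reqs:
        if r.ca and r.encoding == CERT_X509_SIG:
            for issuer, cert in local_certs:
                if issuer == r.ca:
                    return cert
    if any(not r.ca for r in reqs) and local_certs:
        return local_certs[0][1]
    return None
```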