[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
IKE Public Key Encryption
Hello All,
I know this has been discussed, and I attempted to find the previous
discussion in the list archives - needless to say, I was unsuccessful.
--------------------------Question---------------------
In the third message of MM with Public key authentication
(non-revised shown - but same issue for both):
Initiator Responder
----------- -----------
HDR, SA -->
<-- HDR, SA
HDR, KE, [ HASH(1), ]
<IDi1_b>PubKey_r,
<Ni_b>PubKey_r -->
HDR, KE, <IDr1_b>PubKey_i,
<-- <Nr_b>PubKey_i
HDR*, HASH_I -->
<-- HDR*, HASH_R
My question is about the use of HASH(1):
"Where HASH(1) is the optional hash of the certificate which
contained Pubkey_r." <draft-ietf-ipsec-ike-01.txt>
Shouldn't the [ HASH(1), ] be required? The responder may need to
know which certificate/public key the initiator is using in the
event several certificates are assigned to the responder. In some
cases, if not included, wouldn't it pose a similar issue we see
with shared secret authentication? In shared secret the password
must be looked up by the initiator's IP address. Doesn't the same
"issue" apply for the responder to determine which public key to
use? I'm not insinuating that a public key is being used for each
individual initiator, for argument sake lets say different networks
have their own certificates. Nonetheless, how does the responder
determine which key to use if several are maintained?
I could provide some examples, but prefer to remain brief and I'm
assured that this is not a new question and has been answered in the
past - and with that note I do apologize for any repetition - and
please provide the subject of the elusive previous discussions.
Best regards,
Jim