CERT_REQ_PAYLOAD usage
Well, I thought I would start a thread on one issue that came up at the VPN Workshop, and that is the usage of the CERT_REQ_PAYLOAD or CRP.
RFC 2408 states:

    The Certificate Request Payload provides a means to request certificates
    via ISAKMP and can appear in any message. Certificate Request payloads
    SHOULD be included in an exchange whenever an appropriate directory
    service (e.g. Secure DNS [DNSSEC]) is not available to distribute
    certificates.

and

    If multiple certificates are required, then multiple Certificate Request
    payloads SHOULD be transmitted.
The behaviour I saw was one of the following.

1) Initiator sends one CRP per cert required, and responder replies with the appropriate certificates.
2) Initiator sends 1 CRP, and the responder sends all certs.
3) Initiator does not send a CRP, but wants all certs because RSA was negotiated.
I am sure there are others. I would like to recommend that option 1 is the best option, and the simplest. This has caused many interop issues, and the vague wording does not help. I would like to tighten up the rules if possible.
Comments?
Regards
Scott Fanning
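As an added example (not part of Scott's post or any IKE implementation), the Python below encodes and parses Certificate Request payloads using the RFC 2408 section 3.10 layout (generic header, Certificate Type, optional Certificate Authority) and implements option 1 on the responder side, answering each CRP with exactly one matching certificate. The certificate store, issuer names and the `responder_answer` helper are constructed for illustration.

```python
import struct
PAYLOAD_NONE, PAYLOAD_CERT_REQ = 0, 7  # payload types, RFC 2408 section 3.1

def build_cert_req(next_payload, cert_type, ca=b""):
    """One Certificate Request payload (RFC 2408 3.10): generic header, Certificate Type, optional CA."""
    body = bytes([cert_type]) + ca
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body

def parse_payloads(first_type, data):
    """Walk the ISAKMP payload chain into [(type, body), ...], rejecting lengths outside the buffer."""
    out, ptype, off = [], first_type, 0
    while ptype != PAYLOAD_NONE:
        if off + 4 > len(data):
            raise ValueError("truncated payload header")
        nxt, _reserved, length = struct.unpack("!BBH", data[off:off + 4])
        if length < 4 or off + length > len(data):
            raise ValueError("bad payload length %d" % length)
        out.append((ptype, data[off + 4:off + length]))
        ptype, off = nxt, off + length
    if off != len(data):
        raise ValueError("trailing bytes after last payload")
    return out

def select_certs(payloads, cert_store):
    """Option 1 from the post: one cert per CERT_REQ; an empty CA field accepts any issuer of that type."""
    chosen = []
    for ptype, body in payloads:
        if ptype != PAYLOAD_CERT_REQ:
            continue
        if not body:
            raise ValueError("CERT_REQ without Certificate Type")
        cert_type, ca = body[0], body[1:]
        for cert in cert_store:
            if cert["type"] == cert_type and ca in (b"", cert["issuer"]):
                chosen.append(cert["name"])
                break
    return chosen

# Constructed sample store: names and issuer strings are hypothetical
CERT_STORE = [
    {"name": "end-entity", "type": 4, "issuer": b"CN=Example Root"},   # 4 = X.509 Signature
    {"name": "other-ca-cert", "type": 4, "issuer": b"CN=Other CA"},
    {"name": "crl", "type": 7, "issuer": b"CN=Example Root"},          # 7 = CRL
]
# Constructed sample: two chained CRPs, a signature cert from a named CA, then any CRL
SAMPLE = build_cert_req(PAYLOAD_CERT_REQ, 4, b"CN=Example Root") + build_cert_req(PAYLOAD_NONE, 7)

def responder_answer(data=SAMPLE, first_type=PAYLOAD_CERT_REQ):
    return select_certs(parse_payloads(first_type, data), CERT_STORE)
```

The length checks in `parse_payloads` matter on the responder: a CRP whose Payload Length runs past the message is malformed and should be rejected, not read past the buffer.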