
CERT_REQ_PAYLOAD usage

Well, I thought I would start a thread on one issue that came up at the VPN Workshop, and that is the usage of the CERT_REQ_PAYLOAD or CRP.
 
RFC 2408 states:
 
   The Certificate Request Payload provides a means to request
   certificates via ISAKMP and can appear in any message.  Certificate
   Request payloads SHOULD be included in an exchange whenever an
   appropriate directory service (e.g.  Secure DNS [DNSSEC]) is not
   available to distribute certificates. 
 
and
 
   If multiple certificates are required,
   then multiple Certificate Request payloads SHOULD be transmitted.
 
The behaviour I saw was one of the following.
 
1) Initiator sends CRP per cert required, and responder replies with the appropriate certificates.
 
2) Initiator sends 1 CRP, and the responder sends all certs.
 
3) Initiator does not send CRP, but wants all certs because RSA was negotiated.
 
I am sure there are others. I would like to recommend that option 1 is the best option, and the simplest. This has caused many interop issues, and the vague wording does not help. I would like to tighten up the rules if possible.
 
Comments?
 
Regards
Scott Fanning
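As an added illustration of what option 1 looks like on the wire (this is example code written for this page, not something from the post or from any implementation discussed at the workshop): the encoder below emits one Certificate Request payload per required certificate, chained through the Next Payload field, and the decoder walks such a chain back while checking each Payload Length against the buffer. The layout follows RFC 2408 section 3.10 (generic header, then a one-byte Cert Type, then the Certificate Authority field); the payload type number 7 for CERT_REQ and the X.509 signature encoding value 4 are taken from RFC 2408, and the CA identifiers `CA-A` / `CA-B` are constructed placeholders standing in for the DER-encoded names a real peer would send.

```python
import struct

# ISAKMP payload type numbers (RFC 2408 section 3.1)
PAYLOAD_NONE = 0        # terminates a payload chain
PAYLOAD_CERT_REQ = 7    # Certificate Request payload

# Certificate encoding value shared by CERT and CERT_REQ (RFC 2408 section 3.9)
CERT_ENC_X509_SIG = 4

# Generic payload header: Next Payload (8), RESERVED (8), Payload Length (16)
GENERIC_HEADER = struct.Struct("!BBH")


def encode_cert_requests(cert_type, authorities, next_after_last=PAYLOAD_NONE):
    """Option 1 from the post: one CERT_REQ payload per required certificate.

    `authorities` is a list of Certificate Authority field values (opaque
    bytes here; constructed sample data). Each payload points at the next
    CERT_REQ, and the last one points at `next_after_last`.
    """
    out = bytearray()
    last = len(authorities) - 1
    for i, ca in enumerate(authorities):
        nxt = PAYLOAD_CERT_REQ if i < last else next_after_last
        length = GENERIC_HEADER.size + 1 + len(ca)   # header + Cert Type + CA
        out += GENERIC_HEADER.pack(nxt, 0, length)
        out += bytes([cert_type]) + ca
    return bytes(out)


def decode_cert_requests(buf):
    """Parse a chain of CERT_REQ payloads starting at offset 0.

    Returns (requests, next_payload, offset) where `requests` is a list of
    (cert_type, ca_bytes). Every Payload Length is validated before it is
    used so a short or oversized length cannot drive reads past the buffer.
    """
    requests = []
    offset = 0
    expected = PAYLOAD_CERT_REQ
    while expected == PAYLOAD_CERT_REQ:
        if len(buf) - offset < GENERIC_HEADER.size + 1:
            raise ValueError("truncated CERT_REQ payload at offset %d" % offset)
        nxt, reserved, length = GENERIC_HEADER.unpack_from(buf, offset)
        if reserved != 0:
            raise ValueError("RESERVED field must be zero")
        if length < GENERIC_HEADER.size + 1 or offset + length > len(buf):
            raise ValueError("bad CERT_REQ payload length %d" % length)
        cert_type = buf[offset + GENERIC_HEADER.size]
        ca = bytes(buf[offset + GENERIC_HEADER.size + 1: offset + length])
        requests.append((cert_type, ca))
        offset += length
        expected = nxt
    return requests, expected, offset


def roundtrip_option1():
    """Build the two-CA request an initiator would send under option 1 and
    decode it again; returns the decoded (cert_type, ca) list."""
    wire = encode_cert_requests(CERT_ENC_X509_SIG, [b"CA-A", b"CA-B"])
    requests, _, _ = decode_cert_requests(wire)
    return requests


if __name__ == "__main__":
    wire = encode_cert_requests(CERT_ENC_X509_SIG, [b"CA-A", b"CA-B"])
    print("option 1 wire bytes:", wire.hex())
    print("decoded:", decode_cert_requests(wire))
```

Under option 1 a responder simply answers each decoded (cert_type, ca) pair with the matching certificate; a single payload with an empty Certificate Authority field (the option 2 shape) round-trips through the same code but leaves the responder to guess which certificates are wanted, which is the ambiguity the post is objecting to.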