Well, I thought I would start a thread on one issue that came up at the
VPN Workshop, and that is the usage of the CERT_REQ_PAYLOAD or CRP.
RFC 2408 states:

    The Certificate Request Payload provides a means to request
    certificates via ISAKMP and can appear in any message. Certificate
    Request payloads SHOULD be included in an exchange whenever an
    appropriate directory service (e.g. Secure DNS [DNSSEC]) is not
    available to distribute certificates.

and

    If multiple certificates are required, then multiple Certificate
    Request payloads SHOULD be transmitted.
The behaviour I saw was one of the following.

1) Initiator sends one CRP per cert required, and the responder replies
   with the appropriate certificates.
2) Initiator sends 1 CRP, and the responder sends all certs.
3) Initiator does not send a CRP, but wants all certs because RSA was
   negotiated.
I am sure there are others. I would like to
recommend that option 1 is the best option, and the simplest. This has caused
many interop issues, and the vague wording does not help. I would like to
tighten up the rules if possible.
Comments?
Regards,
Scott Fanning
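The option 1 exchange described in the message above (one CRP per certificate wanted, one Certificate payload back per CRP), as an added example that is not part of the original message or of any implementation shown at the workshop. It is a small Python encoder/decoder for ISAKMP Certificate Request and Certificate payloads using the generic payload header and the payload type and Cert Encoding numbers from RFC 2408 (sections 3.1, 3.2, 3.9 and 3.10), plus a responder that walks the CRP chain and answers each one. The CA names and certificate bytes are constructed placeholders, not real DER, and the cert_store lookup keyed on (encoding, CA) is an assumption about how a responder would pick a certificate.

```python
import struct

# ISAKMP payload type numbers, RFC 2408 section 3.1 (Next Payload field).
PAYLOAD_NONE = 0
PAYLOAD_CERT = 6
PAYLOAD_CERT_REQ = 7

# Certificate Encoding values, RFC 2408 section 3.9.
CERT_ENC_X509_SIG = 4   # X.509 Certificate - Signature
CERT_ENC_X509_KE = 5    # X.509 Certificate - Key Exchange
CERT_ENC_CRL = 7        # Certificate Revocation List

# Generic payload header (RFC 2408 section 3.2): Next Payload, RESERVED, Payload Length.
GENERIC_HDR = struct.Struct("!BBH")


def build_payload(next_payload, body):
    """Prefix body with the generic header; Payload Length covers header and body."""
    return GENERIC_HDR.pack(next_payload, 0, GENERIC_HDR.size + len(body)) + body


def build_cert_request(next_payload, encoding, ca):
    """Certificate Request payload: 1-byte Cert Encoding, then the Certificate Authority field."""
    return build_payload(next_payload, bytes([encoding]) + ca)


def build_cert_request_chain(requests):
    """Option 1: one CRP per certificate wanted. requests is a list of (encoding, ca)."""
    out = b""
    for i, (encoding, ca) in enumerate(requests):
        last = i == len(requests) - 1
        out += build_cert_request(PAYLOAD_NONE if last else PAYLOAD_CERT_REQ, encoding, ca)
    return out


def parse_payload_chain(first_type, data):
    """Walk the generic headers. Returns [(payload_type, body), ...]; rejects bad lengths."""
    payloads, ptype, off = [], first_type, 0
    while ptype != PAYLOAD_NONE:
        if off + GENERIC_HDR.size > len(data):
            raise ValueError("truncated payload header at offset %d" % off)
        nxt, reserved, length = GENERIC_HDR.unpack_from(data, off)
        if reserved != 0:
            raise ValueError("RESERVED field must be zero")
        if length < GENERIC_HDR.size or off + length > len(data):
            raise ValueError("bad Payload Length %d at offset %d" % (length, off))
        payloads.append((ptype, data[off + GENERIC_HDR.size:off + length]))
        off, ptype = off + length, nxt
    if off != len(data):
        raise ValueError("%d trailing bytes after last payload" % (len(data) - off))
    return payloads


def parse_cert_request(body):
    """Split a CRP body into (encoding, ca)."""
    if not body:
        raise ValueError("Certificate Request payload has no Cert Encoding byte")
    return body[0], body[1:]


def answer_cert_requests(cert_store, crp_bytes):
    """Responder side of option 1: one Certificate payload per CRP received, in order.

    cert_store maps (encoding, ca) -> certificate bytes (assumed lookup scheme).
    A CRP that cannot be satisfied raises instead of being silently dropped.
    """
    requests = [parse_cert_request(body)
                for ptype, body in parse_payload_chain(PAYLOAD_CERT_REQ, crp_bytes)
                if ptype == PAYLOAD_CERT_REQ]
    certs = []
    for i, (encoding, ca) in enumerate(requests):
        if (encoding, ca) not in cert_store:
            raise ValueError("no certificate for encoding %d from CA %r" % (encoding, ca))
        last = i == len(requests) - 1
        # Certificate payload body: 1-byte Cert Encoding followed by the certificate data.
        body = bytes([encoding]) + cert_store[(encoding, ca)]
        certs.append(build_payload(PAYLOAD_NONE if last else PAYLOAD_CERT, body))
    return b"".join(certs)


# Constructed sample data (hypothetical; not real DER names or real certificates).
CA_SIG = b"CN=Example Signing CA"
CA_KE = b"CN=Example Key Exchange CA"
CERT_STORE = {
    (CERT_ENC_X509_SIG, CA_SIG): b"<signature cert bytes>",
    (CERT_ENC_X509_KE, CA_KE): b"<key exchange cert bytes>",
}


def demo():
    """Initiator sends two CRPs (option 1); responder returns two Certificate payloads."""
    crps = build_cert_request_chain([(CERT_ENC_X509_SIG, CA_SIG), (CERT_ENC_X509_KE, CA_KE)])
    certs = answer_cert_requests(CERT_STORE, crps)
    return parse_payload_chain(PAYLOAD_CERT, certs)


if __name__ == "__main__":
    for ptype, body in demo():
        print("payload type %d, encoding %d, %d bytes of cert" % (ptype, body[0], len(body) - 1))
```

The parser checks Payload Length against the remaining buffer and refuses trailing bytes, which is the check an ISAKMP implementation needs before trusting any length it reads off the wire; the responder deliberately errors on a CRP it cannot satisfy rather than guessing, which is the ambiguity options 2 and 3 leave open.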