RE: CERT_REQ_PAYLOAD usage



In my opinion, CRP provides a way to establish a trusted CA domain so that both the initiator and responder can understand they have the ability to validate the certificate sent over through the certificate payload. As the initiator, if it has multiple certificates issued by different CAs, it SHOULD send multiple CRPs which contain the different CA DNs. As a responder, when it receives the CRPs, it SHOULD check if it holds any certificate issued by those CAs, then it has the option to send the certificates which may be validated by the initiator. Otherwise, a certificate received in the certificate payload may not be validated because the other party doesn't have the right CA certificate.
 
Regards!
Kaijun
-----Original Message-----
From: Scott Fanning [mailto:sfanning@cisco.com]
Sent: Tuesday, September 26, 2000 10:49 AM
To: 'IPsec List'
Subject: CERT_REQ_PAYLOAD usage

 
Well, I thought I would start a thread on one issue that came up at the VPN Workshop, and that is the usage of the CERT_REQ_PAYLOAD or CRP.
 
RFC 2408 states
 
   The Certificate Request Payload provides a means to request
   certificates via ISAKMP and can appear in any message.  Certificate
   Request payloads SHOULD be included in an exchange whenever an
   appropriate directory service (e.g.  Secure DNS [DNSSEC]) is not
   available to distribute certificates. 
 
and
 
   If multiple certificates are required,
   then multiple Certificate Request payloads SHOULD be transmitted.

The behaviour I saw was one of the following.
 
1) Initiator sends CRP per cert required, and responder replies with the appropriate certificates.
 
2) Initiator sends 1 CRP, and the responder sends all certs.
 
3) Initiator does not send CRP, but wants all certs because RSA was negotiated.
 
I am sure there are others. I would like to recommend that option 1 is the best option, and the simplest. This has caused many interop issues, and the vague wording does not help. I would like to tighten up the rules if possible.
 
Comments?
 
Regards
Scott Fanning
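As an added illustration of the two behaviours discussed in this thread (option 1, one CRP per required certificate, and the responder-side check Kaijun describes), here is example code that is not part of either message or of any ISAKMP implementation. It packs and parses RFC 2408 Certificate Request payloads (generic header, Certificate Encoding byte, Certificate Authority field) and lets the responder offer only certificates issued by a requested CA. The CA field is carried as a plain text DN for readability; that, and the certificate records, are constructed assumptions.

```python
import struct

# ISAKMP constants from RFC 2408 (payload types and certificate encodings)
NEXT_PAYLOAD_NONE = 0
PAYLOAD_CR = 7            # Certificate Request payload
CERT_ENC_X509_SIG = 4     # "X.509 Certificate - Signature"

def build_crps(ca_dns, encoding=CERT_ENC_X509_SIG):
    """Option 1 from the thread: one CRP per trusted CA, chained via Next Payload.
    The CA field is a plain text DN here (an assumption; real stacks carry a DER DN)."""
    chunks = []
    for i, dn in enumerate(ca_dns):
        body = bytes([encoding]) + dn.encode("utf-8")
        nxt = PAYLOAD_CR if i < len(ca_dns) - 1 else NEXT_PAYLOAD_NONE
        # generic header: Next Payload, RESERVED, Payload Length (header included)
        chunks.append(struct.pack("!BBH", nxt, 0, 4 + len(body)) + body)
    return b"".join(chunks)

def parse_crps(data):
    """Walk a chain of CRPs; return [(encoding, ca_dn)]. Rejects malformed lengths."""
    reqs, off = [], 0
    while True:
        if off + 5 > len(data):
            raise ValueError("truncated Certificate Request payload")
        nxt, _reserved, length = struct.unpack_from("!BBH", data, off)
        if length < 5 or off + length > len(data):
            raise ValueError("bad Certificate Request payload length")
        reqs.append((data[off + 4], data[off + 5:off + length].decode("utf-8")))
        off += length
        if nxt == NEXT_PAYLOAD_NONE:
            return reqs
        if nxt != PAYLOAD_CR:
            raise ValueError("unexpected Next Payload %d after CRP" % nxt)

def select_certs(requests, held_certs):
    """Responder side: offer only certificates the initiator can validate,
    i.e. those issued by a CA named in a received CRP."""
    wanted = {ca for enc, ca in requests if enc == CERT_ENC_X509_SIG}
    return [c for c in held_certs if c["issuer"] in wanted]

# Constructed sample data (not from the thread)
HELD_CERTS = [
    {"subject": "CN=gw1,O=Example", "issuer": "CN=Example Root CA"},
    {"subject": "CN=gw1,O=Example", "issuer": "CN=Partner CA"},
    {"subject": "CN=gw1,O=Example", "issuer": "CN=Lab Test CA"},
]

def demo():
    """Initiator trusts two CAs; responder holds three certs and offers two."""
    wire = build_crps(["CN=Example Root CA", "CN=Partner CA"])
    return select_certs(parse_crps(wire), HELD_CERTS)
```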