
RE: CERT_REQ_PAYLOAD usage




Tero, good ideas, one issue though:

        4) When you receive certificate request you MUST send your own
        certificate for that CA.

Your own IPSec policy typically includes what roots to use or what certs to send - so you have to enforce that, regardless of what the peer sends you.  If the CRPs don't match the roots you are configured to use, then you are saying here you MUST fail.  And that means that the peer MUST send a correct CRP for the credential you have - which of course isn't always possible.


