[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: CERT_REQ_PAYLOAD usage

To: William Dixon <wdixon@Exchange.Microsoft.com>
Subject: RE: CERT_REQ_PAYLOAD usage
From: Jan Vilhuber <vilhuber@cisco.com>
Date: Tue, 26 Sep 2000 16:50:47 -0700 (PDT)
cc: Tero Kivinen <kivinen@ssh.fi>, Scott Fanning <sfanning@cisco.com>, IPsec List <ipsec@lists.tislabs.com>
In-Reply-To: <6A05D00595BE644E9F435BE5947423F2FFC60A@fifi.platinum.corp.microsoft.com>
Sender: owner-ipsec@lists.tislabs.com

On Tue, 26 Sep 2000, William Dixon wrote:

> Tero, good ideas, one issue though:
> 
> 	4) When you receive certificate request you MUST send your own
> 	certificate for that CA.
> 
> Your own IPSec policy typically includes what roots to use or what certs
> to send - so you have to enforce that, regardless of what the peer sends
> you.  If the CRP's don't match the roots you are configured to use, then
> you are saying here you MUST fail.  And that means that the peer MUST
> send a correct CRP for the credential you have - which of course isn't
> always possible.
> 
Not sure I follow that: Why is this not possible? Common sense tells me that
I should send a CRP for ALL roots I know about (or all roots that I'm allowed
to use by some obscure local policy, or whatever). If you answer with the
ones that YOU have, we've got a non-empty intersection. If there's no
overlap, then the intersection IS empty, and we must fail, because we don't
share a root.

Is there something I'm missing?

jan
 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847

References:

RE: CERT_REQ_PAYLOAD usage

From: "William Dixon" <wdixon@Exchange.Microsoft.com>

Prev by Date: RE: CERT_REQ_PAYLOAD usage
Next by Date: RE: CERT_REQ_PAYLOAD usage
Prev by thread: RE: CERT_REQ_PAYLOAD usage
Next by thread: RE: CERT_REQ_PAYLOAD usage
Index(es):
- Main
- Thread