[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: CERT_REQ_PAYLOAD usage
On Tue, 26 Sep 2000, William Dixon wrote:
> Tero, good ideas, one issue though:
>
> 4) When you receive certificate request you MUST send your own
> certificate for that CA.
>
> Your own IPSec policy typically includes what roots to use or what certs
> to send - so you have to enforce that, regardless of what the peer sends
> you. If the CRP's don't match the roots you are configured to use, then
> you are saying here you MUST fail. And that means that the peer MUST
> send a correct CRP for the credential you have - which of course isn't
> always possible.
>
Not sure I follow that: Why is this not possible? Common sense tells me that
I should send a CRP for ALL roots I know about (or all roots that I'm allowed
to use by some obscure local policy, or whatever). If you answer with the
ones that YOU have, we've got a non-empty intersection. If there's no
overlap, then the intersection IS empty, and we must fail, because we don't
share a root.
Is there something I'm missing?
jan
--
Jan Vilhuber vilhuber@cisco.com
Cisco Systems, San Jose (408) 527-0847
References: