
RE: CERT_REQ_PAYLOAD usage



William Dixon writes:
> 	4) When you receive certificate request you MUST send your own
> 	certificate for that CA.
> Your own IPSec policy typically includes what roots to use or what certs
> to send - so you have to enforce that, regardless of what the peer sends
> you.  If the CRP's don't match the roots you are configured to use, then
> you are saying here you MUST fail.

No, I didn't say you MUST fail. I said you MUST send your own
certificate for that CA. If you don't have a certificate for that CA,
then you just ignore the certificate request payload. If you ended up
ignoring all certificate request payloads (you don't have a certificate
for any of them), then you can just send all certificates you have, in
case that helps (most likely it does not, the authentication is going
to fail anyways).

> And that means that the peer MUST send a correct CRP for the
> credential you have - which of course isn't always possible.

The other end typically sends multiple certificate request payloads
and you typically only answer to ONE. In most cases you cannot answer
to all of them because your private key might be different for each
CA, so you cannot mix those certificates. 
-- 
kivinen@ssh.fi                               Work : +358 303 9870
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
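
The selection rule described in the message above, sketched as an added example; it is not part of the original message and not code from any IPsec toolkit. The `Credential` type, the function name, the sample CA names, answering the first matching request in the order received, and returning no key in the fallback case are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Credential:
    """One local identity (hypothetical type for this example)."""
    key_id: str     # label of the private key that would sign the exchange
    issuer_ca: str  # name of the CA that issued the certificate
    cert: str       # stand-in for the encoded certificate

def select_certificates(cert_requests, credentials):
    """Decide which certificates to send for the received certificate requests.

    cert_requests: CA names from the peer's certificate request payloads.
    Returns (certs_to_send, key_id); key_id is None when no request matched.
    """
    for ca in cert_requests:
        matching = [c for c in credentials if c.issuer_ca == ca]
        if not matching:
            continue  # no certificate for that CA: ignore this request payload
        # Answer only ONE request. Certificates issued under another CA may
        # belong to a different private key, so they are not mixed in.
        key_id = matching[0].key_id
        return [c.cert for c in matching if c.key_id == key_id], key_id
    # Every request was ignored: send all certificates in case that helps.
    # Authentication will most likely fail; which key signs is left to local
    # policy (assumption: signalled here by returning None).
    return [c.cert for c in credentials], None

# Constructed sample data, not taken from any real deployment.
SAMPLE_CREDENTIALS = [
    Credential("key-a", "CN=Example CA One", "cert-a"),
    Credential("key-b", "CN=Example CA Two", "cert-b"),
]

if __name__ == "__main__":
    requests = ["CN=Unknown CA", "CN=Example CA Two", "CN=Example CA One"]
    print(select_certificates(requests, SAMPLE_CREDENTIALS))
    print(select_certificates(["CN=Some Other CA"], SAMPLE_CREDENTIALS))
```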

