[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Aggressive/Base Mode Signature Queries

To: "Walker, Jesse" <jesse.walker@intel.com>
Subject: Aggressive/Base Mode Signature Queries
From: Tero Kivinen <kivinen@ssh.fi>
Date: Sat, 6 Jan 2001 23:42:55 +0200
Cc: ipsec@lists.tislabs.com
In-Reply-To: <10C8636AE359D4119118009027AE9987064C41AC@FMSMSX34>
Organization: SSH Communications Security Oy
References: <10C8636AE359D4119118009027AE9987064C41AC@FMSMSX34>
Sender: owner-ipsec@lists.tislabs.com

Walker, Jesse writes:
> (1)	HDR, SA, KE, Ni, IDii(A1), CertReq(C1) ---->
> (2)	<---- Hdr, SA, KE, Nr, IDrr(B1), Cert(B1,C1), Sig(B1), CertReq(C2)
> In the third message the protocol says you are supposed to send
> (3)	HDR, Sig(A2), Cert(A2,C2) ---->

No. You are supposed to send

(3) HDR, Sig(A1), Cert(A1,C1) ---->

The signature must be using the certificate that matches the identity
you already sent. If the responder does not trust the C1, then it will
reject the negotiation. If it trusts C1, then the negotiation will
succeed. 

If you selecteded wrong CA in the first place, then you need to use
main mode instead of aggressive mode. Aggressive mode does not offer
you an option to negotiate which CA to use.
-- 
kivinen@ssh.fi                               Work : +358 303 9870
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/

References:

Aggressive/Base Mode Signature Queries

From: "Walker, Jesse" <jesse.walker@intel.com>

Prev by Date: Aggressive/Base Mode Signature Queries
Next by Date: Re: Mobile IPv6 - IPsec interaction.
Prev by thread: Aggressive/Base Mode Signature Queries
Next by thread: RE: Aggressive/Base Mode Signature Queries
Index(es):
- Main
- Thread