
No Subject




>Walker, Jesse writes:
>> (1)    HDR, SA, KE, Ni, IDii(A1), CertReq(C1) ---->
>> (2)    <---- Hdr, SA, KE, Nr, IDrr(B1), Cert(B1,C1), Sig(B1), CertReq(C2)
>> In the third message the protocol says you are supposed to send
>> (3)    HDR, Sig(A2), Cert(A2,C2) ---->

>No. You are supposed to send

>(3) HDR, Sig(A1), Cert(A1,C1) ---->

I don't agree.  If message 2 contained a CertReq for C2 and you don't have
a cert signed by C2 that contains the ID A1, then you should send a Notify
containing INVALID-CERT-AUTHORITY error.

>Aggressive mode does not offer you an option to negotiate which CA to use.

I'm not sure how aggressive mode differs in the ability to negotiate a CA
from main mode.  I think what you are really referring to is the ID in this case
(which admittedly does impact which CertReq you might be able to honor). In
main mode you have the flexibility of sending a different ID.  In either
case though, "negotiation" of the CA was accomplished via CertReqs.


Dave Wierbowski
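As an added illustration (not part of this message or the thread), the following Python model shows the cert-selection step the mail argues about: in aggressive mode the initiator's ID is already committed in message 1, so the only usable cert is one binding that ID and signed by the CA named in the peer's CertReq, otherwise a Notify carrying INVALID-CERT-AUTHORITY is sent; in main mode the ID is not yet committed, so a different identity with a matching cert can be chosen. The certificate set, CA names and the dict-shaped return value are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Cert(A, C) in the thread's notation: a certificate binding identity A,
# signed by CA C.  Constructed model, not real X.509 handling.
@dataclass(frozen=True)
class Cert:
    subject_id: str   # A1, A2, ...
    issuer: str       # C1, C2, ...


def select_cert(certs: List[Cert], identity: str, requested_ca: str) -> Optional[Cert]:
    """Return the cert that binds `identity` and is signed by `requested_ca`, else None."""
    for c in certs:
        if c.subject_id == identity and c.issuer == requested_ca:
            return c
    return None


def choose_auth_payloads(mode: str, id_sent: str, certs: List[Cert],
                         cert_req: str) -> Dict[str, object]:
    """Decide what the initiator can honor for the peer's CertReq(cert_req).

    mode:    "aggressive" - IDii was already sent in message 1 and is fixed.
             "main"       - ID is not yet sent, so any identity we hold a
                            cert for under the requested CA may be used.
    id_sent: the identity the initiator intends (or already sent) to use.
    Returns {"id": A, "cert": Cert(A, C)} when a cert can be supplied, or
    {"notify": "INVALID-CERT-AUTHORITY"} when no cert satisfies the CertReq.
    """
    if mode == "aggressive":
        candidates = [id_sent]
    elif mode == "main":
        # Prefer the intended ID, then any other identity we hold certs for.
        others = sorted({c.subject_id for c in certs} - {id_sent})
        candidates = [id_sent] + others
    else:
        raise ValueError("unknown mode: %r" % mode)

    for ident in candidates:
        cert = select_cert(certs, ident, cert_req)
        if cert is not None:
            return {"id": ident, "cert": cert}
    return {"notify": "INVALID-CERT-AUTHORITY"}


# Constructed scenario: initiator holds certs for A1 (from C1) and A2 (from C2),
# sent IDii(A1) in message 1, and the responder asks for CertReq(C2).
INITIATOR_CERTS = [Cert("A1", "C1"), Cert("A2", "C2")]
```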