
RE: Aggressive/Base Mode Signature Queries



Mason, David writes:
> For certificate based exchanges, I have always believed that the certificate
> is the best identifier of the peer and that the phase 1 ID payload is
> generally superfluous dead weight. Although I could see that specifying
> different parts of the cert within the ID payload for different connection
> requirements could perhaps be used to indicate something useful.  

How do you find that certificate for the peer? The other end might
send multiple certificates, some of them might be useful, some of
them might not be useful. Some of them might be certificates for the
intermediate CAs etc. It is very easy to assume that the other end
only sends exactly one certificate that is their certificate, and then
you can remove the ID payload.

If you follow the RFCs then the other end can send multiple
certificates to you and then you do need the ID payload to verify
which certificate to use. Another option is that you take all
certificates sent by the other end and try to verify the signature
with each of them, but that is not a very efficient option...
-- 
kivinen@ssh.fi                               Work : +358 303 9870
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
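
The two options described in the message above, as an added example that is not part of the original message or of any toolkit's code: the ID payload selects one end-entity certificate out of several, while the fallback tries the signature against every certificate. The `Cert` model, the toy RSA keys, all function names and the certificate list are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
# ISAKMP ID types from the IPsec DOI (RFC 2407)
ID_IPV4_ADDR, ID_FQDN, ID_USER_FQDN, ID_DER_ASN1_DN = 1, 2, 3, 9

@dataclass(frozen=True)
class Cert:                    # simplified model of a parsed X.509 certificate
    subject: str               # subject DN, kept as a string in this model
    pub: tuple                 # (n, e) toy RSA public key
    is_ca: bool = False
    alt_names: tuple = ()      # (id_type, value) pairs from subjectAltName

def toy_keypair(a, b, e=65537):
    """Textbook RSA from Mersenne primes 2**a-1 and 2**b-1 (demo only, not secure)."""
    p, q = 2**a - 1, 2**b - 1
    return (p * q, e), pow(e, -1, (p - 1) * (q - 1))

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def verify(cert, msg, sig):
    n, e = cert.pub
    return sig < n and pow(sig, e, n) == digest(msg, n)

def select_by_id(certs, id_type, id_value):
    """Return the one end-entity cert named by the ID payload, else None."""
    def names(c):
        if id_type == ID_DER_ASN1_DN:
            return c.subject == id_value   # a real stack compares DER-encoded DNs
        return (id_type, id_value.lower()) in {(t, v.lower()) for t, v in c.alt_names}
    hits = [c for c in certs if not c.is_ca and names(c)]
    return hits[0] if len(hits) == 1 else None   # no match or ambiguous: reject

def try_all(certs, msg, sig):
    """Fallback without an ID payload: count signature checks until one passes."""
    for attempts, c in enumerate(certs, 1):
        if verify(c, msg, sig):
            return c, attempts
    return None, len(certs)

# Constructed contents of the peer's certificate payloads (not from a real exchange).
PEER_PUB, PEER_D = toy_keypair(61, 89)
CERTS = [
    Cert("CN=Example Intermediate CA", toy_keypair(107, 127)[0], is_ca=True),
    Cert("CN=gw-old.example.com", toy_keypair(89, 107)[0],
         alt_names=((ID_FQDN, "gw-old.example.com"),)),
    Cert("CN=gw.example.com", PEER_PUB, alt_names=((ID_FQDN, "gw.example.com"),)),
]
HASH_INPUT = b"constructed stand-in for the signed phase 1 hash"
SIG = pow(digest(HASH_INPUT, PEER_PUB[0]), PEER_D, PEER_PUB[0])  # peer signs
```

With the ID payload, `select_by_id(CERTS, ID_FQDN, "gw.example.com")` leads to a single signature check; `try_all` needs three checks on the same list, and its cost grows with every extra certificate the peer sends.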

