
Multiple certs in an IKE Certificate Payload

I'm looking for information on how to deal with multiple X.509 certificates in the PKCS#7-wrapped Certificate Payload in IKE (RFC 2408).

If the PKCS#7 data contains a single X.509 certificate, it is clear that this is the peer's certificate.  But if there are more than one, it is not clear which of them is the peer's certificate and which have been included for the certificate path.

There is no explicit ordering to the list of certs sent by the peer.  Is there a standard mechanism for selecting the peer's certificate?

It is possible that the peer's identity is only known by IP address at the time I get a Certificate Payload.  The only way to match a certificate with an IP address is with the X.509v3 Extended Attribute of SubjectAltName, with an IPAddress or DNSname component of the GeneralNames.  Should such a SubjectAltName be required in this case?

If there are any RFC/draft/memo references to which anyone could direct me that would be most helpful.

Thanks!!
----
Tom Porcher          |  porcher@tril-inc.com    voice: 978.371.3980 x108
Software Consultant  |  http://www.tril-inc.com   fax: 978.371.3990
Trilogy, Inc.  .:    |  Concord, Massachusetts, USA, Earth
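The selection problem the post raises (an unordered PKCS#7 bundle where one certificate is the peer's and the rest are path material) can be handled without relying on ordering: treat as candidates only the certificates that issue nothing else in the bundle and are not self-signed, require each candidate to chain to a locally trusted root, and then match the peer's IP address or DNS name against SubjectAltName. The following is an added example written for this post, not code from the original message or from any IKE implementation; it works on a hypothetical `CertInfo` record holding the subject, issuer and SubjectAltName values that a real implementation would extract from each DER certificate, and the sample bundle, names and addresses are constructed for illustration. It returns nothing unless exactly one certificate satisfies all three conditions, so an ambiguous bundle is rejected rather than guessed at.

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class CertInfo:
    """Hypothetical record of the fields a parser would pull from one X.509 cert."""
    subject: str
    issuer: str
    san_ips: tuple = ()   # IPAddress entries of the SubjectAltName GeneralNames
    san_dns: tuple = ()   # dNSName entries of the SubjectAltName GeneralNames

    @property
    def self_signed(self):
        return self.subject == self.issuer


def find_leaf_candidates(certs):
    """Certs that issue nothing else in the bundle and are not self-signed roots."""
    issuers = {c.issuer for c in certs if not c.self_signed}
    return [c for c in certs if c.subject not in issuers and not c.self_signed]


def build_chain(leaf, certs, trusted_roots):
    """Walk issuer links from the leaf until a trusted root name is reached.

    Returns the list [leaf, ..., last intermediate] or None if the walk dead-ends
    or loops (an untrusted self-signed cert in the bundle is a loop)."""
    by_subject = {c.subject: c for c in certs}
    chain, seen, current = [leaf], {leaf.subject}, leaf
    while True:
        if current.issuer in trusted_roots:
            return chain
        parent = by_subject.get(current.issuer)
        if parent is None or parent.subject in seen:
            return None
        chain.append(parent)
        seen.add(parent.subject)
        current = parent


def san_matches(cert, peer_ip=None, peer_dns=None):
    """True if the peer's IP or DNS name appears in the cert's SubjectAltName."""
    if peer_ip is not None:
        if ip_address(peer_ip) in {ip_address(i) for i in cert.san_ips}:
            return True
    if peer_dns is not None:
        if peer_dns.lower() in {d.lower() for d in cert.san_dns}:
            return True
    return False


def select_peer_cert(certs, trusted_roots, peer_ip=None, peer_dns=None):
    """Return (cert, chain) for the unique leaf that chains to a trusted root and
    names the peer in SubjectAltName; None if zero or several certs qualify."""
    matches = []
    for leaf in find_leaf_candidates(certs):
        chain = build_chain(leaf, certs, trusted_roots)
        if chain is not None and san_matches(leaf, peer_ip, peer_dns):
            matches.append((leaf, chain))
    return matches[0] if len(matches) == 1 else None


# Constructed sample bundle: root + intermediate included for the path, one leaf.
SAMPLE_BUNDLE = (
    CertInfo("CN=Example Root CA", "CN=Example Root CA"),
    CertInfo("CN=Example Sub CA", "CN=Example Root CA"),
    CertInfo("CN=gw1.example.net", "CN=Example Sub CA",
             san_ips=("192.0.2.10",), san_dns=("gw1.example.net",)),
)
TRUSTED_ROOTS = {"CN=Example Root CA"}

if __name__ == "__main__":
    found = select_peer_cert(SAMPLE_BUNDLE, TRUSTED_ROOTS, peer_ip="192.0.2.10")
    print("peer cert:", found[0].subject if found else None)
```

The trusted-root set is keyed by subject name only to keep the example short; a real check also verifies each signature along the chain, validity periods and any constraints, which the PKCS#7 bundle itself gives you no grounds to skip.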