
RE: Position of certificate payload in IKE Aggressive Mode as Initiator



One of the things I talked about in my improveike presentation was
simplifying parsing by restricting the messages in which certain payloads
can appear. I specifically mentioned certreq and vendorid, but I would
suggest that this be applied to the certificate payload as well.

Let me put it this way:

If you put the certificate in the 3rd message, EVERYONE will handle it.
If you put the certificate in the 1st message, many people WILL NOT handle
it, and even if they do, you are relying on mostly untested code.

Andrew
-------------------------------------------
Upon closer inspection, I saw that the line
dividing black from white was in fact a shade
of grey. As I drew nearer still, the grey area
grew larger. And then I was enlightened.


> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com
> [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of jyothi
> Sent: Thursday, August 09, 2001 12:42 PM
> To: ipsec@lists.tislabs.com
> Subject: Position of certificate payload in IKE Aggressive Mode as
> Initiator
>
>
> Hi,
>      Kindly clarify the following doubt.
>
>      Scenario : IKE Phase 1 Negotiation (Aggressive Mode) authenticated
> with signatures
>      As an Initiator, can the certificate payload be sent in the first
> message, or is it mandatory to be sent in the third message only? In the
> subsection Certificate Payload of section ISAKMP Payloads contained in
> RFC 2408, the following statement is present. "The Certificate Payload
> MUST be accepted at any point during an exchange". I understand from this
> statement that the responder has to accept the Certificate payload either
> in the first message or the third message, which in turn provides the
> base for the assumption that the initiator can send the certificate
> payload in the first msg or the third msg.
>
> thanks
> sankar
>
>
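The parsing restriction Andrew proposes above, worked through as an added example (not code from either poster or from any IKE implementation): the receiver walks the ISAKMP generic payload headers, then checks each payload type against a local table of the Aggressive Mode message numbers in which it is accepted. The payload type numbers and exchange type come from RFC 2408; the position table and the sample messages are constructed for the example, and the "CERT only in message 3" rule is a stricter local profile than the RFC's "MUST be accepted at any point".

```python
import struct

# ISAKMP payload type numbers and the Aggressive exchange type (RFC 2408 section 3.1).
SA, KE, ID, CERT, SIG, NONCE = 1, 4, 5, 6, 9, 10
AGGRESSIVE = 4

# Local profile implementing the suggestion in the thread: CERT is only accepted
# in message 3 of Aggressive Mode. RFC 2408 itself says the Certificate Payload
# MUST be accepted at any point, so this is a stricter implementation choice;
# CERTREQ and Vendor ID could be restricted the same way by extending the table.
AGGRESSIVE_POSITION = {CERT: {3}}  # payload type -> message numbers where accepted

def parse_payload_chain(msg):
    """Walk the ISAKMP generic payload headers; return (payload types in order, exchange type)."""
    if len(msg) < 28:
        raise ValueError("short ISAKMP header")
    next_payload, _ver, exch, _flags, _msg_id, length = struct.unpack("!BBBBII", msg[16:28])
    if length != len(msg):
        raise ValueError("header length does not match message size")
    types, off = [], 28
    while next_payload != 0:
        if off + 4 > len(msg):
            raise ValueError("truncated payload header")
        nxt, _reserved, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length")
        types.append(next_payload)
        next_payload, off = nxt, off + plen
    if off != len(msg):
        raise ValueError("trailing bytes after last payload")
    return types, exch

def misplaced_payloads(types, exch, msg_number):
    """Return the payload types that the profile does not allow in this message."""
    if exch != AGGRESSIVE:
        return []
    return [t for t in types if t in AGGRESSIVE_POSITION and msg_number not in AGGRESSIVE_POSITION[t]]

def build_message(exch, payloads):
    """Constructed sample data: assemble an ISAKMP message from (type, body) pairs."""
    body = b""
    for i, (_ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data
    first = payloads[0][0] if payloads else 0
    header = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, first, 0x10, exch, 0, 0, 28 + len(body))
    return header + body

# Constructed initiator messages: CERT in the first message (rejected by the profile)
# versus CERT in the third message (accepted).
FIRST = build_message(AGGRESSIVE, [(SA, b"\x00" * 8), (KE, b"\x01" * 16), (NONCE, b"\x02" * 8), (ID, b"\x03" * 4), (CERT, b"\x04" * 10)])
THIRD = build_message(AGGRESSIVE, [(CERT, b"\x04" * 10), (SIG, b"\x05" * 8)])
```

Calling `misplaced_payloads(*parse_payload_chain(FIRST), 1)` returns `[CERT]`, while the same call on `THIRD` with message number 3 returns an empty list.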


