
RE: IKE and certificate chains




Hello,

Yes, you are correct.  The single cert per payload seems to be the most used, at least when I was doing interop testing (a while back now).  The reason for this is that the PKCS#7 wrapping adds no new information, is only additional overhead and adds yet another format that the IPSEC device would need to understand.  PKCS#7 does not mandate any particular order of the certificate chain, so there is no advantage to using it.

Greg Carter
Entrust Technologies - http://www.entrust.com

-----Original Message-----
From: Eissa, Mohamed [mailto:mohamed.eissa@intel.com]
Sent: Friday, August 24, 2001 1:11 PM
To: ipsec@lists.tislabs.com
Subject: IKE and certificate chains


Hi,


Regarding the certificate chains within the IKE certificate payload, looks
like there are two ways to achieve this. First, the certificate encoding
field is set to "X509 Certificate" and multiple certificate payloads carry
the chain, one certificate per payload. Second, the certificate encoded
field is set to "PKCS#7 wrapper" and one payload will be used to carry the
whole chain.
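
The two ways of carrying a chain discussed in this thread, as an added example that is not part of the original messages: a receiver-side walk over ISAKMP payloads that collects Certificate payloads and reports which style was used. The payload type and Cert Encoding numbers are taken from RFC 2408; the function names and the placeholder certificate bytes are assumptions made for the illustration.

```python
import struct

CERT = 6                        # ISAKMP payload type: Certificate (RFC 2408)
ENC_PKCS7, ENC_X509_SIG = 1, 4  # Cert Encoding values (RFC 2408, section 3.9)


def cert_payloads(buf, first_type):
    """Walk a chain of ISAKMP payloads; return [(encoding, data)] per CERT."""
    found, off, ptype = [], 0, first_type
    while ptype != 0:                        # Next Payload 0 ends the chain
        if off + 4 > len(buf):
            raise ValueError("truncated generic payload header")
        nxt, _reserved, length = struct.unpack_from("!BBH", buf, off)
        # Payload Length covers the 4-octet generic header as well.
        if length < 4 or off + length > len(buf):
            raise ValueError("payload length out of bounds")
        if ptype == CERT:
            if length < 5:
                raise ValueError("CERT payload has no encoding octet")
            found.append((buf[off + 4], buf[off + 5:off + length]))
        off, ptype = off + length, nxt
    return found


def classify(certs):
    """Name which of the two chain styles from the thread is in use."""
    encodings = {enc for enc, _ in certs}
    if encodings == {ENC_X509_SIG}:
        return "x509-per-payload", len(certs)
    if encodings == {ENC_PKCS7} and len(certs) == 1:
        return "pkcs7-wrapper", 1
    return "other", len(certs)


def payload(next_type, body):
    """Build one payload: generic header plus body (sample data only)."""
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body


# Constructed samples: the certificate bytes are placeholders, not real DER.
CHAIN_A = (payload(CERT, bytes([ENC_X509_SIG]) + b"<leaf>")
           + payload(0, bytes([ENC_X509_SIG]) + b"<intermediate>"))
CHAIN_B = payload(0, bytes([ENC_PKCS7]) + b"<pkcs7 SignedData, both certs>")

if __name__ == "__main__":
    for name, msg in (("A", CHAIN_A), ("B", CHAIN_B)):
        print(name, classify(cert_payloads(msg, CERT)))
```

In both styles the receiver still has to order the certificates itself by matching issuer to subject before validating the path.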