
Re: Choosing between IKEv2 and JFK




		<SNIP>

>
>You don't cache the certificates, you cache the result of the verification of
>the certificates. If you received the same set of certificates as an hour ago
>(when you established the SA last), and you verified all the signatures then,
>you don't need to re-check the signatures. You need to verify the RSA signature
>on the message itself.

Angelos,

In many cases, caching validated certs is appropriate, because one 
may have an opportunity to reuse CA certs that were part of the cert 
path.

Steve
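
The two cache granularities discussed in this exchange, as an added example that is not part of the original thread: caching the result for an exact set of certificates versus caching each validated certificate so a shared CA cert is reused across peers. The toy RSA keys, the Cert stand-in and the PathVerifier and count_checks names are hypothetical and constructed for illustration; validity periods and revocation are not modelled, and the signature on the exchange message itself still has to be verified on every run.

```python
import hashlib
from dataclasses import dataclass

def keygen(p, q, e):                    # toy RSA from tiny constructed primes
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))      # (n, e, d)
def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

@dataclass(frozen=True)
class Cert:                             # constructed stand-in, not X.509
    subject: str
    pub: tuple                          # subject's (n, e)
    sig: int = 0                        # issuer's signature over tbs()
    def tbs(self):
        return f"{self.subject}|{self.pub}".encode()
    def fingerprint(self):
        return hashlib.sha256(self.tbs() + b"|%d" % self.sig).hexdigest()

def issue(subject, pub, issuer_key):
    n, _, d = issuer_key
    return Cert(subject, pub, pow(digest(Cert(subject, pub).tbs(), n), d, n))

class PathVerifier:
    def __init__(self, anchor_pub, per_cert):
        self.anchor_pub, self.per_cert = anchor_pub, per_cert
        self.cache, self.sig_checks = set(), 0

    def verify(self, chain):            # chain ordered anchor-side CA first
        chain_id = "chain:" + "+".join(c.fingerprint() for c in chain)
        if not self.per_cert and chain_id in self.cache:
            return True                 # identical cert set verified before
        issuer_pub = self.anchor_pub
        for cert in chain:
            if not (self.per_cert and cert.fingerprint() in self.cache):
                self.sig_checks += 1    # one public-key operation per cert
                n, e = issuer_pub
                if pow(cert.sig, e, n) != digest(cert.tbs(), n):
                    return False
                self.cache.add(cert.fingerprint())
            issuer_pub = cert.pub
        self.cache.add(chain_id)
        return True

def count_checks(per_cert):
    root, ca = keygen(61, 53, 17), keygen(89, 97, 5)
    ca_cert = issue("CA", ca[:2], root)
    a, b = issue("peer-a", (0, 0), ca), issue("peer-b", (0, 0), ca)
    v = PathVerifier(root[:2], per_cert)
    ok = [v.verify(c) for c in ([ca_cert, a], [ca_cert, a], [ca_cert, b])]
    return all(ok), v.sig_checks
```

count_checks(False) uses the per-chain cache and count_checks(True) the per-certificate cache; the second peer's path costs one fewer signature check in the latter because the CA cert is already validated.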