Re: Choosing between IKEv2 and JFK
Steve, yes -- I was simply pointing out that one can *also* cache the
result, to avoid re-verification.
-Angelos
In message <p0510031ab8ae9fd47c4b@[128.89.88.34]>, Stephen Kent writes:
>
> <SNIP>
>
>>
>>You don't cache the certificates, you cache the result of the verification of
>>the certificates. If you received the same set of certificates as an hour ago
>>(when you established the SA last), and you verified all the signatures then,
>>you don't need to re-check the signatures. You need to verify the RSA signature
>>on the message itself.
>
>Angelos,
>
>In many cases, caching validated certs is appropriate, because one
>may have an opportunity to reuse CA certs that were part of the cert
>path.
>
>Steve
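
The result caching discussed in this thread, as an added example that is not part of the original messages or of any IKEv2/JFK implementation: the outcome of certificate-path validation is cached under a digest of the exact certificate set, while the signature on each message is still checked every time. `ChainVerificationCache`, `authenticate_peer`, and the `verify_chain` / `verify_signature` callables are hypothetical names; `verify_chain` is assumed to return the earliest notAfter time (epoch seconds) of a valid path, or None.

```python
import hashlib
import time


class ChainVerificationCache:
    """Caches the *result* of certificate-path validation, not the certificates."""

    def __init__(self, verify_chain, max_age=3600, clock=time.time):
        self._verify_chain = verify_chain  # expensive path validation (assumed callable)
        self._max_age = max_age            # upper bound on how long a result is reused
        self._clock = clock
        self._entries = {}                 # chain digest -> time the cached result expires

    @staticmethod
    def chain_key(der_certs):
        # Length-prefix each certificate so [b"ab", b"c"] and [b"a", b"bc"] differ.
        h = hashlib.sha256()
        for der in der_certs:
            h.update(len(der).to_bytes(4, "big"))
            h.update(der)
        return h.digest()

    def chain_is_valid(self, der_certs):
        now = self._clock()
        key = self.chain_key(der_certs)
        expires = self._entries.get(key)
        if expires is not None and now < expires:
            return True                    # same certificate set, verified recently
        self._entries.pop(key, None)       # drop a stale entry before re-verifying
        not_after = self._verify_chain(der_certs)
        if not_after is None or not_after <= now:
            return False                   # failures are never cached
        # Never trust the cached result past the certificates' own validity.
        # A hit also skips any revocation check until the entry expires.
        self._entries[key] = min(now + self._max_age, not_after)
        return True


def authenticate_peer(cache, der_certs, message, signature, verify_signature):
    """Path validation may come from the cache; the message signature never does."""
    if not cache.chain_is_valid(der_certs):
        return False
    # der_certs[0] is assumed to be the peer's end-entity certificate.
    return verify_signature(der_certs[0], message, signature)
```
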