[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Adding revised identities to IKEv2

To: Paul Hoffman / VPNC <paul.hoffman@vpnc.org>
Subject: Re: Adding revised identities to IKEv2
From: Tero Kivinen <kivinen@ssh.fi>
Date: Wed, 13 Nov 2002 23:46:04 +0200
Cc: ipsec@lists.tislabs.com
In-Reply-To: <p05200f16b9f838ba6acf@[165.227.249.18]>
Organization: SSH Communications Security Oy
References: <p05200f06b9edf48ac57b@[165.227.249.18]><15825.25361.887103.61323@ryijy.hel.fi.ssh.com><p05200f16b9f838ba6acf@[165.227.249.18]>
Sender: owner-ipsec@lists.tislabs.com

Paul Hoffman / VPNC writes:
> >>        Certificate bundle                  2
> >>           A simple ASN.1 sequence of PKIX certificates. A bundle can have
> >>           end-entity certificates and/or certificates from a chain to a
> >>           root. The first certificate in the bundle is the sender's
> >>           preferred identity certificate, but beyond that there is no
> >>           meaning to the ordering.
> The reason I proposed two was that some gateways would only want the 
> certificate of the other party because they would do all the 
> additional validation themselves. If you just say "I want a cert 
> bundle", the other party will always need to send the whole chain.

True. Actually I think bundle should be defined not to include the
root, so in normal case bundle and single cert will be same.

Also I think the SGW will always be using the url version, as it can
find, load and cache all those certificates quite easily.

> Either format seems fine. Every time I propose wrapping ASN.1 objects 
> like PKIX certs in non-ASN.1 wrappers, I catch grief. Every time I 
> create a new ASN.1 structure, I catch grief.

I was just worried about creating new ASN.1 structure, and I think
creating non-ASN.1 wrapper is easier for most of the people (i.e if
the encoding is some standard ASN.1 encoding (pkcs7) then it is easier
to just give that whole stuff to certificate manager library, but if
you need to manually parse that ASN.1 before giving the certificates
to the certificate manager library then it is easier to use non ASN.1
encoding). 

> Probably disagree. If I have two certs for the same public key that 
> lead to different trust anchors, you wouldn't be able to tell which I 
> was proposing to you.

And what difference does it make? You are going to use the public key
to verify my signature and it really doesn't matter which certificate
you used.

> By using just the public key, you are forcing the receiving party to
> search all paths for certs that match the public key.

It needs to do the same thing anyway. It needs to find the path from
the certificate to the some trusted root, and it doesn't really matter
if it does that based on the public key instead of certificate.
-- 
kivinen@ssh.fi
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/

Follow-Ups:
- RE: Adding revised identities to IKEv2
  - From: "Max Pritikin" <pritikin@cisco.com>

References:
- Adding revised identities to IKEv2
  - From: Paul Hoffman / VPNC <paul.hoffman@vpnc.org>
- Re: Adding revised identities to IKEv2
  - From: Tero Kivinen <kivinen@ssh.fi>
- Re: Adding revised identities to IKEv2
  - From: Paul Hoffman / VPNC <paul.hoffman@vpnc.org>

Prev by Date: Re: Adding revised identities to IKEv2
Next by Date: RE: Suites vs a-la-carte
Prev by thread: Re: Adding revised identities to IKEv2
Next by thread: RE: Adding revised identities to IKEv2
Index(es):
- Date
- Thread