
Re: draft-ietf-ipsec-pki-profile-01.txt



Brian:

Ref: section 3.3.11.3

>If trust anchors can be self-signed, what is wrong with
>pointing this out?  IMHO it makes the example clearer,
>as I'm pointing out that CA3 may actually NOT be
>self-signed.

The document says:

    Imagine that an implementation has previously received and cached the
    peer certificate chain R->CA1->CA2->EE. If during a subsequent
    exchange this implementation sends a CERTREQ containing the Subject
    Name in certificate R, this implementation is requesting that the
    peer send at least 3 certificates: CA1, CA2, and EE. On the other
    hand, if this implementation also sends a CERTREQ containing the
    Subject Name of CA2, the implementation is providing a hint that only
    1 certificate needs to be sent: EE.

This is fine.  For some reason, I misread it, and thought that in the first 
case the certificate for R was being transmitted.  Upon rereading it, I see 
otherwise.  My objections dealt with the transmission of the certificate for R.

Sorry for the confusion,
   Russ
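
The CERTREQ hint rule in the quoted section of the draft, worked through as an added example; this is not code from the draft or from anyone in this thread. The chain is the quoted R->CA1->CA2->EE, the issuer names attached to it and the behaviour when no CERTREQ matches any cached certificate are assumptions of the example, not rules stated in the text.

```python
from typing import List, Sequence, Tuple

# Constructed sample data (not from the draft): a cached chain ordered from
# trust anchor to end entity, as (subject name, issuer name) pairs. The names
# R, CA1, CA2 and EE follow the quoted example; the issuer names are assumed.
CACHED_CHAIN: List[Tuple[str, str]] = [
    ("R", "R"),      # trust anchor, self-signed here (need not be in general)
    ("CA1", "R"),
    ("CA2", "CA1"),
    ("EE", "CA2"),
]


def chain_is_linked(chain: Sequence[Tuple[str, str]]) -> bool:
    """True if every certificate after the first is issued by its predecessor."""
    if not chain:
        return False
    for (subject, _), (_, issuer) in zip(chain, chain[1:]):
        if issuer != subject:
            return False
    return True


def certs_to_send(chain: Sequence[Tuple[str, str]],
                  certreq_subjects: Sequence[str]) -> List[str]:
    """Certificates the peer should send for the given CERTREQ hints.

    A CERTREQ carrying the Subject Name of a certificate in the chain tells the
    peer that the requester already holds that certificate, so only the
    certificates *below* it need to be sent. With several hints the deepest one
    wins, since it leaves the fewest certificates to transmit. The named
    certificate itself is never sent, so the anchor R never goes on the wire.
    Without any matching hint this example sends everything below the anchor
    (an assumption of this example; the quoted text does not cover that case).
    """
    if not chain_is_linked(chain):
        raise ValueError("chain is not a linked issuer/subject path")
    subjects = [subject for subject, _ in chain]
    deepest = 0  # index of the anchor: default when no hint matches
    for name in certreq_subjects:
        if name in subjects:
            deepest = max(deepest, subjects.index(name))
    return subjects[deepest + 1:]


if __name__ == "__main__":
    # The two cases from the quoted paragraph.
    print("CERTREQ R      ->", certs_to_send(CACHED_CHAIN, ["R"]))
    print("CERTREQ R, CA2 ->", certs_to_send(CACHED_CHAIN, ["R", "CA2"]))
```

Running it reproduces the two cases in the quoted paragraph: a CERTREQ naming R yields CA1, CA2 and EE; adding a CERTREQ naming CA2 reduces that to EE alone. In neither case is R itself transmitted, which is the point the exchange above settles.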