Re: The CR payload still
On 3/3/03 1:33 AM, "Pekka Riikonen" <priikone@iki.fi> wrote:
> Ted, to your call for people to write the text for their ideas, I shall
> reply to my own email with the text for this CERTREQ. :)
>
> It says,
>
> Empty (zero length) CA names MUST NOT be generated and SHOULD be
> ignored.
>
> should be removed and later to say something like this,
>
> If empty CERTREQ payload is received the sender indicates that it does
> not require any specific certificate or certificate chain, but it may
> accept any certificate. If so the processor SHOULD send its local
> certificate or certificate chain it is going to use in the negotiation.
> The sender of this payload will later decide whether it will trust the
> certificate (by perhaps prompting first a human operator).
>
> or something like that...
>
> Pekka
> ___________________________________________________________________________
> Pekka Riikonen | Email: priikone@iki.fi
> SSH Communications Security Corp. | http://iki.fi/priikone/
> Tel. +358 (0)40 580 6673 | Snellmanninkatu 34 A 15, 70100 Kuopio
> PGP KeyID A924ED4F: http://iki.fi/~priikone/pubkey.asc
Pekka,
I understand what you are advocating and I am sympathetic to
opportunistic IPsec, but I don't think the zero-length CERTREQ
payloads should be permitted in the non-opportunistic case
because they do not make sense in any other context.
- brian
briank@briank.com
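As an added example (not from the thread or from any IKE implementation), here is a small Python parser for a CERTREQ payload together with a selection function that implements both readings of an empty CA list discussed above: ignored unless the responder is in an opportunistic mode, where it means "send whatever certificate chain you have". It assumes the payload layout and CA encoding (SHA-1 hashes of CA keys) that RFC 7296 later specified rather than the CA names the quoted draft text refers to; the CA identifiers and local chain are constructed sample data.

```python
import hashlib
import struct

# Cert Encoding "X.509 Certificate - Signature" (RFC 7296, section 3.6).
X509_SIG = 4
# For that encoding the CA field is a concatenation of SHA-1 hashes of the
# trusted CAs' SubjectPublicKeyInfo, 20 bytes each (assumed layout).
CA_ID_LEN = 20

def parse_certreq(buf: bytes):
    """Parse one CERTREQ payload; returns (cert_encoding, [ca_hash, ...])."""
    if len(buf) < 5:
        raise ValueError("truncated CERTREQ")
    _next, _flags, length = struct.unpack("!BBH", buf[:4])
    if length < 5 or length > len(buf):
        raise ValueError("bad CERTREQ length")
    encoding, ca = buf[4], buf[5:length]
    if encoding == X509_SIG and len(ca) % CA_ID_LEN:
        raise ValueError("CA data is not a whole number of SHA-1 hashes")
    return encoding, [ca[i:i + CA_ID_LEN] for i in range(0, len(ca), CA_ID_LEN)]

def certs_to_send(ca_hashes, local_chain, opportunistic):
    """Pick which of our certificates (if any) answer the request.

    local_chain: list of (cert_name, issuer_ca_hash) pairs we could present.
    An empty CA list is ignored (nothing selected) under the draft wording,
    unless we run opportunistically, where it means 'send what you have'.
    """
    if not ca_hashes:
        return [name for name, _ in local_chain] if opportunistic else []
    wanted = set(ca_hashes)
    return [name for name, issuer in local_chain if issuer in wanted]

def build_certreq(ca_hashes, next_payload=0):
    """Encode a CERTREQ: generic header, encoding byte, concatenated CA hashes."""
    body = bytes([X509_SIG]) + b"".join(ca_hashes)
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body

# Constructed sample data: two fake CA identifiers and a two-cert local chain.
CA_A = hashlib.sha1(b"constructed CA A public key").digest()
CA_B = hashlib.sha1(b"constructed CA B public key").digest()
LOCAL_CHAIN = [("host-cert", CA_A), ("intermediate", CA_B)]

if __name__ == "__main__":
    _, cas = parse_certreq(build_certreq([CA_B]))
    print(certs_to_send(cas, LOCAL_CHAIN, opportunistic=False))  # ['intermediate']
    _, cas = parse_certreq(build_certreq([]))
    print(certs_to_send(cas, LOCAL_CHAIN, opportunistic=False))  # []
    print(certs_to_send(cas, LOCAL_CHAIN, opportunistic=True))   # both names
```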