
Re: The CR payload still
>>>>> "Charlie" == Charlie Kaufman <Charlie_Kaufman@notesdev.ibm.com> writes:
    Charlie> An empty CERTREQ payload is requesting any certificate or
    Charlie> certificate chain the other side has without giving any hints as
    Charlie> to what certificates are preferred.

    Charlie> A missing CERTREQ payload is requesting that the other side not
    Charlie> bother sending any certificates.

    Charlie> When would an IKE implementation want to express the second
    Charlie> request? I had assumed that if CERTREQ was missing that the

  1) when it isn't using certificates
  2) when it already has preconfigured the right things

    Charlie> If someone has a use for requesting no certificates, I think
    Charlie> this is a fine way to encode it. But I'm reluctant to add a
    Charlie> feature unless someone thinks they need it.

  Charlie, you seem to have fallen into the trap of making IKEv2 depend
way too heavily upon PKIX.

  There is significant deployment of RSA keys that does not use that stuff.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
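As an added illustration (not code from this thread or from any IKEv2 implementation), here is how a responder could keep the two cases Charlie describes apart while walking the payload chain: no CERTREQ at all versus a CERTREQ that carries no certification-authority hints. The generic payload header and the CERTREQ layout (payload type 38, one Cert Encoding byte, then 20-byte SHA-1 hashes of trusted CAs' SubjectPublicKeyInfo for X.509) follow RFC 7296; the "none"/"any" policy mapping is an assumption taken from the semantics quoted above, and the sample messages are constructed.

```python
# Added example: separating "missing CERTREQ" from "empty CERTREQ" in IKEv2.
# Payload framing per RFC 7296 (sections 3.2 and 3.7); the policy is assumed.
import struct

CERTREQ = 38          # payload type: Certificate Request
NO_NEXT_PAYLOAD = 0   # terminates the payload chain
X509_SIG = 4          # Cert Encoding value: X.509 Certificate - Signature
NONCE = 40            # used only for the constructed sample messages

def parse_payloads(first_type, data):
    """Yield (payload_type, body) for a chain whose first payload is first_type.
    Generic header: next payload (1), critical+reserved (1), length (2, incl. header)."""
    ptype, off = first_type, 0
    while ptype != NO_NEXT_PAYLOAD:
        if off + 4 > len(data):
            raise ValueError("truncated payload header")
        nxt, _flags, length = struct.unpack_from("!BBH", data, off)
        if length < 4 or off + length > len(data):
            raise ValueError("bad payload length")
        yield ptype, data[off + 4:off + length]
        ptype, off = nxt, off + length
    if off != len(data):
        raise ValueError("trailing bytes after last payload")

def certreq_intent(first_type, data):
    """'none' -> no CERTREQ payload: peer asks us not to send certificates.
       'any'  -> CERTREQ present with no CA hints: send whatever chain we have.
       list   -> SHA-1 hashes of CA SubjectPublicKeyInfo to match our chain against.
    Several CERTREQ payloads may appear; their hints are merged."""
    hints = None
    for ptype, body in parse_payloads(first_type, data):
        if ptype != CERTREQ:
            continue
        if hints is None:
            hints = []
        ca = body[1:]  # body[0] is Cert Encoding; the rest is concatenated hashes
        hints.extend(ca[i:i + 20] for i in range(0, len(ca), 20))
    if hints is None:
        return "none"
    return "any" if not hints else hints

def build_certreq(next_type, ca_hashes=()):
    """Encode one X.509 CERTREQ payload; an empty ca_hashes gives the 'any' form."""
    body = bytes([X509_SIG]) + b"".join(ca_hashes)
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body

def build_nonce(next_type, nonce=b"\x01" * 8):
    """Constructed Nonce payload used to give the chain something before CERTREQ."""
    return struct.pack("!BBH", next_type, 0, 4 + len(nonce)) + nonce
```

A peer that authenticates with preconfigured raw RSA keys, as in points 1 and 2 above, simply never emits `build_certreq`, and the other side sees `"none"`.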