Re: The CR payload still
> At 11:07 AM -0800 3/5/03, Brian Korver wrote:
> >Except for the case of opportunistic IPsec, I don't see the point
> >of telling your peer "I don't care".
>
> There are other meanings than "I don't care". We need to be able to
> say "send me a cert of type other than 4", namely types 11, 12, and
> 13. Currently, we can't specify that.
Nor can we currently request CRL(s). It's a pity, because either
it forces the other side to always send (probably huge) CRL(s), or leaves
us without critical revocation information in case we cannot get it from
other sources.
> > Therefore, I agree that an empty
> >CERTREQ should be prohibited in IKEv2, especially because it creates an
> >interoperability rat hole.
>
> It won't do that if we scope it correctly.
>
> --Paul Hoffman, Director
> --VPN Consortium
Regards,
Valery Smyslov.