
Re: The CR payload still



> At 11:07 AM -0800 3/5/03, Brian Korver wrote:
> >Except for the case of opportunistic IPsec, I don't see the point
> >of telling your peer "I don't care".
> 
> There are other meanings than "I don't care". We need to be able to 
> say "send me a cert of type other than 4", namely types 11, 12, and 
> 13. Currently, we can't specify that.

Nor can we currently request CRL(s). It's a pity, because either
it forces the other side to always send (probably huge) CRL(s), or leaves
us without critical revocation information in case we cannot get it from 
other sources.

> >   Therefore, I agree that an empty
> >CERTREQ should be prohibited in IKEv2, especially because it creates an
> >interoperability rat hole.
> 
> It won't do that if we scope it correctly.
> 
> --Paul Hoffman, Director
> --VPN Consortium

Regards,
Valery Smyslov.