[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: The CR payload still
: > Opinions expressed may not even be mine by the time you read them, and
: > certainly don't reflect those of any other entity (legal or otherwise).
:
: Carlie,
:
: As you point out, no CERTREQ means "don't bother to send any CERTs",
: but the question remains as to what an empty CERTREQ means. ISAKMP
: states that an empty CERTREQ means "send any CERTs you want, I don't
: care".
:
: Except for the case of opportunistic IPsec, I don't see the point
: of telling your peer "I don't care". Therefore, I agree that an empty
: CERTREQ should be prohibited in IKEv2, especially because it creates an
: interoperability rat hole.
:
I can respect that but I don't understand what is the interoperability
problem. If it is stated explicitly there are no problems. The current
one is bigger problem since pki-profile provides a loophole for this
(allowing empty CR's) and that will cause confusion unless that too is
fixed to include MUST NOT explicitly.
There is also other than "opportunistic crypto" cases. You have to
remember that someone may not want to trust some CA just because it wants
to talk to you (it don't want to trust everybody). Some implementation
may want to always use only self-signed certs and there are no CAs in this
case. By not allowing "give me ANY cert you are using now" disallows the
use of self-signed certs in IKEv2, or rather you MAY receive it during
IKE, or may not.
Pekka
___________________________________________________________________________
Pekka Riikonen | Email: priikone@iki.fi
SSH Communications Security Corp. | http://iki.fi/priikone/
Tel. +358 (0)40 580 6673 | Snellmanninkatu 34 A 15, 70100 Kuopio
PGP KeyID A924ED4F: http://iki.fi/~priikone/pubkey.asc