[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

IKEv2 CERT #13

To: ipsec@lists.tislabs.com
Subject: IKEv2 CERT #13
From: Francis Dupont <Francis.Dupont@enst-bretagne.fr>
Date: Wed, 30 Jul 2003 17:30:59 +0200
Sender: owner-ipsec@lists.tislabs.com

In draft-ietf-ipsec-ikev2-08.txt there are some new certificate
encodings, include the "Hash and URL of PKIX bundle" #13.
The text is more accurate than in IKEv1, for instance the common
#4 (X.509 Certificate - Signature) is defined as the BER encoding of
a X.509 certificate (a "X.509 public key certificate" would be perfect).
The #13 content is defined by:
      Hash and URL of PKIX bundle (13) contains a 20 octet SHA-1 hash of
      a PKIX certificate bundle followed by a variable length URL the
      resolves to the BER encoded certificate bundle itself. The bundle
      is a BER encoded SEQUENCE of certificates and CRLs.
I have a concern with the last statement: a SEQUENCE of certificates
and CRLs is not a valid ASN.1 definition, even as interpreted as
a SEQUENCE of CHOICES between certificates and CRLs because both
certificates and CRLs are SIGNED SEQUENCEs. Note that nearly
anything more specified should work, so this is easy to fix:
my concern is this has to be fixed.

Regards

Francis.Dupont@enst-bretagne.fr

PS: a SET seems to be better than a SEQUENCE (and avoid the
"what is in front" question).
PPS: questions for IKEv1 implementors: how do you handle multiple
certificates (aka certificate chains). Type #1 (pkcs7 aka CMS)
is an obvious answer, if it is heavily used why not move to
last CMS specs, i.e., RFC 3369?

Prev by Date: I-D ACTION:draft-ietf-ipsec-ui-suites-02.txt
Next by Date: Re: revised IPsec processing model: Q: VID and forwarding function
Prev by thread: I-D ACTION:draft-ietf-ipsec-ui-suites-02.txt
Next by thread: NAT-T, IKEv2, Vendor ID, port floating??
Index(es):
- Date
- Thread