
IKEv1: use of CERTREQ



Hello all,

The usage of CERTREQs is not very well specified. I know that there
is a pki-profile draft. 

Two IKE implementations want to negotiate security associations.
Let's assume the following:
- There are two security domains
- Each domain has its own CA
- The CAs have cross-certified each other
- The IKE implementations belong to different security domains, i.e.
they do not have the peer's certificate.

What is the *current practice* in this situation?

There are at least 4 possibilities, when certificate based
authentication is used in IKE:

1) IKE does not send a CERTREQ at all
- This contradicts the pki-profile draft, because in-band
exchange of certificates is desired.

2) IKE sends an empty CERTREQ
- This contradicts the pki-profile draft.

3) Several CA names are configured and IKE sends multiple CERTREQs
- This has a privacy problem, if security domains don't want to
reveal their trust relationships.

4) A CA name is configured for each ISAKMP policy and IKE sends one
CERTREQ
- Is this supported in the current implementations?

BR,
Juha Ollila
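To make the four options above concrete on the wire, here is an added example (not part of the post, and not code from any IKE implementation) that builds and parses the ISAKMP Certificate Request payload as laid out in RFC 2408 section 3.10: a 4-byte generic header (next payload, reserved, length), one byte of certificate type, and an optional Certificate Authority field which for X.509 types is a DER-encoded Name. An "empty" CERTREQ (option 2) is the 5-byte payload with no CA field; options 3 and 4 differ only in how many CERTREQ payloads are chained. The CA names ("Domain A CA", "Domain B CA") and the minimal CN-only DER Name builder are constructed for the example; the DER walker below only handles the Names this builder produces, not arbitrary X.509 Names.

```python
import struct

ISAKMP_NEXT_NONE = 0          # next-payload value: no further payload
ISAKMP_PAYLOAD_CERTREQ = 7    # payload type number of CERTREQ (RFC 2408 3.1)
CERT_X509_SIGNATURE = 4       # certificate type "X.509 Certificate - Signature" (RFC 2408 3.9)
OID_COMMON_NAME = b"\x55\x04\x03"   # DER encoding of OID 2.5.4.3 (id-at-commonName)


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def der_dn(common_name: str) -> bytes:
    """Constructed example Name: SEQUENCE { SET { SEQUENCE { OID cn, PrintableString } } }."""
    atv = _der_tlv(0x30, _der_tlv(0x06, OID_COMMON_NAME)
                   + _der_tlv(0x13, common_name.encode("ascii")))
    return _der_tlv(0x30, _der_tlv(0x31, atv))


def _der_read(buf: bytes, off: int):
    """Read one TLV at buf[off:]; return (tag, value, offset after it)."""
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    else:
        length = first
    return tag, buf[off:off + length], off + length


def dn_common_name(dn: bytes):
    """Recover the CN from a Name built by der_dn(); None if no CN attribute."""
    _, name_body, _ = _der_read(dn, 0)
    off = 0
    while off < len(name_body):
        _, rdn_body, off = _der_read(name_body, off)      # SET
        _, atv_body, _ = _der_read(rdn_body, 0)           # SEQUENCE (AttributeTypeAndValue)
        _, oid, val_off = _der_read(atv_body, 0)          # OID
        if oid == OID_COMMON_NAME:
            _, value, _ = _der_read(atv_body, val_off)    # PrintableString
            return value.decode("ascii")
    return None


def build_certreq(ca_dn: bytes, next_payload: int) -> bytes:
    """One CERTREQ payload. An empty ca_dn yields the 5-byte 'empty CERTREQ' of option 2."""
    body = bytes([CERT_X509_SIGNATURE]) + ca_dn
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def build_certreq_chain(ca_dns) -> bytes:
    """Chain one CERTREQ per CA name (option 3 when len > 1, option 4 when len == 1)."""
    out = b""
    for i, dn in enumerate(ca_dns):
        nxt = ISAKMP_PAYLOAD_CERTREQ if i < len(ca_dns) - 1 else ISAKMP_NEXT_NONE
        out += build_certreq(dn, nxt)
    return out


def parse_certreq_chain(buf: bytes):
    """Parse consecutive CERTREQ payloads with bounds checks; return [(cert_type, ca_dn), ...]."""
    result, off, nxt = [], 0, ISAKMP_PAYLOAD_CERTREQ
    while nxt == ISAKMP_PAYLOAD_CERTREQ:
        if len(buf) - off < 5:
            raise ValueError("truncated CERTREQ payload")
        nxt, _reserved, length = struct.unpack_from("!BBH", buf, off)
        if length < 5 or off + length > len(buf):
            raise ValueError("bad CERTREQ payload length %d" % length)
        result.append((buf[off + 4], buf[off + 5:off + length]))
        off += length
    if off != len(buf):
        raise ValueError("trailing bytes after last payload")
    return result


def requested_ca_names(buf: bytes):
    """What the peer learns about the sender's trust anchors: CN per CERTREQ, None if empty."""
    return [dn_common_name(dn) if dn else None for _, dn in parse_certreq_chain(buf)]


if __name__ == "__main__":
    chain = build_certreq_chain([der_dn("Domain A CA"), der_dn("Domain B CA")])
    print(chain.hex())
    print(requested_ca_names(chain))          # option 3: both trust anchors are disclosed
    print(requested_ca_names(build_certreq_chain([b""])))   # option 2: [None]
```

`requested_ca_names()` makes the privacy point of option 3 visible: every CA Name in the chain is readable by whoever receives the payload, so a multi-CERTREQ sender discloses its full set of configured trust anchors to each peer.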