[Ipsec] OCSP in IKEv2
Charlie,
Recent discussions in the PKI4IPSEC working group exposed a disconnect between IKE's specification of CRLs and their utility given likely CRL size. Towards in-band alternatives, OCSP as developed by PKIX and defined by RFC 2560 is a viable option for IKE in-band signaling of certificate revocation status.

OCSP did not exist as an RFC when IKE was originally drafted; it was still an I-D at that stage of IKE's development. Its absence in IKE's original specification is thus understandable. But OCSP does now exist as an alternative to CRLs. Per a recent PKIX poll, there are something like eight independent implementations of OCSP.

I strongly encourage amendment of IKEv2 to accommodate OCSP. TLS has already done so, as has the OWA community. Why not IPSEC? I realize this notice is probably too late for -13, but might consensus be formed for inclusion in -14 of IKEv2?
Michael Myers
_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec