
[Ipsec] OCSP in IKEv2
Charlie,

Recent discussions in the PKI4IPSEC working group exposed a
disconnect between IKE's specification of CRLs and their utility
given likely CRL size.  Towards in-band alternatives, OCSP as
developed by PKIX and defined by RFC 2560 is a viable option for
IKE in-band signaling of certificate revocation status.

OCSP did not exist as an RFC when IKE was originally drafted; it
was still an I-D at that stage of IKE's development. Its absence
in IKE's original specification is thus understandable.  But
OCSP does now exist as an alternative to CRLs.  Per a recent
PKIX poll, there are something like eight independent
implementations of OCSP.

I strongly encourage amendment of IKEv2 to accommodate OCSP.
TLS has already done so, as has the OWA community.  Why not
IPSEC?  I realize this notice is probably too late for -13, but
might consensus be formed for inclusion in -14 of IKEv2?

Michael Myers
_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec