[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Ipsec] certificate encoding type in IKEv2

To: <vjyothi@intoto.com>, <ipsec@ietf.org>
Subject: RE: [Ipsec] certificate encoding type in IKEv2
From: Pasi.Eronen@nokia.com
Date: Thu, 8 Jul 2004 15:26:34 +0300
Cc:
List-help: <mailto:ipsec-request@ietf.org?subject=help>
List-id: IP Security <ipsec.ietf.org>
List-post: <mailto:ipsec@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>,<mailto:ipsec-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>,<mailto:ipsec-request@ietf.org?subject=unsubscribe>
Sender: ipsec-bounces@ietf.org
Thread-index: AcRj9cGXOQaWOTifQXKcoBKkses8ZAA7uT9g
Thread-topic: [Ipsec] certificate encoding type in IKEv2


Hi,

IKEv2 Section 3.6 says that 

   "Implementations MUST be capable of being configured to send
   and accept up to four X.509 certificates in support of
   authentication.  Implementations SHOULD be capable of being
   configured to send and accept Raw RSA keys and the first two
   Hash and URL formats."

This MUST requirement seems to refer to the "X.509 Certificate - 
Signature" type; so you answered your own question :-).

The possible ambiguity concerning "PKCS #7 wrapped X.509
certificate" type is resolved by draft-ietf-pki4ipsec-ikecert-
profile-00: it says that "Implementations SHOULD NOT generate 
CERTs that contain this type".

If you have a certificate chain, then you use several
CERT payloads (note that they do not have to be in order,
except the first one must correspond to the key used
to sign the AUTH payload). Certificate bundle is just a set 
of certificates, not necessarily in any special order. I guess
usually a bundle will contain at least one chain.

Best regards,
Pasi

-----Original Message-----
From: ipsec-bounces@ietf.org On Behalf Of vjyothi@intoto.com
Sent: Wednesday, July 07, 2004 9:02 AM
To: ipsec@ietf.org
Subject: [Ipsec] certificate encoding type in IKEv2

Hi all,

In draft-ietf-ipsec-ikev2-14.txt, section 3.6 following certificate 
encoding types are defined:

           PKCS #7 wrapped X.509 certificate    1
           PGP Certificate                      2
           DNS Signed Key                       3
           X.509 Certificate - Signature        4
           Kerberos Token                       6
           Certificate Revocation List (CRL)    7
           Authority Revocation List (ARL)      8
           SPKI Certificate                     9
           X.509 Certificate - Attribute       10
           Raw RSA Key                         11
           Hash and URL of X.509 certificate   12
           Hash and URL of X.509 bundle        13

I would like to what is MUST in above defined types. 
In IKEv2, it is X.509 certificate-signature.

I would also like to know what is cert bundle which is defined in 
page 58. Is it related to certificate chain??

How can we use certificate chains in IKEv2??

Many thanks in advance,
Jyothi

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec

Prev by Date: RE: [Ipsec] RFC 3715 / IPsec NAT Compatibility
Next by Date: [Ipsec] Re: Document
Previous by thread: [Ipsec] certificate encoding type in IKEv2
Next by thread: RE: [Ipsec] certificate encoding type in IKEv2
Index(es):
- Date
- Thread