[Ipsec] OCSP in IKEv2



All,

The intersection of IPSEC with PKI is of recent interest.  Towards that
dialog, Hannes Tschofenig and I have proposed how OCSP could be used to
deliver certificate status in-band to IKEv2.  We were driven first to
consider the important use case of EAP (i.e. the Road Warrior) but also
considered the Peer-to-Peer case in order to develop a general solution.

This individual submission I-D can be found at:
http://www.ietf.org/internet-drafts/draft-myers-ipsec-ikev2-oscp-00.txt

Two new certificate encoding types are proposed:  OCSP Responder Hash
and OCSP Response.  An OCSP Responder Hash is sent in a CERTREQ,
computed as trust anchor hashes are computed but sent in a separate
CERTREQ.  A corresponding OCSP Response is sent back in its own CERT
payload and in the context of the CERT payload carrying the
participant's certificate.  That is, an IKEv2 participant sends both its
cert and that cert's status in separate CERT payloads.
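To make the payload layout concrete, here is an added model of the exchange described above; it is example code written for this page, not code from the draft or from its authors. It assumes the generic IKEv2 payload header and the CERT (37) and CERTREQ (38) payload type numbers from RFC 4306, uses SHA-1 over the SubjectPublicKeyInfo as the trust anchor hash (the way IKEv2 computes CERTREQ hashes), and, because the page gives no numeric code points for the two proposed encodings, uses placeholder encoding values for "OCSP Responder Hash" and "OCSP Response". All inputs are constructed byte strings standing in for DER.

```python
import hashlib
import struct

# IKEv2 payload type numbers from RFC 4306: CERT = 37, CERTREQ = 38.
PT_NONE = 0
PT_CERT = 37
PT_CERTREQ = 38

# Certificate encoding values. 4 ("X.509 Certificate - Signature") is the
# real IKEv2 value used for trust anchor hashes in a CERTREQ.  The two
# encodings proposed in the draft have no numeric value on the page, so
# the values below are placeholders, not assigned code points.
ENC_X509_SIG = 4
ENC_OCSP_RESPONDER_HASH = 0xF0  # placeholder (assumed)
ENC_OCSP_RESPONSE = 0xF1        # placeholder (assumed)

HASH_LEN = 20  # SHA-1 digest length used for IKEv2 trust anchor hashes


def spki_hash(spki_der: bytes) -> bytes:
    """Hash as IKEv2 computes a trust anchor hash: SHA-1 over the SubjectPublicKeyInfo."""
    return hashlib.sha1(spki_der).digest()


def build_payload(encoding: int, data: bytes, next_payload: int = PT_NONE) -> bytes:
    """Generic IKEv2 payload header (Next Payload, C/Reserved, Length) followed
    by the one-byte Cert Encoding field and the encoding-specific data."""
    body = struct.pack("!B", encoding) + data
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def parse_payloads(blob: bytes, first_type: int):
    """Walk a chain of generic payloads; first_type is the Next Payload value
    of whatever preceded the chain.  Returns [(payload_type, encoding, data)]
    and refuses truncated or overlong payloads instead of reading past them."""
    out, ptype, off = [], first_type, 0
    while ptype != PT_NONE:
        if off + 5 > len(blob):
            raise ValueError("truncated payload header")
        next_type, _flags, length = struct.unpack("!BBH", blob[off:off + 4])
        if length < 5 or off + length > len(blob):
            raise ValueError("bad payload length")
        encoding = blob[off + 4]
        out.append((ptype, encoding, blob[off + 5:off + length]))
        ptype, off = next_type, off + length
    if off != len(blob):
        raise ValueError("trailing bytes after last payload")
    return out


def build_certreq_chain(ca_spkis, responder_spki: bytes) -> bytes:
    """Requester side: one CERTREQ with the trust anchor hashes, then a separate
    CERTREQ carrying the OCSP Responder Hash, as the draft proposes."""
    anchors = b"".join(spki_hash(s) for s in ca_spkis)
    responder = build_payload(ENC_OCSP_RESPONDER_HASH, spki_hash(responder_spki))
    return build_payload(ENC_X509_SIG, anchors, next_payload=PT_CERTREQ) + responder


def answer_certreqs(certreq_blob: bytes, my_cert: bytes, ocsp_by_responder: dict) -> bytes:
    """Responder side: always send the participant's certificate in a CERT
    payload; add a second CERT payload with the OCSP Response only when one
    of the requested responder hashes matches a response we hold."""
    chosen = None
    for ptype, encoding, data in parse_payloads(certreq_blob, PT_CERTREQ):
        if ptype != PT_CERTREQ or encoding != ENC_OCSP_RESPONDER_HASH:
            continue
        if len(data) % HASH_LEN:
            raise ValueError("responder hash list is not a multiple of the digest length")
        for i in range(0, len(data), HASH_LEN):
            chosen = ocsp_by_responder.get(data[i:i + HASH_LEN], chosen)
    if chosen is None:
        return build_payload(ENC_X509_SIG, my_cert)
    return (build_payload(ENC_X509_SIG, my_cert, next_payload=PT_CERT)
            + build_payload(ENC_OCSP_RESPONSE, chosen))


if __name__ == "__main__":
    # Constructed stand-ins for DER-encoded SubjectPublicKeyInfo, cert and response.
    ca = b"constructed CA SubjectPublicKeyInfo"
    responder = b"constructed OCSP responder SubjectPublicKeyInfo"
    req = build_certreq_chain([ca], responder)
    reply = answer_certreqs(req, b"constructed cert",
                            {spki_hash(responder): b"constructed OCSP response"})
    for ptype, enc, data in parse_payloads(reply, PT_CERT):
        print(ptype, hex(enc), len(data))
```

The point of modelling both sides is the matching step: the responder only attaches an OCSP Response when the peer's CERTREQ named a responder it actually has a fresh response from, and otherwise sends the bare certificate so the peer can fall back to its own status check.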

Hannes and I look forward to your comments and debate.  I've
cross-posted due to intersecting interests but please post comments to
the IPSEC list only.

Michael Myers



_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec