[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Ipsec] RE: OCSP in IKEv2

To: Paul Hoffman / VPNC <paul.hoffman@vpnc.org>
Subject: Re: [Ipsec] RE: OCSP in IKEv2
From: Bill Sommerfeld <sommerfeld@east.sun.com>
Date: Wed, 11 Aug 2004 16:49:53 -0400
Cc: ipsec@ietf.org, Michael Myers <mmyers@fastq.com>
In-reply-to: Your message of "Tue, 10 Aug 2004 18:41:45 PDT."<p06110404bd3f280fd95e@[10.20.30.249]>
List-help: <mailto:ipsec-request@ietf.org?subject=help>
List-id: IP Security <ipsec.ietf.org>
List-post: <mailto:ipsec@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>,<mailto:ipsec-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>,<mailto:ipsec-request@ietf.org?subject=unsubscribe>
Reply-to: sommerfeld@east.sun.com
Sender: ipsec-bounces@ietf.org

Experimental doesn't seem to fit; it seems to me more of a
*limited-applicability* standards track document..

I can see two obvious use cases for tunneling OCSP through IKE:

 1) the "PKI infrastructure servers inside the security perimeter"
    case discussed at some length within the pki4ipsec working group.

 2) when transport mode ipsec is used and you need to talk to the OCSP
    server itself.

Both of these break a possible chicken-and-egg dependancy cycle (need
IPsec to speak OCSP; need OCSP to establish IPsec SA).

							- Bill







_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec

Follow-Ups:
- Re: [Ipsec] RE: OCSP in IKEv2
  - From: Paul Hoffman / VPNC <paul.hoffman@vpnc.org>

References:
- [Ipsec] RE: OCSP in IKEv2
  - From: Paul Hoffman / VPNC <paul.hoffman@vpnc.org>

Prev by Date: Re: [Ipsec] Paddding Issue in AES-XCBC-MAC-96 with IPSEC (RFC 3566)
Next by Date: Re: [Ipsec] HTTP question
Previous by thread: [Ipsec] RE: OCSP in IKEv2
Next by thread: Re: [Ipsec] RE: OCSP in IKEv2
Index(es):
- Date
- Thread