
[Ipsec] Re: [Pki4ipsec] OCSP in IKEv2



Your I-D actually cleared up some confusion in the KRB WG over the
meaning of "OCSP tunnelling" and led to achievement of consensus on how
to add support for OCSP to PKINIT.  Thank you.

Nico
-- 

On Sat, Aug 07, 2004 at 10:21:32AM -0700, Michael Myers wrote:
> All,
> 
> The intersection of IPSEC with PKI is of recent interest.  Towards that
> dialog, Hannes Tschofenig and I have proposed how OCSP could be used to
> deliver certificate status in-band to IKEv2.  We were driven first to
> consider the important use case of EAP (i.e. the Road Warrior) but also
> considered the Peer-to-Peer case in order to develop a general solution.
> 
> This individual submission I-D can be found at:
> http://www.ietf.org/internet-drafts/draft-myers-ipsec-ikev2-oscp-00.txt
> 
> Two new certificate encoding types are proposed:  OCSP Responder Hash
> and OCSP Response.  An OCSP Responder Hash is sent in a CERTREQ,
> computed as trust anchor hashes are computed but sent in a separate
> CERTREQ.  A corresponding OCSP Response is sent back in its own CERT
> payload and in the context of the CERT payload carrying the
> participant's certificate.  That is, an IKEv2 participant sends both its
> cert and that cert's status in separate CERT payloads.
> 
> Hannes and I look forward to your comments and debate.  I've
> cross-posted due to intersecting interests but please post comments to
> the IPSEC list only.
> 
> Michael Myers
> 
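The CERTREQ/CERT flow described in the quoted post, as an added toy model that is not code from the draft or from the thread: the initiator sends trust-anchor hashes and OCSP responder hashes in separate CERTREQs, the responder returns its certificate and that certificate's OCSP status in separate CERT payloads, and the initiator checks that the status is bound to the right certificate and signed by a requested responder. The encoding type names are taken from the post (no numeric values are given there); the SPKI byte strings and the certificate and response dicts are constructed placeholders, and signature verification is left out.

```python
import hashlib

# Encoding type names from the draft; the thread gives no numeric values,
# so this model keys payloads by name. Each payload is (encoding, data).
X509_CERT = "X.509 Certificate"
OCSP_RESPONDER_HASH = "OCSP Responder Hash"  # proposed; sent in CERTREQ
OCSP_RESPONSE = "OCSP Response"              # proposed; sent in CERT

def spki_hash(spki: bytes) -> bytes:
    # CERTREQ names a key by the SHA-1 hash of its SubjectPublicKeyInfo; the
    # draft computes the OCSP responder hash the same way.
    return hashlib.sha1(spki).digest()

def build_certreqs(trust_anchor_spkis, responder_spkis):
    # Initiator: trust-anchor hashes and responder hashes go in separate CERTREQs.
    return [(X509_CERT, b"".join(map(spki_hash, trust_anchor_spkis))),
            (OCSP_RESPONDER_HASH, b"".join(map(spki_hash, responder_spkis)))]

def build_certs(cert, ocsp_response):
    # Responder: its certificate and that cert's status in their own CERT payloads.
    return [(X509_CERT, cert), (OCSP_RESPONSE, ocsp_response)]

def accept_peer(certreqs, certs):
    # Initiator-side checks on the returned CERT payloads. Certificate and OCSP
    # signature verification is omitted here; only the binding logic is shown.
    want = {enc: {d[i:i + 20] for i in range(0, len(d), 20)} for enc, d in certreqs}
    got = dict(certs)
    cert, resp = got.get(X509_CERT), got.get(OCSP_RESPONSE)
    if cert is None or resp is None:
        return False  # status must arrive in-band alongside the certificate
    if spki_hash(cert["issuer_spki"]) not in want[X509_CERT]:
        return False  # issuer is not one of the requested trust anchors
    if spki_hash(resp["responder_spki"]) not in want[OCSP_RESPONDER_HASH]:
        return False  # response signed by a responder we did not ask for
    if (resp["serial"], resp["issuer_spki"]) != (cert["serial"], cert["issuer_spki"]):
        return False  # response is about a different certificate
    return resp["status"] == "good"

# Constructed sample values (stand-ins for real SPKI bytes and certificates).
CA_SPKI, VA_SPKI, ROGUE_SPKI = b"ca-key", b"ocsp-responder-key", b"rogue-key"
PEER_CERT = {"serial": 4711, "issuer_spki": CA_SPKI}
GOOD = {"serial": 4711, "issuer_spki": CA_SPKI, "responder_spki": VA_SPKI, "status": "good"}

def demo():
    reqs = build_certreqs([CA_SPKI], [VA_SPKI])
    return (accept_peer(reqs, build_certs(PEER_CERT, GOOD)),                                  # True
            accept_peer(reqs, build_certs(PEER_CERT, dict(GOOD, status="revoked"))),          # False
            accept_peer(reqs, build_certs(PEER_CERT, dict(GOOD, responder_spki=ROGUE_SPKI))), # False
            accept_peer(reqs, [(X509_CERT, PEER_CERT)]))                                      # False: no status
```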

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec