
RE: [Ipsec] RE: OCSP in IKEv2
Dave,

It is better to think of this as OCSP-in-IKE, not OCSP-over-IKE.  That
said:

> From: Dave Engberg
> Sent: Monday, August 16, 2004 10:26 AM
>
> . . .
>
> I would suggest modifying the IKEv2 proposal to permit requests with:
>
> a) More than one responder

The I-D currently reads "Where it is useful to identify more than one
trusted OCSP responder, each such identification SHALL be transmitted
via separate OCSP Responder Hash CERTREQ payloads."  Is this sufficient?

> b) Specify responders by name or key hash instead of cert hash

My intent is to keep this as close as possible to the way IKEv2 does
things, especially given our SAAG discussion in San Diego re: PKI
complexity.  Hence the Responder Hash "SHALL be computed and produced in
a manner identical to that of trust anchor hashes as documented in
Section 3.7 of [IKEv2]".  I do not recall anybody having any problem
with that means of identifying CA certificates.  So why not OCSP
Responder certificates?

> c) Permit "delegated" responders (OCSPSigning) without
>    explicit trust at the relying party

Such is not excluded by the I-D.  We make no assertions about what is at
the other end of that Responder Hash.  If an environment wants that
certificate to contain the indicator for explicit delegation of OCSP
signing, it is free to do so.  Or did I miss your point?
Mike
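The CERTREQ mechanics this reply leans on, as an added example that is not part of the original thread or of the I-D: Section 3.7 of IKEv2 identifies a trust anchor by the SHA-1 hash of the DER SubjectPublicKeyInfo of its certificate, and the Certification Authority field of a CERTREQ payload carries those 20-byte hashes concatenated; Mike's text says an OCSP Responder Hash is computed the same way, with each responder in its own CERTREQ payload. The code below builds and parses both forms and checks the one thing a relying party has to verify, that the field is a whole number of 20-byte hashes. Assumptions: payload type 38 and Cert Encoding value 4 are taken from RFC 4306 (the IKEv2 text as later published), the OCSP Responder Hash encoding value is a placeholder because the page does not give one, and the SubjectPublicKeyInfo is a constructed EC key whose point bytes are arbitrary (only the hashing matters here).

```python
"""Added example (not from the I-D or any IKEv2 implementation): build and parse
IKEv2 CERTREQ payloads whose Certification Authority field holds SHA-1 hashes of
DER SubjectPublicKeyInfo elements, as RFC 4306 section 3.7 specifies for trust
anchors and as the e-mail says the OCSP Responder Hash is computed."""
import hashlib
import struct

CERTREQ_PAYLOAD_TYPE = 38        # IKEv2 payload type for CERTREQ (RFC 4306)
X509_CERT_SIG = 4                # Cert Encoding "X.509 Certificate - Signature" (RFC 4306)
OCSP_RESPONDER_HASH = 200        # ASSUMPTION: placeholder; the I-D's value is not on the page
HASH_LEN = 20                    # SHA-1 digest length
GENERIC_HDR = struct.Struct("!BBH")  # Next Payload, C|RESERVED, Payload Length


def der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder with definite lengths up to 65535 bytes."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + struct.pack("!H", n)
    return bytes([tag]) + length + content


def make_ec_spki(point: bytes) -> bytes:
    """Constructed SubjectPublicKeyInfo for id-ecPublicKey / prime256v1.
    'point' is a 65-byte uncompressed point; any bytes work for hashing."""
    ec_public_key = der(0x06, bytes.fromhex("2a8648ce3d0201"))   # 1.2.840.10045.2.1
    prime256v1 = der(0x06, bytes.fromhex("2a8648ce3d030107"))    # 1.2.840.10045.3.1.7
    alg_id = der(0x30, ec_public_key + prime256v1)
    public_key = der(0x03, b"\x00" + point)                       # BIT STRING, 0 unused bits
    return der(0x30, alg_id + public_key)


def trust_anchor_hash(spki: bytes) -> bytes:
    """RFC 4306 section 3.7: SHA-1 over the DER SubjectPublicKeyInfo element."""
    return hashlib.sha1(spki).digest()


def build_certreq(encoding: int, hashes: list, next_payload: int = 0) -> bytes:
    """One CERTREQ payload: generic header, Cert Encoding byte, concatenated hashes."""
    for h in hashes:
        if len(h) != HASH_LEN:
            raise ValueError("each hash must be 20 bytes")
    body = bytes([encoding]) + b"".join(hashes)
    return GENERIC_HDR.pack(next_payload, 0, GENERIC_HDR.size + len(body)) + body


def build_certreq_chain(encoding: int, spkis: list, last_next_payload: int = 0) -> bytes:
    """One CERTREQ per identified certificate (the I-D's rule for OCSP responders),
    chained through the Next Payload field of the generic header."""
    payloads = []
    for i, spki in enumerate(spkis):
        nxt = CERTREQ_PAYLOAD_TYPE if i < len(spkis) - 1 else last_next_payload
        payloads.append(build_certreq(encoding, [trust_anchor_hash(spki)], nxt))
    return b"".join(payloads)


def parse_certreqs(data: bytes, first_type: int = CERTREQ_PAYLOAD_TYPE) -> list:
    """Walk a chain of CERTREQ payloads; return [(encoding, [hashes]), ...].
    Rejects truncated payloads and CA fields that are not whole 20-byte hashes."""
    out, ptype, off = [], first_type, 0
    while ptype == CERTREQ_PAYLOAD_TYPE:
        if len(data) - off < GENERIC_HDR.size:
            raise ValueError("truncated payload header")
        nxt, _flags, length = GENERIC_HDR.unpack_from(data, off)
        if length < GENERIC_HDR.size + 1 or off + length > len(data):
            raise ValueError("bad payload length")
        body = data[off + GENERIC_HDR.size: off + length]
        encoding, ca = body[0], body[1:]
        if len(ca) % HASH_LEN:
            raise ValueError("Certification Authority field is not a multiple of 20 bytes")
        hashes = [ca[i:i + HASH_LEN] for i in range(0, len(ca), HASH_LEN)]
        out.append((encoding, hashes))
        off += length
        ptype = nxt
    return out


def select_responders(requested_hashes: list, candidate_spkis: list) -> list:
    """Relying-party side: which of our OCSP responder certificates did the peer name?"""
    wanted = set(requested_hashes)
    return [spki for spki in candidate_spkis if trust_anchor_hash(spki) in wanted]
```

Note the two layouts: trust anchors share one payload with their hashes concatenated, while the chain builder emits one payload per responder, which is what the quoted I-D text requires. Because the hash is over SubjectPublicKeyInfo, a re-issued responder certificate with the same key still matches, and a responder whose key rolled over does not.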
_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec