
RE: [Ipsec] RE: OCSP in IKEv2



Dave,

Your clarifications below sound much more like a PKI problem than an
IPSEC need.  It is not my intent to use this I-D to patch around known
difficulties in configuring and managing a PKI.  So I think these two
points are out of scope.  I am willing to be convinced otherwise, but that
would take some discussion from folks on the IPSEC side of this I-D.

Mike



-----Original Message-----
From: David Engberg
Sent: Tuesday, August 24, 2004 5:02 AM

. . .

b) Specify responders by name or key hash instead of cert hash
. . .

The lifecycle for a responder certificate could be much more dynamic
[than a root CA cert].
Responder certs don't have any way to do "rollover" to a new cert with
implicit trust for existing clients.  This means that any change to the
responder cert requires a local change on every peer device.

c) Permit "delegated" responders (OCSPSigning) without explicit trust at
the relying party

[By that I mean] it would be useful to allow the "service" side to send
an OCSPResponse along with a delegated/chained responder cert that isn't
explicitly known to the "client" before the transaction starts. . . .
This permits the greatest flexibility in the responder
management without introducing another hard-coded trust point in every
client.
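
The two points under discussion, as an added example that is not part of this thread or of the I-D: a relying-party side in Go (standard library only, every certificate constructed locally) showing (b) that identifying a responder by the RFC 2560 KeyHash, the SHA-1 over the subjectPublicKey BIT STRING contents, survives a rollover to a re-issued responder cert carrying the same key, where a hash over the certificate itself does not, and (c) the check a client can apply to a delegated responder cert it has no prior configuration for: direct issuance by the CA that issued the certificate being checked, plus id-kp-OCSPSigning (RFC 2560 section 4.2.2.2). The names (Example Issuing CA, ocsp.example.test), the function names, the choice of SHA-256 for the "cert hash", and the omission of the OCSPResponse signature and freshness checks are assumptions for illustration.

```go
package main

// Added example, not from the Ipsec thread or the OCSP-in-IKEv2 I-D.
// Every certificate below is generated locally (constructed test data).

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// keyHash returns the RFC 2560 ResponderID byKey value: SHA-1 over the
// subjectPublicKey BIT STRING contents (tag, length and unused-bits byte
// excluded). It depends only on the key, so a re-issued cert keeps it.
func keyHash(cert *x509.Certificate) ([]byte, error) {
	var spki struct {
		Algorithm pkix.AlgorithmIdentifier
		PublicKey asn1.BitString
	}
	rest, err := asn1.Unmarshal(cert.RawSubjectPublicKeyInfo, &spki)
	if err != nil {
		return nil, err
	}
	if len(rest) != 0 {
		return nil, fmt.Errorf("trailing data after SubjectPublicKeyInfo")
	}
	h := sha1.Sum(spki.PublicKey.Bytes)
	return h[:], nil
}

// certHash is the identifier the thread argues against: a digest of the
// whole DER certificate (SHA-256 chosen here only as an illustration). It
// changes on every re-issuance even when the responder key does not.
func certHash(cert *x509.Certificate) []byte {
	h := sha256.Sum256(cert.Raw)
	return h[:]
}

// acceptDelegatedResponder is the RFC 2560 4.2.2.2 rule for a responder cert
// the client has never been configured with: accept only if the CA that
// issued the target certificate signed it directly (the pool holds that CA
// alone, so no other intermediate can appear) and it carries OCSPSigning.
// Verifying the OCSPResponse signature and freshness is not shown.
func acceptDelegatedResponder(responder, issuer *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(issuer)
	_, err := responder.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning},
	})
	return err
}

// testPKI holds the constructed certificates (assumed names, no real CA).
type testPKI struct {
	CA, ResponderV1, ResponderV2, NotResponder, Foreign *x509.Certificate
}

func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func buildTestPKI() *testPKI {
	now := time.Now()
	newKey := func() *ecdsa.PrivateKey {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			panic(err)
		}
		return k
	}
	caKey, responderKey, otherKey, foreignKey := newKey(), newKey(), newKey(), newKey()
	caTmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		}
	}
	respTmpl := func(serial int64, notBefore time.Time) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "ocsp.example.test"},
			NotBefore: notBefore, NotAfter: notBefore.Add(90 * 24 * time.Hour),
			KeyUsage:    x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning},
		}
	}
	ca := mustCert(caTmpl(1, "Example Issuing CA"), caTmpl(1, "Example Issuing CA"), &caKey.PublicKey, caKey)
	foreignCA := mustCert(caTmpl(2, "Unrelated CA"), caTmpl(2, "Unrelated CA"), &foreignKey.PublicKey, foreignKey)
	notResp := respTmpl(102, now.Add(-time.Hour)) // issued by the CA, but no OCSPSigning EKU
	notResp.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	return &testPKI{
		CA:           ca,
		ResponderV1:  mustCert(respTmpl(100, now.Add(-time.Hour)), ca, &responderKey.PublicKey, caKey),
		ResponderV2:  mustCert(respTmpl(101, now.Add(-time.Minute)), ca, &responderKey.PublicKey, caKey), // rollover: same key, new cert
		NotResponder: mustCert(notResp, ca, &otherKey.PublicKey, caKey),
		Foreign:      mustCert(respTmpl(103, now.Add(-time.Hour)), foreignCA, &otherKey.PublicKey, foreignKey),
	}
}

func main() {
	p := buildTestPKI()
	for _, c := range []*x509.Certificate{p.ResponderV1, p.ResponderV2} {
		kh, _ := keyHash(c)
		fmt.Printf("serial %v  keyHash %s  certHash %s...\n", c.SerialNumber,
			hex.EncodeToString(kh), hex.EncodeToString(certHash(c))[:16])
	}
	fmt.Println("v1 accepted:", acceptDelegatedResponder(p.ResponderV1, p.CA))
	fmt.Println("v2 accepted:", acceptDelegatedResponder(p.ResponderV2, p.CA))
	fmt.Println("no OCSPSigning EKU:", acceptDelegatedResponder(p.NotResponder, p.CA))
	fmt.Println("unrelated CA:", acceptDelegatedResponder(p.Foreign, p.CA))
}
```

Running it prints the same keyHash for both responder certs but different certHash values, and acceptDelegatedResponder returns nil for both while rejecting the cert without the OCSPSigning EKU and the one chained to an unrelated CA. Putting only the issuing CA in the root pool is what makes "directly issued" hold: x509.Verify cannot build a chain through any other intermediate.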



_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec