RE: [Ipsec] RE: OCSP in IKEv2
Dave,
Your clarifications below sound much more like a PKI problem than an
IPSEC need. It is not my intent to use this I-D to patch around known
difficulties in configuring and managing a PKI. So I think these two
points are out of scope. I am willing to be convinced otherwise but that
would take some discussion from folks on the IPSEC side of this I-D.
Mike
-----Original Message-----
From: David Engberg
Sent: Tuesday, August 24, 2004 5:02 AM
. . .
b) Specify responders by name or key hash instead of cert hash
. . .
The lifecycle for a responder certificate could be much more dynamic
[than a root CA cert].
Responder certs don't have any way to do "rollover" to a new cert with
implicit trust for existing clients. This means that any change to the
responder cert requires a local change on every peer device.
c) Permit "delegated" responders (OCSPSigning) without explicit trust at
the relying party
[By that I mean] it would be useful to allow the "service" side to send
an OCSPResponse along with a delegated/chained responder cert that isn't
explicitly known to the "client" before the transaction starts. . . .
This permits the greatest flexibility in the responder
management without introducing another hard-coded trust point in every
client.
_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
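The delegated-responder model David describes in point (c), as an added example that is not code from this thread or from the I-D: a constructed CA issues a responder certificate carrying the OCSPSigning EKU, and the relying party applies the RFC 2560 section 4.2.2.2 acceptance rule to a responder certificate it has never seen before, chaining it directly to the CA that issued the certificate whose status is being checked, requiring id-kp-OCSPSigning, and only then verifying the response signature with its key. Ed25519 and all function names are my choices, and the ResponseData bytes are a stand-in rather than real DER.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue signs tmpl for pub with signer's key under parent (parent == tmpl yields a self-signed CA).
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err) // constructed templates are valid; a failure here is a bug in this example
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// BuildPKI constructs a CA and a responder cert issued by it; withEKU controls id-kp-OCSPSigning.
func BuildPKI(withEKU bool) (ca, responder *x509.Certificate, responderKey ed25519.PrivateKey) {
	now := time.Now()
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	rPub, rKey, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"}, NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true}
	rTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "OCSP Responder"}, NotBefore: now, NotAfter: now.Add(time.Hour)}
	if withEKU {
		rTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning}
	}
	ca = issue(caTmpl, caTmpl, caPub, caKey)
	return ca, issue(rTmpl, ca, rPub, caKey), rKey
}
// SignResponse stands in for the responder signing its ResponseData (pure Ed25519, no prehash).
func SignResponse(k ed25519.PrivateKey, tbs []byte) []byte { return ed25519.Sign(k, tbs) }
// AcceptDelegated is the relying party's rule for a responder cert it was not preconfigured with: it must
// be issued directly by the CA of the cert being checked and carry id-kp-OCSPSigning before its key is trusted.
func AcceptDelegated(issuer, responder *x509.Certificate, tbs, sig []byte) error {
	if err := responder.CheckSignatureFrom(issuer); err != nil {
		return errors.New("responder cert not issued by the target cert's CA: " + err.Error())
	}
	for _, eku := range responder.ExtKeyUsage {
		if eku == x509.ExtKeyUsageOCSPSigning {
			return responder.CheckSignature(x509.PureEd25519, tbs, sig)
		}
	}
	return errors.New("responder cert lacks id-kp-OCSPSigning")
}
```

A responder certificate issued by any other CA, one without the EKU, or a response whose bytes changed after signing all return an error, so the peer gains the flexibility David asks for without a new hard-coded trust point.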