
[Ipsec] Re: [Pki4ipsec] HASH and URL



Michael Richardson writes:
>   Worse, given NAT/firewall, you can't tell the peer to "get it from
> http://me:1234/mycert.pem"

But you can normally say "get it from my home-www server
http://www.my-home.net/username/mycert.cer". For VPN-style usage,
that is quite right, and you quite often assume that HTTP over port 80
will work through the firewalls/NAT, especially when there is nothing
special going on (meaning proxies etc. can work properly with the URL).

>   It would be best if we had an option in the CERT REQ which told the
> peer to please do an HTTP POST to some URL. 
>   A responder would then be in a position to know if it can provide for
> this service or not.

That would work for the one way, but would not work for the other way
around. I.e. if the initiator is behind NAT, and claims that the
server's certificate should be posted to URL http://10.0.0.22:1234/, it
would not really work...

So we would need to keep the normal GET also, and I think we can most
likely organize things so that there will be some place you can
connect to get the certificate, and if not, then send it inband...
-- 
kivinen@safenet-inc.com
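The retrieve-then-fall-back flow discussed in this message, as an added example in Python that is not part of the original thread. It assumes the IKEv2 Hash and URL encoding (a 20-byte SHA-1 of the DER certificate followed by the URL), which the thread does not spell out; the fetcher, the certificate bytes and the second URL (old.cer) are constructed stand-ins, so nothing touches the network.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Optional

SHA1_LEN = 20  # Hash and URL carries a SHA-1 digest (assumed encoding, see lead-in)


@dataclass(frozen=True)
class HashAndUrl:
    """Certificate reference sent in a CERT payload: SHA-1 of the DER cert, then a URL."""
    digest: bytes
    url: str


def encode_hash_and_url(cert_der: bytes, url: str) -> bytes:
    """Build the body the sender puts in the CERT payload (digest followed by URL)."""
    return hashlib.sha1(cert_der).digest() + url.encode("ascii")


def parse_hash_and_url(body: bytes) -> HashAndUrl:
    """Split a received body into digest and URL; reject bodies with no URL part."""
    if len(body) <= SHA1_LEN:
        raise ValueError("Hash and URL body too short")
    return HashAndUrl(body[:SHA1_LEN], body[SHA1_LEN:].decode("ascii"))


Fetcher = Callable[[str], Optional[bytes]]


def resolve_certificate(ref: HashAndUrl, fetch: Fetcher, inband: Optional[bytes]) -> Optional[bytes]:
    """Try the URL first; fall back to an in-band certificate if retrieval fails.

    Retrieval fails when the URL is unreachable (e.g. it names a NATed address
    like http://10.0.0.22:1234/) or when the bytes served do not match the digest
    the peer committed to; mismatching bytes are never used.
    """
    if ref.url.startswith(("http://", "https://")):
        fetched = fetch(ref.url)
        if fetched is not None and hmac.compare_digest(hashlib.sha1(fetched).digest(), ref.digest):
            return fetched
    return inband  # None if the peer sent nothing in-band either


# Constructed stand-ins: fake DER bytes and a table playing the role of an HTTP GET.
PEER_CERT = b"\x30\x82\x01\x0a-constructed-der-certificate"
STALE_CERT = b"\x30\x82\x01\x0a-older-certificate-left-at-same-url"
REACHABLE = {
    "http://www.my-home.net/username/mycert.cer": PEER_CERT,
    "http://www.my-home.net/username/old.cer": STALE_CERT,  # hypothetical URL
}


def offline_fetch(url: str) -> Optional[bytes]:
    """Simulated GET: anything not in REACHABLE (e.g. a private address) is unreachable."""
    return REACHABLE.get(url)
```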

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec