
Re: Work around using SPKI certificates instead of X509


>>>>> "SALLE" == SALLE Mathias <matsal@hplb.hpl.hp.com> writes:
    SALLE> REFERENCE: ipsec drafts, SPKI drafts PROBLEM: Is it
    SALLE> possible to use ISAKMP/Oakley to establish an SA and at the
    SALLE> same time exchange users' SPKI certificates, this in a
    SALLE> context of a Host to Host mode.

    SALLE> QUESTION: Is there any work around using SPKI certificates
    SALLE> instead of X509 certificates in ISAKMP?

    SALLE>  If no, would it be possible to use Certificate Request
    SALLE> Payload and Certificate Payload to exchange SPKI
    SALLE> certificates? Are there any drafts on that?

  There is a certificate type in ISAKMP for SPKI. The format of it has
not been defined. I would suggest that one could either put multiple
SPKI certs (in binary form), just pasted together, or better, a
(sequence ...) of them.

  See isakmp-10, page 34.

  A draft defining a SPKI certificate tag for IPsec SA's would be a
wonderful thing.

]     Internet Security. Have encryption, will travel           |1 Fish/2 Fish[
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |Red F./Blow F[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |strong crypto[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [
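
The (sequence ...) packaging suggested in the reply above, sketched as an added example that is not part of the original message or of any ISAKMP or SPKI draft. It assumes the generic payload header and the "SPKI Certificate" Cert Encoding value 9 as published in RFC 2408, and canonical S-expression encoding for the certificates; the certificate bodies are constructed placeholders.

```python
import struct

CERT_ENC_SPKI = 9  # "SPKI Certificate" Cert Encoding value (RFC 2408, section 3.9)

def csexp(node):
    """Encode bytes / nested lists as a canonical S-expression."""
    if isinstance(node, bytes):
        return b"%d:%s" % (len(node), node)
    return b"(" + b"".join(csexp(n) for n in node) + b")"

def parse_csexp(buf, pos=0):
    """Parse one canonical S-expression at pos; return (node, next_pos)."""
    if buf[pos:pos + 1] == b"(":
        pos, items = pos + 1, []
        while buf[pos:pos + 1] != b")":
            if pos >= len(buf):
                raise ValueError("unterminated list")
            item, pos = parse_csexp(buf, pos)
            items.append(item)
        return items, pos + 1
    colon = buf.index(b":", pos)          # ValueError if no length prefix
    if not buf[pos:colon].isdigit():
        raise ValueError("bad atom length")
    end = colon + 1 + int(buf[pos:colon])
    if end > len(buf):
        raise ValueError("truncated atom")
    return buf[colon + 1:end], end

def build_cert_payload(certs, next_payload=0):
    """Generic payload header + Cert Encoding octet + (sequence cert ...)."""
    body = bytes([CERT_ENC_SPKI]) + csexp([b"sequence"] + certs)
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body

def parse_cert_payload(payload):
    """Return the list of certificates, rejecting anything but one sequence."""
    if len(payload) < 5 or struct.unpack("!H", payload[2:4])[0] != len(payload):
        raise ValueError("bad payload length")
    if payload[4] != CERT_ENC_SPKI:
        raise ValueError("not an SPKI certificate payload")
    seq, end = parse_csexp(payload, 5)
    if end != len(payload) or not isinstance(seq, list) or seq[:1] != [b"sequence"]:
        raise ValueError("expected exactly one (sequence ...)")
    return seq[1:]

# Constructed placeholders, not valid SPKI certificates (no keys, no signatures).
CERT_A = [b"cert", [b"issuer", b"placeholder-key-A"], [b"subject", b"placeholder-key-B"]]
CERT_B = [b"cert", [b"issuer", b"placeholder-key-B"], [b"subject", b"placeholder-user"]]
PAYLOAD = build_cert_payload([CERT_A, CERT_B])
```

With the wrapper, the receiver can require that the Certificate Data is exactly one well-formed object and reject trailing or truncated bytes before any certificate is evaluated.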
