[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Work around using SPKI certificates instead of X509
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "SALLE" == SALLE Mathias <matsal@hplb.hpl.hp.com> writes:
SALLE> REFERENCE: ipsec drafts, SPKI drafts PROBLEM: Is it
SALLE> possible to use ISAKMP/Oakley to establish an SA and at the
SALLE> same time exchange users SPKI certificates, this in a
SALLE> context of a Host to Host mode.
SALLE> QUESTION: Is there any work around using SPKI certificates
SALLE> instead of X509 certificates in ISAKMP?
SALLE> If no, would it be possible to use Certificate Request
SALLE> Payload and Certificate Payload to exchange SPKI
SALLE> certificates? Is there any drafts on that?
There is a certificate type in ISAKMP for SPKI. The format of it has
not been defined. I would suggest that one could either put multiple
SPKI certs (in binary form), just pasted together, or better, a
(sequence ...) of them.
See isakmp-10, page 34.
A draft defining a SPKI certificate tag for IPsec SA's would be a
wonderful thing.
] Internet Security. Have encryption, will travel |1 Fish/2 Fish[
] Michael Richardson, Sandelman Software Works, Ottawa, ON |Red F./Blow F[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |strong crypto[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface
iQBVAwUBNlYI5B4XQavxnHg9AQFjGAH/U9TqPbOfjpI8X8GTO/fbqe8mBfoihf6/
O2rgrDzlEQGw9GxmBat7hI5AvfSRG01s5Sik1rPGdHlKPi+dQToSFQ==
=Pxxs
-----END PGP SIGNATURE-----