Re: draft-ietf-ipsec-pki-profile-01.txt

"Housley, Russ" <rhousley@rsasecurity.com> Fri, 15 November 2002 21:04 UTC

Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.11.6/8.11.3) with ESMTP id gAFL49g10662; Fri, 15 Nov 2002 13:04:09 -0800 (PST)
Received: by lists.tislabs.com (8.9.1/8.9.1) id PAA27367 Fri, 15 Nov 2002 15:41:59 -0500 (EST)
From: "Housley, Russ" <rhousley@rsasecurity.com>
To: Brian Korver <briank@xythos.com>
Cc: ipsec@lists.tislabs.com
Message-Id: <5.1.0.14.2.20021115153451.03449648@exna07.securitydynamics.com>
X-Sender: rhousley@exna07.securitydynamics.com
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Fri, 15 Nov 2002 15:38:54 -0500
Subject: Re: draft-ietf-ipsec-pki-profile-01.txt
In-Reply-To: <B482E888-F8D4-11D6-A746-000393751598@xythos.com>
References: <5.1.0.14.2.20021115115152.03435ac8@exna07.securitydynamics.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk

Brian:

Ref: section 3.3.11.3

>If trust anchors can be self-signed, what is wrong with
>pointing this out?  IMHO it makes the example clearer,
>as I'm pointing out that CA3 may actually NOT be
>self-signed.

The document says:

    Imagine that an implementation has previously received and cached the
    peer certificate chain R->CA1->CA2->EE. If during a subsequent
    exchange this implementation sends a CERTREQ containing the Subject
    Name in certificate R, this implementation is requesting that the
    peer send at least 3 certificates: CA1, CA2, and EE. On the other
    hand, if this implementation also sends a CERTREQ containing the
    Subject Name of CA2, the implementation is providing a hint that only 1
    certificate needs to be sent: EE.

This is fine.  For some reason, I misread it, and thought that in the first 
case the certificate for R was being transmitted.  Upon rereading it, I see 
otherwise.  My objections dealt with the transmission of the certificate for R.

Sorry for the confusion,
   Russ
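
The CERTREQ hint semantics quoted from the draft, worked through in code as an added example (not part of the draft or this thread). The chain R->CA1->CA2->EE is the draft's own; the tuple representation and the function name are assumptions made here.

```python
# Added example: which certificates a peer must send in response to the
# Subject Names carried in CERTREQ payloads, following the example in
# draft-ietf-ipsec-pki-profile section 3.3.11.3.

# Constructed sample chain from the draft's example: trust anchor R, then
# CA1, CA2 and the end-entity EE. Each entry is (subject, issuer).
CHAIN = [("R", "R"), ("CA1", "R"), ("CA2", "CA1"), ("EE", "CA2")]


def check_chain(chain):
    """Raise ValueError unless each certificate is issued by the one above it."""
    for i in range(1, len(chain)):
        if chain[i][1] != chain[i - 1][0]:
            raise ValueError(f"{chain[i][0]} is not issued by {chain[i - 1][0]}")


def certs_to_send(chain, certreq_subjects):
    """Return the certificates to send given the Subject Names in CERTREQs.

    Each CERTREQ names a certificate the requester already holds, so only
    the certificates below it in the chain are needed. When several
    CERTREQs match, the one naming the deepest certificate wins because it
    leaves the least to send. The named certificate itself is never sent
    (the point clarified in the thread above): naming R yields CA1, CA2, EE,
    naming CA2 yields EE, and naming EE yields nothing. Returns None when no
    CERTREQ names a certificate in this chain, i.e. the hint is unusable.
    """
    check_chain(chain)
    subjects = [subject for subject, _issuer in chain]
    deepest = None
    for name in certreq_subjects:
        if name in subjects:
            idx = subjects.index(name)
            if deepest is None or idx > deepest:
                deepest = idx
    if deepest is None:
        return None
    return subjects[deepest + 1:]


if __name__ == "__main__":
    print(certs_to_send(CHAIN, ["R"]))          # ['CA1', 'CA2', 'EE']
    print(certs_to_send(CHAIN, ["R", "CA2"]))   # ['EE']
    print(certs_to_send(CHAIN, ["OtherCA"]))    # None
```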