Re: [IPsec] #120: CA indication with cert req - allowed types

Yaron Sheffer <yaronf@checkpoint.com> Tue, 24 November 2009 17:10 UTC

From: Yaron Sheffer <yaronf@checkpoint.com>
To: IPsecme WG <ipsec@ietf.org>
Date: Tue, 24 Nov 2009 19:08:42 +0200
Message-ID: <7F9A6D26EB51614FBF9F81C0DA4CFEC801BDF88DFFE4@il-ex01.ad.checkpoint.com>
References: <7F9A6D26EB51614FBF9F81C0DA4CFEC801BDA1213EAC@il-ex01.ad.checkpoint.com>
In-Reply-To: <7F9A6D26EB51614FBF9F81C0DA4CFEC801BDA1213EAC@il-ex01.ad.checkpoint.com>
Subject: Re: [IPsec] #120: CA indication with cert req - allowed types

Please also see Tero's follow-up here: http://www.ietf.org/mail-archive/web/ipsec/current/msg04990.html

________________________________
From: ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org] On Behalf Of Yaron Sheffer
Sent: Friday, October 30, 2009 1:15
To: IPsecme WG
Subject: [IPsec] #120: CA indication with cert req - allowed types


Sec. 3.7 has:

The contents of the "Certification Authority" field are defined only for X.509 certificates, which are types 4, 10, 12, and 13. Other values SHOULD NOT be used until standards-track specifications that specify their use are published.

This excludes certificate requests of type 7, i.e. for CRLs. For requesting a specific CRL, type 7 would make sense, in particular in chain situations. Should we add it to the list of allowed types here?

OTOH, this allows type 10, which is unspecified and should be removed.
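As an added example, not from this thread or from any IKEv2 implementation: a small Python encoder/decoder for the CERTREQ payload that enforces the rule quoted above, accepting a Certification Authority field only for the encoding types in CA_FIELD_DEFINED. That set is a parameter, so the proposed addition of type 7 (and the removal of type 10) can be tried. It assumes the RFC 4306 layout: generic payload header, a one-byte Cert Encoding, then concatenated 20-byte SHA-1 hashes of the trust anchors' SubjectPublicKeyInfo.

```python
import hashlib
import struct

# IKEv2 Certificate Encoding values (RFC 4306, Section 3.6); 0, 5 are reserved.
CERT_ENCODING = {
    1: "PKCS #7 wrapped X.509 certificate", 2: "PGP certificate",
    3: "DNS signed key", 4: "X.509 certificate - signature",
    6: "Kerberos token", 7: "Certificate revocation list (CRL)",
    8: "Authority revocation list (ARL)", 9: "SPKI certificate",
    10: "X.509 certificate - attribute", 11: "Raw RSA key",
    12: "Hash and URL of X.509 certificate", 13: "Hash and URL of X.509 bundle",
}
# Types for which the CA field is treated as defined here. The draft text on
# the list says 4, 10, 12, 13; this example follows the message's objection to
# 10 (assumption) and leaves 7 out until the WG decides; pass `allowed` to vary.
CA_FIELD_DEFINED = frozenset({4, 12, 13})
SHA1_LEN = 20


def ca_key_hash(spki_der: bytes) -> bytes:
    """SHA-1 of a trust anchor's SubjectPublicKeyInfo DER, as CERTREQ carries it."""
    return hashlib.sha1(spki_der).digest()


def build_certreq(encoding, ca_hashes, next_payload=0, allowed=CA_FIELD_DEFINED):
    """Encode a CERTREQ: generic header (NP, C/RESERVED, length), encoding, CA field."""
    if encoding not in CERT_ENCODING:
        raise ValueError(f"unknown certificate encoding {encoding}")
    ca_field = b"".join(ca_hashes)
    if ca_field and encoding not in allowed:  # strict reading of the SHOULD NOT
        raise ValueError(f"CA field not defined for {CERT_ENCODING[encoding]}")
    length = 4 + 1 + len(ca_field)
    return struct.pack("!BBHB", next_payload, 0, length, encoding) + ca_field


def parse_certreq(payload: bytes, allowed=CA_FIELD_DEFINED):
    """Decode a CERTREQ payload and return (encoding, [ca_hash, ...])."""
    if len(payload) < 5:
        raise ValueError("CERTREQ shorter than its header")
    _np, _crit, length, encoding = struct.unpack("!BBHB", payload[:5])
    if length != len(payload):
        raise ValueError("payload length field does not match payload")
    ca_field = payload[5:]
    if not ca_field:
        return encoding, []  # empty CA field is allowed for any type
    if encoding not in allowed:
        raise ValueError(f"unexpected CA field for encoding {encoding}")
    if len(ca_field) % SHA1_LEN:
        raise ValueError("CA field is not a list of SHA-1 hashes")
    return encoding, [ca_field[i:i + SHA1_LEN] for i in range(0, len(ca_field), SHA1_LEN)]
```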


