Re: [IPsec] #118: Reference for PKCS #7
Tero Kivinen <kivinen@iki.fi> Wed, 25 November 2009 15:14 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CDF1E3A684D for <ipsec@core3.amsl.com>; Wed, 25 Nov 2009 07:14:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.585
X-Spam-Level:
X-Spam-Status: No, score=-2.585 tagged_above=-999 required=5 tests=[AWL=0.014, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B5h203vWZIZG for <ipsec@core3.amsl.com>; Wed, 25 Nov 2009 07:14:20 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) by core3.amsl.com (Postfix) with ESMTP id 2427A3A6863 for <ipsec@ietf.org>; Wed, 25 Nov 2009 07:14:19 -0800 (PST)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.3/8.14.3) with ESMTP id nAPFE5Ps016270 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 25 Nov 2009 17:14:05 +0200 (EET)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.3/8.12.11) id nAPFE5OT014757; Wed, 25 Nov 2009 17:14:05 +0200 (EET)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <19213.18877.502688.416220@fireball.kivinen.iki.fi>
Date: Wed, 25 Nov 2009 17:14:05 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: Yaron Sheffer <yaronf@checkpoint.com>
In-Reply-To: <7F9A6D26EB51614FBF9F81C0DA4CFEC801BDF88E012E@il-ex01.ad.checkpoint.com>
References: <7F9A6D26EB51614FBF9F81C0DA4CFEC801BDA1213EAA@il-ex01.ad.checkpoint.com> <7F9A6D26EB51614FBF9F81C0DA4CFEC801BDF88DFFE2@il-ex01.ad.checkpoint.com> <19213.7316.277814.1281@fireball.kivinen.iki.fi> <7F9A6D26EB51614FBF9F81C0DA4CFEC801BDF88E012E@il-ex01.ad.checkpoint.com>
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 15 min
X-Total-Time: 72 min
Cc: IPsecme WG <ipsec@ietf.org>
Subject: Re: [IPsec] #118: Reference for PKCS #7
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Nov 2009 15:14:22 -0000
Yaron Sheffer writes: > No, Sec. 1.1.1 of RFC 5652 (which you are quoting) only describes > the differences between the original PKCS #7 v1.5 and RFC 2630. I took the text from RFC2630 Abstract, didn't check the later ones in that much detail to find out the changes since sections... :) > There follow a few more sections with other bells and whistles > leading to RFC 5652. Yes, but I do not think we need any of those bells and whistles. > Besides, even if the later RFCs are (mostly) *backward compatible* > with RFC 2315, they may still be adding useful stuff. This is just > speculation on my part, not actual knowledge. The PKCS#7 has been used to just put together buch of certificates and send them to other end in format that other ends certificate library can easily parse, and then take the certificates out from the PKCS#7 container and use them to validate the certificate used in the authentication. This is how it was used in IKEv1 and this is how I expect it to be used in IKEv2. I.e. it was mostly what we now have with the certificate bundle, but that ASN.1 blob was sent inband and using different format. In our IKEv1 code we just recursively went through the PKCS#7 blob and added all certificate and CRLs we found from there to the certificate manager and then tried to find suitable valid certificate based on the ID. We never had any code to send those PKCS#7 wrapped blobs, but I do remember that for some vendors that was almost the only format they supported (for certificate chains). My old isakmp test site seemed to have 26 connections using pkcs#7 format to send certs in from 5 different hosts. -- kivinen@iki.fi
- [IPsec] #118: Reference for PKCS #7 Yaron Sheffer
- Re: [IPsec] #118: Reference for PKCS #7 Russ Housley
- Re: [IPsec] #118: Reference for PKCS #7 Yaron Sheffer
- Re: [IPsec] #118: Reference for PKCS #7 Paul Hoffman
- Re: [IPsec] #118: Reference for PKCS #7 Tero Kivinen
- Re: [IPsec] #118: Reference for PKCS #7 Yaron Sheffer
- Re: [IPsec] #118: Reference for PKCS #7 Tero Kivinen