[IPsec] #120: CA indication with cert req - allowed types

Yaron Sheffer <yaronf@checkpoint.com> Thu, 29 October 2009 23:38 UTC

From: Yaron Sheffer <yaronf@checkpoint.com>
To: IPsecme WG <ipsec@ietf.org>
Date: Fri, 30 Oct 2009 01:14:56 +0200
Message-ID: <7F9A6D26EB51614FBF9F81C0DA4CFEC801BDA1213EAC@il-ex01.ad.checkpoint.com>
Subject: [IPsec] #120: CA indication with cert req - allowed types

Sec. 3.7 has:

The contents of the "Certification Authority" field are defined only for X.509 certificates, which are types 4, 10, 12, and 13. Other values SHOULD NOT be used until standards-track specifications that specify their use are published.

This excludes certificate requests of type 7, i.e. for CRLs. For requesting a specific CRL, type 7 would make sense, in particular in chain situations. Should we add it to the list of allowed types here?

OTOH, this allows type 10, which is unspecified and should be removed.
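The type list in the quoted Sec. 3.7 text is, in the end, an input-validation policy on the CERTREQ payload. The following added example (not from the draft or from the message author) builds and parses an IKEv2 Certificate Request payload as laid out in RFC 4306 Sec. 3.7, with the set of encodings for which the Certification Authority field is defined taken from the quoted draft text (4, 10, 12, 13) and made a parameter so that a receiver can be tightened (drop 10) or widened (add 7) without touching the parser. The SPKI byte strings are constructed placeholders, not real keys.

```python
"""Build and validate IKEv2 CERTREQ payloads (RFC 4306, Sec. 3.7 layout)."""
import hashlib
import struct

# Cert Encoding values from the IKEv2 registry (RFC 4306, Sec. 3.6).
X509_SIG, CRL, X509_ATTR, HASH_URL_CERT, HASH_URL_BUNDLE = 4, 7, 10, 12, 13
# Encodings for which the draft text quoted above defines the CA field.
CA_FIELD_DEFINED = frozenset({X509_SIG, X509_ATTR, HASH_URL_CERT, HASH_URL_BUNDLE})
SPKI_HASH_LEN = 20  # CA field is a list of SHA-1(SubjectPublicKeyInfo), 20 octets each


def spki_hash(spki_der: bytes) -> bytes:
    """SHA-1 over a DER SubjectPublicKeyInfo, as carried in the CA field."""
    return hashlib.sha1(spki_der).digest()


def build_certreq(encoding: int, ca_spkis: list, next_payload: int = 0) -> bytes:
    """Generic payload header (Next Payload, flags, length) + Cert Encoding + CA hashes."""
    ca_field = b"".join(spki_hash(s) for s in ca_spkis)
    body = struct.pack("!B", encoding) + ca_field
    header = struct.pack("!BBH", next_payload, 0, 4 + len(body))  # critical bit clear
    return header + body


def parse_certreq(payload: bytes, allowed=CA_FIELD_DEFINED):
    """Return (encoding, [spki_hash, ...]) or raise ValueError on a malformed/disallowed request."""
    if len(payload) < 5:
        raise ValueError("truncated CERTREQ: header and Cert Encoding octet required")
    _next, _flags, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload):
        raise ValueError("Payload Length does not match received octets")
    encoding, ca_field = payload[4], payload[5:]
    if encoding not in allowed:
        raise ValueError(f"Certification Authority field undefined for Cert Encoding {encoding}")
    if len(ca_field) % SPKI_HASH_LEN:
        raise ValueError("CA field is not a whole number of SHA-1 hashes")
    hashes = [ca_field[i:i + SPKI_HASH_LEN] for i in range(0, len(ca_field), SPKI_HASH_LEN)]
    return encoding, hashes


def is_valid_certreq(payload: bytes, allowed=CA_FIELD_DEFINED) -> bool:
    """Boolean wrapper for policy checks; swallows the parser's ValueError."""
    try:
        parse_certreq(payload, allowed)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    req = build_certreq(X509_SIG, [b"constructed-spki-A", b"constructed-spki-B"])
    print(parse_certreq(req))                                        # two 20-byte hashes
    print(is_valid_certreq(build_certreq(CRL, [b"constructed-spki-A"])))   # False under draft list
    print(is_valid_certreq(build_certreq(CRL, [b"constructed-spki-A"]), CA_FIELD_DEFINED | {CRL}))
```

Passing `CA_FIELD_DEFINED - {X509_ATTR}` or `CA_FIELD_DEFINED | {CRL}` as `allowed` models the two changes the message proposes.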