Re: [IPsec] #119: Which certificate types can be mixed in one exchange?

Yaron Sheffer <> Tue, 24 November 2009 17:10 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 315973A6B6F for <>; Tue, 24 Nov 2009 09:10:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.503
X-Spam-Status: No, score=-3.503 tagged_above=-999 required=5 tests=[AWL=0.095, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id kRL-7kL4mYq7 for <>; Tue, 24 Nov 2009 09:10:35 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 0406828C129 for <>; Tue, 24 Nov 2009 09:10:32 -0800 (PST)
Received: from (localhost []) by (8.12.10+Sun/8.12.10) with ESMTP id nAOH9JGs011035 for <>; Tue, 24 Nov 2009 19:09:21 +0200 (IST)
Received: from ([]) by ([]) with mapi; Tue, 24 Nov 2009 19:09:26 +0200
From: Yaron Sheffer <>
To: IPsecme WG <>
Date: Tue, 24 Nov 2009 19:09:25 +0200
Thread-Topic: #119: Which certificate types can be mixed in one exchange?
Thread-Index: AcpY7RujsaPOPWKnQK+8SRjY4rhHTgUOhcVA
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_7F9A6D26EB51614FBF9F81C0DA4CFEC801BDF88DFFE3ilex01adche_"
MIME-Version: 1.0
Subject: Re: [IPsec] #119: Which certificate types can be mixed in one exchange?
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 24 Nov 2009 17:10:40 -0000

There was very limited discussion of this issue, which I see as the main reason why Sec. 3.6 is underspecified. If my proposal below is too restrictive we can expand it somewhat but still keep the number of possible combinations at a level where testing (and interoperability) is possible.

David also asked whether we'd want to fold RFC 4806 (OCSP extensions to IKEv2) into -bis. My personal opinion is No, despite the fact that it is a Proposed Standard.

From: [] On Behalf Of Yaron Sheffer
Sent: Friday, October 30, 2009 1:18
To: IPsecme WG
Subject: [IPsec] #119: Which certificate types can be mixed in one exchange?

Should be added to Sec. 3.6, probably as a new subsection.

One Hash & URL (H&U) bundle only. Or...

One Raw RSA key, or...

One or more cert payloads of either type 4 or H&U (type 12)

Can have one or more CRLs and/or OCSP content (RFC 4806<>;) added to any of the above, except for Raw RSA.

Scanned by Check Point Total Security Gateway.