RE: Query on draft-ietf-ipsec-pki-req-03.txt

"Walker, Jesse" <jesse.walker@intel.com> Tue, 19 October 1999 18:50 UTC

Message-ID: <392A357CE6FFD111AC3E00A0C99848B002242C5A@hdsmsx31.hd.intel.com>
From: "Walker, Jesse" <jesse.walker@intel.com>
To: 'Greg Carter' <greg.carter@entrust.com>, "'ipsec@lists.tislabs.com'" <ipsec@lists.tislabs.com>
Subject: RE: Query on draft-ietf-ipsec-pki-req-03.txt
Date: Tue, 19 Oct 1999 10:17:04 -0700

Greg,

Yes, I know; a lot of implementations do forward CRLs as part of their
negotiations. The question is whether this must be required. If the draft
requires all implementations do certificate validation, then I don't see how
conformance is possible unless the draft also requires implementations to
pass CRLs.

-- Jesse

-----Original Message-----
From: Greg Carter [mailto:greg.carter@entrust.com]
Sent: Tuesday, October 19, 1999 9:33 AM
To: 'Walker, Jesse'; 'ipsec@lists.tislabs.com'
Subject: RE: Query on draft-ietf-ipsec-pki-req-03.txt


Hi Jesse,

Yes, if you receive a certificate request with type CRL then you should send
the CRL that your certificate would be put on were it to be revoked (follow?
:) ).  Many implementations are doing this.  Of course this requires that at
least one end of the negotiation has access to the CRL repository.
Bye.

Greg Carter
Entrust Technologies - http://www.entrust.com
http://www.ford-trucks.com/articles/buildup/dana60.html


-----Original Message-----
From: Walker, Jesse [mailto:jesse.walker@intel.com]
Sent: Tuesday, October 19, 1999 10:56 AM
To: 'ipsec@lists.tislabs.com'
Subject: Query on draft-ietf-ipsec-pki-req-03.txt


or the security gateway's cert gets validated. Maybe we need to require
implementations to send the latest CRL known to them during the IKE phase 1
negotiation?