ISAKMP/Oakley - Certificate exchange
"John Irish" <irishjd@erols.com> Wed, 25 November 1998 15:36 UTC
Received: by portal.ex.tis.com (8.9.1/8.9.1) id KAA19464 for ipsec-outgoing; Wed, 25 Nov 1998 10:36:29 -0500 (EST)
Message-ID: <001601be188b$ebcc2d20$0100010a@irish1>
From: John Irish <irishjd@erols.com>
To: Dave Clark <dac@lucent.com>
Cc: IPSEC <ipsec@tis.com>
Subject: ISAKMP/Oakley - Certificate exchange
Date: Wed, 25 Nov 1998 10:54:42 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3110.1
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
(I changed the Subject description to better reflect the change in topic)

Within the IKE spec <draft-ietf-ipsec-isakmp-oakley-08.txt>, Section 5.2 - Authentication with Public Key Encryption, the 2nd paragraph states:

"In order to perform public key encryption, the initiator must already have the responder's public key."

My statement should have indicated that the initiator cannot issue a certificate request based upon the statement above. It would appear, although it is not stated, that in Main mode the responder could include a certificate request with the first response packet which includes the SA payload. It is not clear why the initiator could not include a certificate request with the very first packet, and the responder include its certificate plus a certificate request in the first response packet. Part of the reason may be that system identities would be revealed by the certificate exchange in Main mode. In addition, the certificate needed by the initiator may depend upon the proposal selected by the responder, thus making a certificate request in the first packet premature (I'm guessing here). Does anyone have an answer to this?

    HDR, SA, CertReq                                  -->
                                   <-- HDR, SA, CERT, CertReq
    HDR, KE, CERT, <IDii_b>PubKey_r, <Ni_b>PubKey_r   -->
                                   <-- HDR, KE, <IDir_b>PubKey_i, <Nr_b>PubKey_i
    HDR, HASH_I                                       -->
                                   <-- HDR, HASH_R

John

-----Original Message-----
From: Dave Clark <dac@lucent.com>
To: John Irish <irishjd@erols.com>
Date: Wednesday, November 25, 1998 9:27 AM
Subject: Re: ISAKMP Extended Authentication

Hello John;

At 04:00 PM 11/24/98 , you wrote:
>Assuming a certificate push were permitted with the first "HDR, SA" packet,
>how would the initiator know which CA and certificate type was acceptable to
>the responder? Per the IKE spec, issuing a certificate request, when using
>public key encryption for authentication in Phase 1, is not supported.

I'm new to IKE; forgive me if the answer to this question is obvious ;-) ... where does it say this in the IKE spec?

- thanks for your help; Dave Clark
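The exchange sketched in the message above, modelled as an added example (not code from the thread or from any IKE implementation): the responder's CERT rides in message 2 so the initiator holds PubKey_r before it must encrypt IDii_b and Ni_b in message 3, and the responder picks up PubKey_i from the CERT in message 3. Assumptions: textbook RSA on Mersenne primes stands in for the peers' public keys, the KE values are constructed placeholders (no real Diffie-Hellman), and SKEYID/HASH_I/HASH_R follow the IKE definitions for public-key-encryption authentication as published in RFC 2409 with HMAC-SHA1 as the prf.

```python
import hashlib, hmac, os

# Toy textbook RSA (no padding) on Mersenne primes: stand-in for PubKey_r / PubKey_i.
def keygen(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def pk_encrypt(pub, data):                  # <data>PubKey in the spec's notation
    assert len(data) <= 18                  # 1 length byte + data stays below the smallest toy modulus
    return pow(int.from_bytes(bytes([len(data)]) + data, "big"), pub[1], pub[0])

def pk_decrypt(priv, c):
    raw = pow(c, priv[1], priv[0]).to_bytes(32, "big").lstrip(b"\0")   # first byte is the length
    return raw[1:1 + raw[0]]

def prf(key, data):                         # IKE prf instantiated as HMAC-SHA1
    return hmac.new(key, data, hashlib.sha1).digest()

def main_mode_pke(id_i, id_r, sa_i_b, cert_in_msg2=True):
    """Run the six-message Main Mode exchange with public-key-encryption authentication."""
    pub_i, priv_i = keygen(2**107 - 1, 2**61 - 1)   # initiator's toy key pair
    pub_r, priv_r = keygen(2**127 - 1, 2**89 - 1)   # responder's toy key pair
    cky_i, cky_r = os.urandom(8), os.urandom(8)     # ISAKMP cookies
    gxi, gxr = os.urandom(16), os.urandom(16)       # constructed KE payloads (placeholder, not DH)
    ni, nr = os.urandom(16), os.urandom(16)         # nonces Ni_b, Nr_b
    # msg1: HDR, SA, CertReq -->        msg2: <-- HDR, SA, CERT, CertReq
    msg2 = {"SA": sa_i_b, "CertReq": True, **({"CERT": pub_r} if cert_in_msg2 else {})}
    if "CERT" not in msg2:   # Section 5.2: the initiator must already hold PubKey_r to build msg3
        raise RuntimeError("initiator lacks PubKey_r; cannot encrypt IDii_b and Ni_b")
    # msg3: HDR, KE, CERT, <IDii_b>PubKey_r, <Ni_b>PubKey_r -->
    msg3 = {"KE": gxi, "CERT": pub_i, "ID": pk_encrypt(msg2["CERT"], id_i), "N": pk_encrypt(msg2["CERT"], ni)}
    r_id_i, r_ni = pk_decrypt(priv_r, msg3["ID"]), pk_decrypt(priv_r, msg3["N"])
    # msg4: <-- HDR, KE, <IDir_b>PubKey_i, <Nr_b>PubKey_i   (PubKey_i taken from the CERT in msg3)
    msg4 = {"KE": gxr, "ID": pk_encrypt(msg3["CERT"], id_r), "N": pk_encrypt(msg3["CERT"], nr)}
    i_id_r, i_nr = pk_decrypt(priv_i, msg4["ID"]), pk_decrypt(priv_i, msg4["N"])
    # SKEYID for this mode = prf(hash(Ni_b | Nr_b), CKY-I | CKY-R); each side uses the nonce it recovered
    skeyid_i = prf(hashlib.sha1(ni + i_nr).digest(), cky_i + cky_r)
    skeyid_r = prf(hashlib.sha1(r_ni + nr).digest(), cky_i + cky_r)
    # msg5: HDR, HASH_I -->        msg6: <-- HDR, HASH_R
    hash_i = prf(skeyid_i, gxi + msg4["KE"] + cky_i + cky_r + sa_i_b + id_i)
    hash_r = prf(skeyid_r, gxr + msg3["KE"] + cky_r + cky_i + sa_i_b + id_r)
    ok_i = hmac.compare_digest(hash_i, prf(skeyid_r, msg3["KE"] + gxr + cky_i + cky_r + sa_i_b + r_id_i))
    ok_r = hmac.compare_digest(hash_r, prf(skeyid_i, msg4["KE"] + gxi + cky_r + cky_i + sa_i_b + i_id_r))
    return {"responder_saw_id_i": r_id_i, "initiator_saw_id_r": i_id_r, "hash_i_ok": ok_i, "hash_r_ok": ok_r}
```

Setting cert_in_msg2=False reproduces the dependency the post points at: without PubKey_r the initiator has nothing to encrypt message 3 under, and the exchange stops before any identity is sent.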