Re: [IPsec] #119: Which certificate types can be mixed in one exchange?

David Wierbowski <wierbows@us.ibm.com> Fri, 30 October 2009 22:24 UTC

In-Reply-To: <7F9A6D26EB51614FBF9F81C0DA4CFEC801BDA1213EAB@il-ex01.ad.checkpoint.com>
References: <7F9A6D26EB51614FBF9F81C0DA4CFEC801BDA1213EAB@il-ex01.ad.checkpoint.com>
To: IPsecme WG <ipsec@ietf.org>
Message-ID: <OFFDC7DB5B.2E4486DD-ON8525765F.00791E79-8525765F.007B12D7@us.ibm.com>
From: David Wierbowski <wierbows@us.ibm.com>
Date: Fri, 30 Oct 2009 18:24:18 -0400
Subject: Re: [IPsec] #119: Which certificate types can be mixed in one exchange?

> Should be added to Sec. 3.6, probably as a new subsection.


> One Hash & URL (H&U) bundle only. Or...


> One Raw RSA key, or...


> One or more cert payloads of either type 4 or H&U (type 12)


I think there are cases where it makes sense to send any combination of
types 7, 12, and 13.  I do not think we should restrict which of those
certificate types can be mixed in one exchange.


> Can have one or more CRLs and/or OCSP content (RFC 4806) added to any of
> the above, except for Raw RSA.

I thought sending CRLs inline was strongly discouraged, but I agree that
if an implementation sends them that it would be logical to include one or
more CRLs.

Are we planning on updating the list of certificate encoding types to
include type 14 (OCSP content)?  If yes then I do not see that in the
current bis draft.

Dave Wierbowski

z/OS Comm Server Developer

Phone:
    Tie line:   620-4055
    External:  607-429-4055
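As an added illustration (not code from the thread or from any IKEv2 implementation), here is a receiver-side check of which CERT payload encoding types appear together in one exchange, once as the quoted proposal states it and once with the relaxed 7/12/13 mixing argued for in the reply. The encoding numbers are the IKEv2 registry values (Raw RSA Key = 11 and OCSP Content = 14 are taken from the registry, not from the thread); the rule sets, the function name and the decision to keep type 4 apart from type 13 even in relaxed mode are this example's own assumptions.

```python
from collections import Counter

# IKEv2 Certificate Encoding values referred to in the thread
# (Raw RSA Key = 11 and OCSP Content = 14 are the registry values)
X509_SIG, CRL, RAW_RSA, HU_CERT, HU_BUNDLE, OCSP = 4, 7, 11, 12, 13, 14
REVOCATION = {CRL, OCSP}
END_ENTITY = {X509_SIG, RAW_RSA, HU_CERT, HU_BUNDLE}


def check_cert_set(encodings, allow_mixed_hu=False):
    """Classify the CERT encoding types seen in one exchange.

    Returns (ok, reason). Strict mode encodes the quoted proposal: exactly
    one H&U bundle, or one Raw RSA key, or one or more type-4/type-12
    payloads, with CRL/OCSP content allowed alongside anything but Raw RSA.
    allow_mixed_hu=True follows the reply's position that types 7, 12 and
    13 may be combined; type 4 is still kept apart from 13 (our assumption).
    """
    counts = Counter(encodings)
    revocation = [e for e in encodings if e in REVOCATION]
    identity = [e for e in encodings if e not in REVOCATION]
    unknown = sorted(set(identity) - END_ENTITY)
    if unknown:
        return False, f"encoding type(s) {unknown} not covered by the rule"
    if not identity:
        return False, "no certificate or key payload"
    if RAW_RSA in counts:
        # a Raw RSA key carries no chain to revoke, so nothing may accompany it
        if len(identity) > 1 or revocation:
            return False, "Raw RSA key must be the only CERT payload"
        return True, "single Raw RSA key"
    if HU_BUNDLE in counts:
        if not allow_mixed_hu and len(identity) > 1:
            return False, "H&U bundle must not be mixed with other cert payloads"
        if allow_mixed_hu and X509_SIG in counts:
            return False, "H&U bundle mixed with inline type-4 certificates"
        mixed = " mixed with H&U certs" if HU_CERT in counts else ""
        return True, "H&U bundle" + mixed
    return True, "one or more type-4 / type-12 certificate payloads"
```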