Re: [IPsec] #120: CA indication with cert req - allowed types

Tero Kivinen <kivinen@iki.fi> Wed, 25 November 2009 12:30 UTC

Message-ID: <19213.9046.156284.824605@fireball.kivinen.iki.fi>
Date: Wed, 25 Nov 2009 14:30:14 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: Yaron Sheffer <yaronf@checkpoint.com>
In-Reply-To: <7F9A6D26EB51614FBF9F81C0DA4CFEC801BDF88DFFE4@il-ex01.ad.checkpoint.com>
References: <7F9A6D26EB51614FBF9F81C0DA4CFEC801BDA1213EAC@il-ex01.ad.checkpoint.com> <7F9A6D26EB51614FBF9F81C0DA4CFEC801BDF88DFFE4@il-ex01.ad.checkpoint.com>
Cc: IPsecme WG <ipsec@ietf.org>
Subject: Re: [IPsec] #120: CA indication with cert req - allowed types

Yaron Sheffer writes:
> Please also see Tero's follow-up here:
> http://www.ietf.org/mail-archive/web/ipsec/current/msg04990.html 

I still agree with what I said back then :-)

> Subject: [IPsec] #120: CA indication with cert req - allowed types
> 
> 
> Sec. 3.7 has:
> 
> The contents of the "Certification Authority" field are defined only
> for X.509 certificates, which are types 4, 10, 12, and 13. Other
> values SHOULD NOT be used until standards-track specifications that
> specify their use are published. 
> 
> This excludes certificate requests of type 7, i.e. for CRLs. For
> requesting a specific CRL type 7 would make sense, in particular in
> chain situations. Should we add it to the list of allowed types
> here? 
> 
> OTOH, this allows type 10, which is unspecified and should be removed.

And there is also format 14, which can also be sent as a CERTREQ; it
can have an empty Certification Authority field or it can have some
hashes of trusted responders' public keys.
-- 
kivinen@iki.fi
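As an added example (not code from the thread or from any IKEv2 implementation), here is a small receiver-side check for the CERTREQ encoding types under discussion. It follows RFC 4306 section 3.7, where the Certification Authority field for the X.509 types is a concatenation of SHA-1 hashes of trusted CAs' SubjectPublicKeyInfo, and RFC 4806, where type 14 (OCSP Content) carries either nothing or SHA-1 hashes of trusted OCSP responders' public keys. The set of types for which the field is considered defined (4, 10, 12, 13) is taken from the draft text quoted above, so it reflects the state of the discussion rather than any later decision; the SPKI blobs in the `__main__` block are constructed stand-ins, not real DER.

```python
import hashlib
import struct

# Cert Encoding values from the IKEv2 registry (RFC 4306 section 3.6;
# 14 = OCSP Content was added by RFC 4806).
CERT_ENCODINGS = {
    1: "PKCS #7 wrapped X.509 certificate",
    2: "PGP Certificate",
    3: "DNS Signed Key",
    4: "X.509 Certificate - Signature",
    6: "Kerberos Token",
    7: "Certificate Revocation List (CRL)",
    8: "Authority Revocation List (ARL)",
    9: "SPKI Certificate",
    10: "X.509 Certificate - Attribute",
    11: "Raw RSA Key",
    12: "Hash and URL of X.509 certificate",
    13: "Hash and URL of X.509 bundle",
    14: "OCSP Content",
}

# Types for which the draft text quoted in the thread defines the
# Certification Authority field: concatenated SHA-1 hashes of trusted CAs'
# SubjectPublicKeyInfo (RFC 4306 section 3.7).
X509_TYPES = {4, 10, 12, 13}
# OCSP Content: field is empty or holds SHA-1 hashes of trusted OCSP
# responders' public keys (RFC 4806).
OCSP_CONTENT = 14
SHA1_LEN = 20


def ca_hash(spki_der: bytes) -> bytes:
    """SHA-1 of a DER-encoded SubjectPublicKeyInfo, as carried in CERTREQ."""
    return hashlib.sha1(spki_der).digest()


def build_certreq(cert_encoding: int, hashes, next_payload: int = 0) -> bytes:
    """Encode a CERTREQ payload: generic header (Next Payload, C/RESERVED,
    Payload Length) followed by Cert Encoding and the CA field."""
    ca = b"".join(hashes)
    length = 4 + 1 + len(ca)          # generic header is 4 bytes, Cert Encoding 1
    return struct.pack("!BBHB", next_payload, 0, length, cert_encoding) + ca


def parse_certreq(data: bytes) -> dict:
    """Parse and sanity-check a CERTREQ payload. Structural errors raise;
    semantically odd but well-formed payloads are reported in 'problems'."""
    if len(data) < 5:
        raise ValueError("CERTREQ shorter than header + Cert Encoding")
    next_payload, flags, length, enc = struct.unpack("!BBHB", data[:5])
    if length != len(data):
        raise ValueError(f"Payload Length {length} does not match {len(data)} bytes")
    ca = data[5:]
    result = {"encoding": enc, "name": CERT_ENCODINGS.get(enc, "unassigned"),
              "critical": bool(flags & 0x80), "hashes": [], "problems": []}
    if flags & 0x7F:
        result["problems"].append("RESERVED bits set in generic header")
    if enc in X509_TYPES or enc == OCSP_CONTENT:
        # Field must be whole SHA-1 hashes; an empty field is legal and
        # means "any CA" (or, for type 14, "no responder preference").
        if len(ca) % SHA1_LEN:
            result["problems"].append(
                f"CA field length {len(ca)} is not a multiple of {SHA1_LEN}")
        else:
            result["hashes"] = [ca[i:i + SHA1_LEN]
                                for i in range(0, len(ca), SHA1_LEN)]
    elif enc in CERT_ENCODINGS:
        # Known type (e.g. 7 = CRL) whose CA field the draft leaves undefined:
        # accept an empty field, flag anything else rather than guess.
        if ca:
            result["problems"].append(
                f"CA field contents undefined for type {enc} ({result['name']})")
    else:
        result["problems"].append(f"unassigned Cert Encoding {enc}")
    return result


def matching_hashes(parsed: dict, trusted_spkis) -> list:
    """Return the trusted SPKIs (DER) whose hash the peer listed in CERTREQ."""
    wanted = set(parsed["hashes"])
    return [spki for spki in trusted_spkis if ca_hash(spki) in wanted]


if __name__ == "__main__":
    # Constructed sample: stand-in SPKI blobs (not real DER) for the demo.
    ca1, ca2 = b"constructed-spki-of-CA-1", b"constructed-spki-of-CA-2"
    req = build_certreq(4, [ca_hash(ca1), ca_hash(ca2)])
    parsed = parse_certreq(req)
    print(parsed["name"], len(parsed["hashes"]), parsed["problems"])
    print(len(matching_hashes(parsed, [ca1, b"untrusted-by-peer", ca2])))
```

The parser deliberately separates structural errors (bad Payload Length) from policy findings, so a receiver can log a type 7 CERTREQ with an unexpected CA field without tearing down the exchange, which is the conservative reading of the SHOULD NOT in the quoted text.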