[IPsec] #120: CA indication with cert req - allowed types
Tero Kivinen <kivinen@iki.fi> Fri, 30 October 2009 14:32 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 113F53A69B9 for <ipsec@core3.amsl.com>; Fri, 30 Oct 2009 07:32:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.511
X-Spam-Level:
X-Spam-Status: No, score=-2.511 tagged_above=-999 required=5 tests=[AWL=0.088, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mUkLTjHPsLqH for <ipsec@core3.amsl.com>; Fri, 30 Oct 2009 07:32:55 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) by core3.amsl.com (Postfix) with ESMTP id D2E283A67B6 for <ipsec@ietf.org>; Fri, 30 Oct 2009 07:32:54 -0700 (PDT)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.3/8.13.8) with ESMTP id n9UEX5S7009401 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 30 Oct 2009 16:33:05 +0200 (EET)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.3/8.12.11) id n9UEX5WJ008973; Fri, 30 Oct 2009 16:33:05 +0200 (EET)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <19178.63776.974040.367597@fireball.kivinen.iki.fi>
Date: Fri, 30 Oct 2009 16:33:04 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: Yaron Sheffer <yaronf@checkpoint.com>
In-Reply-To: <7F9A6D26EB51614FBF9F81C0DA4CFEC801BDA1213EAC@il-ex01.ad.checkpoint.com>
References: <7F9A6D26EB51614FBF9F81C0DA4CFEC801BDA1213EAC@il-ex01.ad.checkpoint.com>
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 15 min
X-Total-Time: 25 min
Cc: IPsecme WG <ipsec@ietf.org>
Subject: [IPsec] #120: CA indication with cert req - allowed types
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Oct 2009 14:32:56 -0000
Yaron Sheffer writes: > Sec. 3.7 has: > > The contents of the "Certification Authority" field are defined only > for X.509 certificates, which are types 4, 10, 12, and 13. Other > values SHOULD NOT be used until standards-track specifications that > specify their use are published. This is clearly wrong and is not present in the RFC4306. There is two meanings for the certificate request payload, one is to specify preferred format in which certificates are requested and another is to tell which authority the certificate is wanted from. So if someone wants to have certificate payloads in raw rsa format, he should be able to give certificate request with encoding of type 11 and with empty authority field (as for raw rsa keys there is no authority field). Also as the certificate request is just hint the contents of the authority field is not that important, it is there just in case the other end happens to have MULTIPLE "certificates" it could use and needs to decide which of them to use. If it has only one of the requested format then it should send it regardless what the authority field said. So the text most likely should say that "For other values the certificate authority field contents is not defined, and can be anything (or empty) until specifications that specify their contents is published." > This excludes certificate requests of type 7, i.e. for CRLs. For > requesting a specific CRL type 7 would make sense, in particular in > chain situations. Should we add it to the list of allowed types > here? Giving certificate authorities for the CRLs is usually no operation as it will be the same as the ones for X.509 certificates (usually hosts do trust same CAs for certificates and CRLs, they do not have separate sets of authorities for those two uses). So in most cases certificate request of type 7 is just indicating that other end would like to have CRLs inline also if possible in addition to certificates, and the authority field could be empty there. This kind of telling only the format not the exact authority is inherited from the IKEv1 and is specified for example in the RFC4945 section 3.2.7.2. I think we had discussion about this when we were specifying IKEv2 as some people wanted to disallow it but I think we decided to allow it (at least I couldn't find text in the RFC4306 which would disallow it). > OTOH, this allows type 10, which is unspecified and should be > removed. Most likely. -- kivinen@iki.fi
- [IPsec] #120: CA indication with cert req - allow… Yaron Sheffer
- [IPsec] #120: CA indication with cert req - allow… Tero Kivinen
- Re: [IPsec] #120: CA indication with cert req - a… David Wierbowski
- Re: [IPsec] #120: CA indication with cert req - a… David Wierbowski
- Re: [IPsec] #120: CA indication with cert req - a… Tero Kivinen
- Re: [IPsec] #120: CA indication with cert req - a… Yaron Sheffer
- Re: [IPsec] #120: CA indication with cert req - a… Tero Kivinen