Query on draft-ietf-ipsec-pki-req-03.txt
"Walker, Jesse" <jesse.walker@intel.com> Tue, 19 October 1999 16:36 UTC
Message-ID: <392A357CE6FFD111AC3E00A0C99848B002242C56@hdsmsx31.hd.intel.com>
From: "Walker, Jesse" <jesse.walker@intel.com>
To: "'ipsec@lists.tislabs.com'" <ipsec@lists.tislabs.com>
Subject: Query on draft-ietf-ipsec-pki-req-03.txt
Date: Tue, 19 Oct 1999 07:55:54 -0700
Gents,

The draft includes the following text in Section 2:

   IKE systems conforming to this profile MUST check the revocation status
   of any certificate on which they rely, using the algorithm described in
   the PKIX certificate profile. Thus, every conforming IKE system MUST
   have a method for receiving up-to-date revocation information for the
   certificates it is validating.

What do you intend this to mean in the remote access case? One normal operational scenario will have the CRL distribution point the remote IPSec host needs to validate the security gateway's certificate behind the security gateway. In such a case, unless it has already obtained the CRL via an alternate channel, the remote host will be unable to meet the above requirement. Seemingly the best that it could be able to do is to establish IKE and IPSec security associations, then attempt to obtain the CRL, and then decide what to do on the basis of whether or not it could get the CRL or the security gateway's cert gets validated.

Maybe we need to require implementations to send the latest CRL known to them during the IKE phase 1 negotiation?
- Query on draft-ietf-ipsec-pki-req-03.txt Walker, Jesse
- RE: Query on draft-ietf-ipsec-pki-req-03.txt Greg Carter
- RE: Query on draft-ietf-ipsec-pki-req-03.txt Walker, Jesse
- RE: Query on draft-ietf-ipsec-pki-req-03.txt Walker, Jesse
- Re: Query on draft-ietf-ipsec-pki-req-03.txt Paul Hoffman