Paul Hoffman wrote:
> At 12:53 AM +0300 5/11/09, Yoav Nir wrote:
> >Paul Hoffman wrote:
> >>
> >> At 2:08 PM +0300 5/10/09, Yoav Nir wrote:
> >> >Hi all
> >> >
> >> >I've submitted issue #107 about certificate encoding.
> >> >
> >> >IMO it's not clear how certificate chains are to be encoded in IKEv2.
> >> >
> >> >http://trac.tools.ietf.org/wg/ipsecme/trac/ticket/107
> >>
> >> That would be the CertBundle, also described in section 3.6.
> >>
> >> --Paul Hoffman, Director
> >> --VPN Consortium
> >
> >And there's the problem. There is no certificate payload encoding for a certificate bundle. Only hash-and-URL.
> >
> >So what do I do if the peer sent a certificate request for the root CA, and I have a certificate by a sub-CA, and we don't use hash-and-URL? I can't use a bundle in a Type #4 encoding, but I do need to send the subordinate CA certificate as well.
>
> You can:
>
> a) start using hash-and-url
>
> b) hope your peer has the sub-CA
>
> c) write an extension to 4306 that allows bundles in CERT
>
> Doing (a) is the most interoperable, but you're probably safe with (b) in a typical closed network.
Or I can go with option (d) and send multiple CERT payloads, as Pasi suggested here: http://www.vpnc.org/ietf-ipsec/04.ipsec/msg01022.html (thanks, Yaron)

Either way, we should have it clear what is and is not allowed in section 3.6.

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
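As an added example, not code from this thread or from any IKEv2 implementation: a small Python encoder and parser for RFC 4306 section 3.6 CERT payloads that puts option (d) (one Type 4 CERT payload per certificate in the chain, linked through the Next Payload field) beside option (a) (a single Type 13 hash-and-URL payload whose Certificate Data is the 20-octet SHA-1 of a CertBundle followed by its URL). It also includes the receive-side check a practitioner wants, namely that a Type 4 payload carries exactly one DER SEQUENCE, since the spec gives no way to put a bundle in that encoding. The certificate bytes, the bundle blob and the URL are constructed placeholders, not real X.509 data, and the "fetched" bundle is passed in as bytes rather than retrieved over HTTP; the end-entity-first ordering is what RFC 5996 later mandated.

```python
import hashlib
import struct

# IKEv2 payload type for CERT and the "no next payload" terminator (RFC 4306, section 3.2).
PAYLOAD_TYPE_CERT = 37
NO_NEXT_PAYLOAD = 0

# Cert Encoding values from RFC 4306, section 3.6 (only the ones this example needs).
ENC_X509_SIGNATURE = 4     # Certificate Data is one DER-encoded X.509 certificate
ENC_HASH_URL_CERT = 12     # 20-octet SHA-1 hash + URL of one certificate
ENC_HASH_URL_BUNDLE = 13   # 20-octet SHA-1 hash + URL of a CertBundle
HEADER_LEN = 5             # 4-octet generic payload header + 1-octet Cert Encoding


def encode_cert_payload(next_payload, cert_encoding, cert_data):
    """One CERT payload: Next Payload, C/RESERVED, Payload Length, Cert Encoding, data."""
    length = HEADER_LEN + len(cert_data)
    if length > 0xFFFF:
        raise ValueError("certificate data too large for a single payload")
    return struct.pack("!BBHB", next_payload, 0, length, cert_encoding) + cert_data


def encode_chain_as_cert_payloads(chain_der, next_payload=NO_NEXT_PAYLOAD):
    """Option (d): one Type 4 CERT payload per certificate, chained via Next Payload.

    The end-entity certificate goes first; RFC 5996 later made that a MUST
    (the first CERT must hold the key that signed AUTH)."""
    out = b""
    for i, der in enumerate(chain_der):
        nxt = PAYLOAD_TYPE_CERT if i < len(chain_der) - 1 else next_payload
        out += encode_cert_payload(nxt, ENC_X509_SIGNATURE, der)
    return out


def encode_hash_and_url(next_payload, cert_encoding, blob, url):
    """Option (a): Certificate Data is the 20-octet SHA-1 of the DER blob, then the URL."""
    if cert_encoding not in (ENC_HASH_URL_CERT, ENC_HASH_URL_BUNDLE):
        raise ValueError("hash-and-URL data only belongs in encodings 12 and 13")
    return encode_cert_payload(next_payload, cert_encoding,
                               hashlib.sha1(blob).digest() + url.encode("ascii"))


def parse_cert_payloads(buf):
    """Walk consecutive CERT payloads; return [(cert_encoding, certificate_data), ...]."""
    out, off, ptype = [], 0, PAYLOAD_TYPE_CERT
    while ptype == PAYLOAD_TYPE_CERT:
        if off + HEADER_LEN > len(buf):
            raise ValueError("truncated CERT payload header")
        nxt, _flags, length, enc = struct.unpack_from("!BBHB", buf, off)
        if length < HEADER_LEN or off + length > len(buf):
            raise ValueError("CERT payload length does not fit the buffer")
        out.append((enc, buf[off + HEADER_LEN:off + length]))
        off += length
        ptype = nxt
    return out


def is_single_der_sequence(data):
    """True if data is exactly one DER SEQUENCE (one certificate), not a concatenated bundle."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:
        body_len, hdr = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        body_len, hdr = int.from_bytes(data[2:2 + n], "big"), 2 + n
    return hdr + body_len == len(data)


def verify_hash_and_url(data, fetched_blob):
    """Split a type 12/13 payload into (hash matches?, url). Check the hash before parsing the blob."""
    if len(data) < 20:
        raise ValueError("hash-and-URL payload shorter than a SHA-1 digest")
    expected, url = data[:20], data[20:].decode("ascii")
    return hashlib.sha1(fetched_blob).digest() == expected, url


# Constructed placeholders (not real certificates): each is a tiny DER SEQUENCE.
def der_seq(body):
    return b"\x30" + bytes([len(body)]) + body  # short-form length only (body < 128 octets)

EE_CERT = der_seq(b"\x04\x02EE")          # stands in for the end-entity certificate
SUBCA_CERT = der_seq(b"\x04\x05SUBCA")    # stands in for the subordinate CA certificate
BUNDLE = der_seq(EE_CERT + SUBCA_CERT)    # stands in for a DER CertBundle of both
BUNDLE_URL = "http://example.com/bundle"  # hypothetical URL

if __name__ == "__main__":
    chain = encode_chain_as_cert_payloads([EE_CERT, SUBCA_CERT])
    print(parse_cert_payloads(chain))
    hu = encode_hash_and_url(NO_NEXT_PAYLOAD, ENC_HASH_URL_BUNDLE, BUNDLE, BUNDLE_URL)
    print(verify_hash_and_url(parse_cert_payloads(hu)[0][1], BUNDLE))
```

On the receiving side the two checks matter in different ways: a Type 4 payload that fails `is_single_der_sequence` is a peer trying to smuggle a bundle into an encoding that has no room for one and should be rejected rather than parsed leniently, and for Type 12/13 the blob fetched from the URL must match the 20-octet hash before any X.509 parsing is attempted, since the URL is under the peer's control.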