Did I say either of the quotes you sent make it sound like one could not
send hash-and-URL if HTTP_CERT_LOOKUP_SUPPORTED was not received?

I said I'm confused by Tero's previous answer which makes it sound as if
such a restriction is implied.

I guess the value in the HTTP_CERT_LOOKUP_SUPPORTED notify is that you
know when it is safe to use the hash and URL encoding, but it also allows
you to send the hash and URL encoding to a peer that may have disabled that
support via a configuration option.  That doesn't seem like a good design
to me, but it's certainly flexible :>).

Dave Wierbowski







                                                                       
Paul Hoffman <paul.hoff...@vpnc.org>
Sent by: ipsec-boun...@ietf.org
05/22/2009 02:04 PM
To: David Wierbowski/Endicott/i...@ibmus
cc: [email protected], [email protected]
Subject: Re: [IPsec] HTTP_CERT_LOOKUP_SUPPORTED question




At 12:08 PM -0400 5/22/09, David Wierbowski wrote:
>Paul,
>
>Thanks, but now I'm confused by an answer Tero provided to a slightly
>different question back in July of 2007 (subject [Ipsec] Comments on
>draft-hoffman-ikev2bis-01.txt). From Tero's answer I had expected to see
>something that would disallow using those encoding types if you did not
>receive the HTTP_CERT_LOOKUP_SUPPORTED. See below.

I cannot speak for Tero. I can only say what is in the RFC and the current
draft. Did either of the quotes I sent make it sound like one could not
send hash-and-URL if HTTP_CERT_LOOKUP_SUPPORTED was not received?

At 5:05 PM +0300 7/19/07, Tero Kivinen wrote:
>HTTP_CERT_LOOKUP_SUPPORTED is not extraneous, as it tells whether the
>other end is CONFIGURED to allow HTTP lookups for the certificates.

While that is true, a peer is not required to send it if that peer is
configured to allow HTTP lookups.

--Paul Hoffman, Director
--VPN Consortium
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
