Re: [IPsec] #107: Sending certificate chains in IKEv2

2009-08-27 Thread David Wierbowski
>David Wierbowski writes: >> I agree with Tero that Yoav's proposed text adds clarity and effectively it >> does not add a new MUST; however, to address Paul's concern can we just >> change the words "MUST be" to the word "are" or lower case "should be?" >> For example: >> >>o X.509 Certifica

Re: [IPsec] #107: Sending certificate chains in IKEv2

2009-08-27 Thread Yaron Sheffer
to do. Thanks, Yaron > -Original Message- > From: Tero Kivinen [mailto:kivi...@iki.fi] > Sent: Thursday, August 27, 2009 9:57 > To: David Wierbowski > Cc: ipsec@ietf.org; ipsec-boun...@ietf.org; Yaron Sheffer > Subject: Re: [IPsec] #107: Sending certificate chai

Re: [IPsec] #107: Sending certificate chains in IKEv2

2009-08-26 Thread Tero Kivinen
David Wierbowski writes: > I agree with Tero that Yoav's proposed text adds clarity and effectively it > does not add a new MUST; however, to address Paul's concern can we just > change the words "MUST be" to the word "are" or lower case "should be?" > For example: > >o X.509 Certificate - Si

Re: [IPsec] #107: Sending certificate chains in IKEv2

2009-08-26 Thread Yaron Sheffer
Yaron > -Original Message- > From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of > Yoav Nir > Sent: Wednesday, August 26, 2009 16:54 > To: Tero Kivinen > Cc: ipsec@ietf.org > Subject: Re: [IPsec] #107: Sending certificate chains in IKEv2 > > G

Re: [IPsec] #107: Sending certificate chains in IKEv2

2009-08-26 Thread David Wierbowski
[Only mail-header fragments of this message survived: addressed to Yaron Sheffer, cc "ipsec@ietf.org", 08/26/2009 09:42.]

Re: [IPsec] #107: Sending certificate chains in IKEv2

2009-08-26 Thread David Wierbowski
We use multiple certificate payloads when using X.509 Certificate - Signature (4) encoding. I do not really see how this could be questioned. RFC 4306 clearly says X.509 Certificate - Signature (4) encoding contains a single certificate as pointed out below. The logical conclusion is that if y

[IPsec] #107: Sending certificate chains in IKEv2

2009-08-26 Thread Tero Kivinen
Yaron Sheffer writes: > What this doesn't say is how we send this chain of certificates. Is it > multiple separate CERT payloads (in that case it should say so) or is it a > single CERT payload (and then we should also say so) If you use format that can only store one certificate (for example X.5

Re: [IPsec] #107: Sending certificate chains in IKEv2

2009-08-26 Thread Yoav Nir
Good. So how about we close this issue by adding the last sentence below: If multiple certificates are sent, the first certificate MUST contain the public key used to sign the AUTH payload. The other certificates may b

Re: [IPsec] #107: Sending certificate chains in IKEv2

2009-08-26 Thread Tero Kivinen
Martin Willi writes: > It is not even clear from the spec how to encode multiple certificates > in a single cert payload with type 4 (just concatenate?). There is no way to encode more than one certificate with X.509 Certificate - Signature (#4) format in one certificate payload. -- kivi...@iki.

Re: [IPsec] #107: Sending certificate chains in IKEv2

2009-08-26 Thread Martin Willi
Hi, > Input from actual implementations (and bakeoffs) will be most valuable > here. We and I think all vendors I have tested against use multiple certificate payloads (however, multi-level CA is a feature not tested with many participants). It is not even clear from the spec how to encode multi

[IPsec] #107: Sending certificate chains in IKEv2

2009-08-25 Thread Yaron Sheffer
Yoav says: Section 3.6 ("Certificate Payload") describes sending certificates in the IKE_AUTH exchange. The usual format for sending certificates is #4 (X.509 Certificate - Signature). Here's what it says: {{{ o X.509 Certificate - Signature (4) contains a DER encoded X.509