Paul Hoffman writes:
> At 3:09 PM +0300 5/11/09, Yaron Sheffer wrote:
> >Or possibly:
> >
> >X.509 Certificate - Signature (4) contains a DER encoded X.509 certificate
> >whose public key is used to validate the sender's AUTH payload. With this
> >encoding, if a chain of certificates needs to be se
At 12:19 AM +0300 5/12/09, Yaron Sheffer wrote:
>In two words, why not? What is the exact new requirement you are referring
>to?
"multiple CERT payloads of type 4 MUST be used". That is a new requirement.
>More generally, this is not some obscure part of the RFC that we're
>discussing. This is p
ility.
Thanks,
Yaron
> -Original Message-
> From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of
> Paul Hoffman
> Sent: Monday, May 11, 2009 18:58
> To: ipsec@ietf.org
> Subject: Re: [IPsec] Issue #107
>
> At 3:09 PM +0300 5/11/09, Yaron
At 3:09 PM +0300 5/11/09, Yaron Sheffer wrote:
>Or possibly:
>
>X.509 Certificate - Signature (4) contains a DER encoded X.509 certificate
>whose public key is used to validate the sender's AUTH payload. With this
>encoding, if a chain of certificates needs to be sent, multiple CERT
>payloads of ty
ailto:ipsec-boun...@ietf.org] On Behalf Of
> Yoav Nir
> Sent: Monday, May 11, 2009 12:23
> To: pasi.ero...@nokia.com; paul.hoff...@vpnc.org; ipsec@ietf.org
> Subject: Re: [IPsec] Issue #107
>
> Pasi.Eronen wrote:
> >
> > Yoav Nir wrote:
> > > > You can:
>
At 3:23 PM +0300 5/11/09, Tero Kivinen wrote:
>There is text about this in multiple places in the RFC4306.
...barely. It is only clear in section 1.2, not in subsections of Section 3.
The topic of cert chains is barely discussed. I will clear this up in the next
draft.
--Paul Hoffman, Director
At 5:23 PM +0300 5/11/09, Tero Kivinen wrote:
>I think it is quite obvious that you are not supposed to use multiple
>hash and url of X.509 bundle payloads, even when it is not
>specifically forbidden.
Fully disagree. We have no prohibition against this, and I can imagine corner
cases where it wo
David Wierbowski writes:
>
> > Tero said:
> >
> > For the X.509 bundle I think the format is more clear and only one
> > CERT payload is sent containing hash and url of all certificates and
> > crls needed (and first certificate there is the one used for AUTH
> > payload).
>
> Tero, I do not agre
> Tero said:
>
> For the X.509 bundle I think the format is more clear and only one
> CERT payload is sent containing hash and url of all certificates and
> crls needed (and first certificate there is the one used for AUTH
> payload).
Tero, I do not agree that it is more clear that only one CERT
Yoav Nir writes:
> Or I can go with option (d) and send multiple CERT payloads, as Pasi
> suggested here:
> http://www.vpnc.org/ietf-ipsec/04.ipsec/msg01022.html
This is what most implementations currently do.
> Either way, we should have it clear what is and is not allowed in
> section 3.6.
Th
Yoav Nir writes:
> I've submitted issue #107 about certificate encoding.
>
> IMO it's not clear how certificate chains are to be encoded in IKEv2.
>
> http://trac.tools.ietf.org/wg/ipsecme/trac/ticket/107
If certificate chain is sent using X.509 certificate - signature (4)
format, then it is sen
Pasi.Eronen wrote:
>
> Yoav Nir wrote:
> > > You can:
> > >
> > > a) start using hash-and-url
> > >
> > > b) hope your peer has the sub-CA
> > >
> > > c) write an extension to 4306 that allows bundles in CERT
> > >
> > > Doing (a) is the most interoperable, but you're probably
> safe with
> > >
Yoav Nir wrote:
> > You can:
> >
> > a) start using hash-and-url
> >
> > b) hope your peer has the sub-CA
> >
> > c) write an extension to 4306 that allows bundles in CERT
> >
> > Doing (a) is the most interoperable, but you're probably safe
> > with (b) in a typical closed network.
>
> Or I can g
Paul Hoffman wrote:
>
> At 12:53 AM +0300 5/11/09, Yoav Nir wrote:
> >Paul Hoffman wrote:
> >>
> >> At 2:08 PM +0300 5/10/09, Yoav Nir wrote:
> >> >Hi all
> >> >
> >> >I've submitted issue #107 about certificate encoding.
> >> >
> >> >IMO it's not clear how certificate chains are to be
> encoded
At 12:53 AM +0300 5/11/09, Yoav Nir wrote:
>Paul Hoffman wrote:
>>
>> At 2:08 PM +0300 5/10/09, Yoav Nir wrote:
>> >Hi all
>> >
>> >I've submitted issue #107 about certificate encoding.
>> >
>> >IMO it's not clear how certificate chains are to be encoded in IKEv2.
>> >
>> >http://trac.tools.ietf.or
Paul Hoffman wrote:
>
> At 2:08 PM +0300 5/10/09, Yoav Nir wrote:
> >Hi all
> >
> >I've submitted issue #107 about certificate encoding.
> >
> >IMO it's not clear how certificate chains are to be encoded in IKEv2.
> >
> >http://trac.tools.ietf.org/wg/ipsecme/trac/ticket/107
>
> That would be the Ce
At 2:08 PM +0300 5/10/09, Yoav Nir wrote:
>Hi all
>
>I've submitted issue #107 about certificate encoding.
>
>IMO it's not clear how certificate chains are to be encoded in IKEv2.
>
>http://trac.tools.ietf.org/wg/ipsecme/trac/ticket/107
That would be the CertBundle, also described in section 3.6.
Hi all
I've submitted issue #107 about certificate encoding.
IMO it's not clear how certificate chains are to be encoded in IKEv2.
http://trac.tools.ietf.org/wg/ipsecme/trac/ticket/107
Yoav
IPsec mailing list
IPsec@ie