David Wierbowski writes:
> Thanks for the clarification. The text in 4301 makes sense. What I do not
> agree with is the text in 4945 that requires implementations MUST be able
> to perform matching based on a bitwise comparison of the entire DN in ID to
> its entry in the SPD. I can agree with
From: Yoav Nir <y...@checkpoint.com>
To: David Wierbowski/Endicott/i...@ibmus
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
Date: 09/17/2009 02:50 AM
Subject: Re: [IPsec] Populating ID_DER_ASN1_DN
Sent by: ipsec-boun..
On Sep 17, 2009, at 5:33 AM, David Wierbowski wrote:
> Section 3.1.5 of RFC 4945 states that when generating an ID type of
> ID_DER_ASN1_DN that "implementations MUST populate the contents of
> ID with the Subject field from the end-entity certificate, and MUST
> do so such that a binary com
Hi David,
On Thu, Sep 17, 2009 at 8:03 AM, David Wierbowski wrote:
> Section 3.1.5 of RFC 4945 states that when generating an ID type of
> ID_DER_ASN1_DN that "implementations MUST populate the contents of ID with
> the Subject field from the end-entity certificate, and MUST do so such that
> a b
Section 3.1.5 of RFC 4945 states that when generating an ID type of
ID_DER_ASN1_DN that "implementations MUST populate the contents of ID with
the Subject field from the end-entity certificate, and MUST do so such that
a binary comparison of the two will succeed." Section 3.1.5 is specific to
IK