At 12:53 AM +0300 5/11/09, Yoav Nir wrote:
>Paul Hoffman wrote:
>>
>> At 2:08 PM +0300 5/10/09, Yoav Nir wrote:
>> >Hi all
>> >
>> >I've submitted issue #107 about certificate encoding.
>> >
>> >IMO it's not clear how certificate chains are to be encoded in IKEv2.
>> >
>> >http://trac.tools.ietf.org/wg/ipsecme/trac/ticket/107
>>
>> That would be the CertBundle, also described in section 3.6.
>>
>> --Paul Hoffman, Director
>> --VPN Consortium
>
>And there's the problem. There is no certificate payload encoding for a certificate bundle. Only hash-and-URL.
>
>So what do I do if the peer sent a certificate request for the root CA, and I have a certificate by a sub-CA, and we don't use hash-and-URL? I can't use a bundle in a Type #4 encoding, but I do need to send the subordinate CA certificate as well.
You can:

a) start using hash-and-url
b) hope your peer has the sub-CA
c) write an extension to 4306 that allows bundles in CERT

Doing (a) is the most interoperable, but you're probably safe with (b) in a typical closed network.

--Paul Hoffman, Director
--VPN Consortium
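To make the distinction in this thread concrete, here is an added example (not code from the list or from any IKEv2 implementation) that builds and parses IKEv2 CERT payloads per RFC 4306 section 3.6: a Type 4 payload carries exactly one DER certificate, so a chain has to be sent as one CERT payload per certificate, whereas the Type 13 hash-and-URL encoding refers to a whole CertBundle by SHA-1 hash plus URL. The certificate bytes, bundle bytes and URL are constructed stand-ins, not real certificates.

```python
# Added example: IKEv2 CERT payload encodings from RFC 4306 section 3.6.
import hashlib
import struct

CERT_X509_SIGNATURE = 4      # Type 4: one DER-encoded X.509 certificate
CERT_HASH_URL_X509 = 12      # SHA-1 hash + URL of one DER certificate
CERT_HASH_URL_BUNDLE = 13    # SHA-1 hash + URL of a DER-encoded CertBundle
PAYLOAD_TYPE_CERT = 37       # Next Payload value for a following CERT payload

def build_cert_payload(encoding, cert_data, next_payload=0):
    """Generic header (Next Payload, C+Reserved, Length) + Cert Encoding + data."""
    length = 4 + 1 + len(cert_data)              # length covers the header too
    return struct.pack("!BBHB", next_payload, 0, length, encoding) + cert_data

def cert_chain_payloads(der_chain, next_payload_after=0):
    """Type 4 holds a single certificate, so a chain is one CERT payload each,
    end-entity first; Next Payload chains them until next_payload_after."""
    out = b""
    for i, der in enumerate(der_chain):
        nxt = PAYLOAD_TYPE_CERT if i + 1 < len(der_chain) else next_payload_after
        out += build_cert_payload(CERT_X509_SIGNATURE, der, nxt)
    return out

def hash_and_url_bundle_payload(bundle_der, url, next_payload=0):
    """Type 13: 20-octet SHA-1 of the DER bundle followed by the URL."""
    data = hashlib.sha1(bundle_der).digest() + url.encode("ascii")
    return build_cert_payload(CERT_HASH_URL_BUNDLE, data, next_payload)

def parse_cert_payloads(buf):
    """Walk consecutive CERT payloads, validating the declared lengths.
    Returns (encoding, data) tuples; hash-and-URL entries are (encoding, sha1, url)."""
    result, off = [], 0
    while off < len(buf):
        if len(buf) - off < 5:
            raise ValueError("truncated CERT payload header")
        _nxt, _flags, length, enc = struct.unpack("!BBHB", buf[off:off + 5])
        if length < 5 or off + length > len(buf):
            raise ValueError("CERT payload length exceeds buffer")
        data = buf[off + 5:off + length]
        if enc in (CERT_HASH_URL_X509, CERT_HASH_URL_BUNDLE):
            if len(data) < 20:
                raise ValueError("hash-and-URL data shorter than a SHA-1 digest")
            result.append((enc, data[:20], data[20:].decode("ascii")))
        else:
            result.append((enc, data))
        off += length
    return result

# Constructed stand-ins for DER certificates and a bundle (not real ASN.1 objects).
LEAF_DER = b"\x30\x82\x01\x10" + b"leaf" * 5
SUBCA_DER = b"\x30\x82\x01\x00" + b"subCA" * 4
BUNDLE_DER = LEAF_DER + SUBCA_DER
```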