Yoav Nir writes:
> Or I can go with option (d) and send multiple CERT payloads, as Pasi
> suggested here:
> http://www.vpnc.org/ietf-ipsec/04.ipsec/msg01022.html

This is what most implementations currently do.

> Either way, we should have it clear what is and is not allowed in
> section 3.6.

The text is very clear that there CAN be multiple CERT payloads. It is
also very clear that the FIRST public key received must be the one
matching the AUTH payload. Everything else is left as an implementation
matter.

I do not see any problem there in sending multiple CERT payloads, each
having one certificate, from the end entity cert towards the trust anchor
(usually it is not beneficial to provide the trust anchor certificate, as
it needs to be preconfigured at the recipient already anyway).
--
kivi...@iki.fi

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
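The rule discussed above (several CERT payloads, one certificate each, end entity first, and the first certificate's public key being the one that must verify AUTH) as an added worked example; this is not code from the thread or from any IKEv2 implementation. The payload header layout, payload type numbers (CERT = 37, AUTH = 39) and Cert Encoding value 4 follow RFC 4306 section 3.6; the certificate data itself is a constructed NUL-separated stand-in for DER X.509 so the block runs offline, and per-link signature verification is deliberately left out (a real receiver must verify each certificate with its issuer's key and the AUTH signature with the first certificate's key).

```python
import struct

# IKEv2 payload type numbers and the CERT encoding code from RFC 4306 section 3.6.
CERT_PAYLOAD = 37
AUTH_PAYLOAD = 39
CERT_ENCODING_X509_SIG = 4   # "X.509 Certificate - Signature"


def toy_cert(subject: bytes, issuer: bytes, pubkey: bytes) -> bytes:
    # Constructed stand-in for DER: three NUL-separated fields (subject, issuer, key).
    return b"\x00".join((subject, issuer, pubkey))


def parse_toy_cert(data: bytes) -> dict:
    subject, issuer, pubkey = data.split(b"\x00", 2)
    return {"subject": subject, "issuer": issuer, "pubkey": pubkey}


def encode_cert_payload(cert_data: bytes, next_payload: int) -> bytes:
    # Generic payload header (Next Payload, C bit + RESERVED, Payload Length),
    # then the one-octet Cert Encoding and the Certificate Data.
    length = 4 + 1 + len(cert_data)
    return struct.pack("!BBHB", next_payload, 0, length, CERT_ENCODING_X509_SIG) + cert_data


def encode_cert_payloads(certs: list) -> bytes:
    # One CERT payload per certificate, end entity first; the last one points at AUTH.
    out = b""
    for i, cert in enumerate(certs):
        nxt = CERT_PAYLOAD if i < len(certs) - 1 else AUTH_PAYLOAD
        out += encode_cert_payload(cert, nxt)
    return out


def parse_cert_payloads(buf: bytes):
    """Parse a run of CERT payloads starting at offset 0 of buf.

    Returns (certificate data in wire order, offset of the next payload, its type).
    The caller already knows buf[0] starts a CERT payload from the preceding
    payload's Next Payload field.
    """
    certs, off = [], 0
    while True:
        if off + 5 > len(buf):
            raise ValueError("truncated CERT payload")
        nxt, _flags, length, encoding = struct.unpack("!BBHB", buf[off:off + 5])
        if length < 5 or off + length > len(buf):
            raise ValueError("bad CERT payload length")
        if encoding != CERT_ENCODING_X509_SIG:
            raise ValueError("unsupported Cert Encoding %d" % encoding)
        certs.append(buf[off + 5:off + length])
        off += length
        if nxt != CERT_PAYLOAD:
            return certs, off, nxt


def select_auth_key(cert_datas: list, trust_anchors: dict) -> bytes:
    """Apply the section 3.6 ordering rule.

    The first certificate's public key is the one that must verify AUTH; every
    later certificate must be the issuer of the one before it, and the chain must
    end at a locally configured trust anchor (subject -> key), which the peer does
    not need to send. Returns the key to verify AUTH with, or raises ValueError.
    """
    if not cert_datas:
        raise ValueError("no CERT payload")
    chain = [parse_toy_cert(d) for d in cert_datas]
    for cur, nxt in zip(chain, chain[1:]):
        if cur["issuer"] != nxt["subject"]:
            raise ValueError("chain break after %r" % cur["subject"])
    last = chain[-1]
    # Accept either an omitted anchor (last cert issued by it) or an anchor sent on the wire.
    if last["issuer"] not in trust_anchors and last["subject"] not in trust_anchors:
        raise ValueError("chain does not end at a configured trust anchor")
    return chain[0]["pubkey"]


def chain_accepted(cert_datas: list, trust_anchors: dict) -> bool:
    try:
        select_auth_key(cert_datas, trust_anchors)
        return True
    except ValueError:
        return False


# Constructed sample PKI: gateway cert issued by an intermediate, itself issued by the root.
ROOT = toy_cert(b"CN=Root CA", b"CN=Root CA", b"root-key")
CA1 = toy_cert(b"CN=Intermediate CA", b"CN=Root CA", b"ca1-key")
EE = toy_cert(b"CN=vpn-gw.example", b"CN=Intermediate CA", b"gw-key")
TRUST_ANCHORS = {b"CN=Root CA": b"root-key"}   # preconfigured, never sent


def demo() -> bytes:
    # Sender: end entity first, intermediate second, trust anchor omitted; AUTH follows.
    wire = encode_cert_payloads([EE, CA1]) + b"<AUTH payload bytes would follow>"
    certs, _off, nxt = parse_cert_payloads(wire)
    assert nxt == AUTH_PAYLOAD
    return select_auth_key(certs, TRUST_ANCHORS)


if __name__ == "__main__":
    print(demo())
```

Swapping the two CERT payloads (intermediate first) is rejected by the chain walk, which is the practical reason the ordering rule matters: a receiver that simply takes the first public key it sees would otherwise try to verify AUTH with the intermediate CA's key.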