Paul,

Thanks, but now I'm confused by an answer Tero provided to a slightly
different question back in July of 2007 (subject [Ipsec] Comments on
draft-hoffman-ikev2bis-01.txt).  From Tero's answer I had expected to see
something that would disallow using those encoding types if you did not
receive the HTTP_CERT_LOOKUP_SUPPORTED.  See below.

> Since an implementation MUST be capable of being configured to send and
> accept the first two Hash and URL formats it seems to follow that an
> implementation also MUST support HTTP certificate lookup (making the
> HTTP_CERT_LOOKUP_SUPPORTED notification extraneous).  I believe the
> intent is for HTTP certificate lookup support to be optional but a
> clarification to that effect would be helpful.

HTTP_CERT_LOOKUP_SUPPORTED is not extraneous, as it tells whether the
other end is CONFIGURED to allow HTTP lookups for the certificates.

> Assuming HTTP certificate lookup support is optional, how should an
> implementation handle receipt of a CERT payload containing either of the
> Hash and URL formats (or any other unsupported encoding)?  Presumably the
> implementation should ignore the certificate payload in this case.  Is
> that correct?

If you receive a certificate payload you cannot process, you can ignore
it and try to see if you can still authenticate the other end. If you
happen to have the certificate for the other end for some other reason
(preconfiguration, cached by a previous session, etc.) then you can
authenticate the other end; if you do not have the certificate you
will fail the authentication.

Dave Wierbowski


z/OS Comm Server Developer

 Phone:
    Tie line:   620-4055
    External:  607-429-4055

Paul Hoffman <paul.hoff...@vpnc.org> wrote on 05/22/2009 11:57 AM
(sent by ipsec-boun...@ietf.org)
To: David Wierbowski/Endicott/i...@ibmus
Cc: ipsec@ietf.org, ipsec-boun...@ietf.org
Subject: Re: [IPsec] HTTP_CERT_LOOKUP_SUPPORTED question

At 11:52 AM -0400 5/22/09, David Wierbowski wrote:
>Why?

Because there is nothing in the document to indicate that it is invalid.
HTTP_CERT_LOOKUP_SUPPORTED is only mentioned twice in RFC 4306:

   Certificate payloads SHOULD be included in an exchange if
   certificates are available to the sender unless the peer has
   indicated an ability to retrieve this information from elsewhere
   using an HTTP_CERT_LOOKUP_SUPPORTED Notify payload.

. . .

        HTTP_CERT_LOOKUP_SUPPORTED               16392

            This notification MAY be included in any message that can
            include a CERTREQ payload and indicates that the sender is
            capable of looking up certificates based on an HTTP-based
            URL (and hence presumably would prefer to receive
            certificate specifications in that format).

Neither of those makes it sound like it is required before sending type 12
or 13 certificates.

--Paul Hoffman, Director
--VPN Consortium
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
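The two behaviours discussed in this thread, the sender's SHOULD from RFC 4306 that Paul quotes and the receiver's "ignore what you cannot process, fall back to a certificate you already hold" that Tero describes, are sketched below in Python. This is an added example, not code from the thread or from any IKEv2 implementation. It assumes the CERT payload layout of RFC 4306 section 3.6 (one encoding octet, then for encodings 12 and 13 a 20-octet SHA-1 of the DER data followed by the URL), uses constructed bytes that are not a real certificate, a hypothetical URL, a `fetch` callback standing in for the HTTP retrieval, and a local cache keyed by SHA-1 of the DER certificate so that a Hash and URL payload can still match a preconfigured or previously cached certificate even when HTTP lookups are not configured.

```python
"""IKEv2 CERT payload handling around HTTP_CERT_LOOKUP_SUPPORTED (RFC 4306 sections 3.6 and 3.10.1)."""
import hashlib
from typing import Callable, Dict, List, Optional

# Cert Encoding values from RFC 4306 section 3.6 (only the ones this example handles).
CERT_X509_SIGNATURE = 4      # the DER certificate itself is in the payload
CERT_HASH_URL_X509 = 12      # 20-octet SHA-1 of the DER certificate, then a URL
CERT_HASH_URL_BUNDLE = 13    # 20-octet SHA-1 of a certificate bundle, then a URL
HASH_LEN = 20                # SHA-1 digest length fixed by the Hash and URL format

# Status notification type from RFC 4306 section 3.10.1.
NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED = 16392

# Constructed sample input: NOT a real certificate, just bytes to hash. The URL is hypothetical.
SAMPLE_DER = b"\x30\x82\x01\x00" + b"constructed-fake-certificate-body"
SAMPLE_URL = "http://certs.example.test/peer.der"


def cert_hash(der: bytes) -> bytes:
    """SHA-1 of the DER encoding, the value carried by encodings 12 and 13."""
    return hashlib.sha1(der).digest()


def x509_payload(der: bytes) -> bytes:
    """CERT payload body for encoding 4: one encoding octet followed by the DER certificate."""
    return bytes([CERT_X509_SIGNATURE]) + der


def hash_and_url_payload(der: bytes, url: str, encoding: int = CERT_HASH_URL_X509) -> bytes:
    """CERT payload body for encodings 12/13: encoding octet, SHA-1 hash, then the URL."""
    return bytes([encoding]) + cert_hash(der) + url.encode("ascii")


def choose_cert_payloads(local_der: bytes, local_url: str, peer_notifies: List[int]) -> List[bytes]:
    """Sender side. RFC 4306: CERT payloads SHOULD be sent unless the peer sent
    HTTP_CERT_LOOKUP_SUPPORTED, in which case it presumably prefers Hash and URL."""
    if NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED in peer_notifies:
        return [hash_and_url_payload(local_der, local_url)]
    return [x509_payload(local_der)]


def parse_cert_payload(body: bytes) -> dict:
    """Split a CERT payload body into its encoding and data, checking the Hash and URL length."""
    if not body:
        raise ValueError("empty CERT payload")
    encoding, data = body[0], body[1:]
    if encoding in (CERT_HASH_URL_X509, CERT_HASH_URL_BUNDLE):
        if len(data) < HASH_LEN:
            raise ValueError("Hash and URL data shorter than the 20-octet hash")
        return {"encoding": encoding, "hash": data[:HASH_LEN],
                "url": data[HASH_LEN:].decode("ascii")}
    return {"encoding": encoding, "data": data}


def select_peer_certificate(payloads: List[bytes], http_lookup_configured: bool,
                            cached_by_hash: Dict[bytes, bytes],
                            fetch: Optional[Callable[[str], Optional[bytes]]] = None) -> Optional[bytes]:
    """Receiver side, following Tero's answer: a payload we cannot process is ignored,
    a certificate we already hold (preconfigured or cached, keyed by SHA-1 of its DER)
    still lets authentication proceed, and without any usable certificate we return None,
    which the caller treats as an authentication failure.

    `fetch` stands in for an HTTP retrieval and is only called when lookups are
    configured; for encoding 13 the bytes returned are a bundle the caller must unpack."""
    for body in payloads:
        try:
            cert = parse_cert_payload(body)
        except ValueError:
            continue                      # malformed: ignore it, keep looking
        enc = cert["encoding"]
        if enc == CERT_X509_SIGNATURE:
            return cert["data"]
        if enc in (CERT_HASH_URL_X509, CERT_HASH_URL_BUNDLE):
            known = cached_by_hash.get(cert["hash"])
            if known is not None:
                return known              # already have it, no lookup needed
            if http_lookup_configured and fetch is not None:
                fetched = fetch(cert["url"])
                if fetched is not None and cert_hash(fetched) == cert["hash"]:
                    return fetched        # the hash binds the fetched bytes to the payload
            continue                      # cannot process this one: ignore it
        # Every other encoding is unsupported in this example: ignore it.
    return None


if __name__ == "__main__":
    received = [hash_and_url_payload(SAMPLE_DER, SAMPLE_URL)]
    print("peer sent the notify, we send encoding:", choose_cert_payloads(SAMPLE_DER, SAMPLE_URL, [16392])[0][0])
    print("no lookup configured, nothing cached ->", select_peer_certificate(received, False, {}))
    print("no lookup configured, cert cached ->",
          select_peer_certificate(received, False, {cert_hash(SAMPLE_DER): SAMPLE_DER}) == SAMPLE_DER)
```

The hash comparison after `fetch` matters: the Hash and URL payload is what the peer authenticates over, so bytes pulled from the URL are only accepted if their SHA-1 matches the payload, which stops a substituted certificate at the lookup server from being used. Keying the local cache by that same hash is what makes Tero's "preconfigured or cached" fallback work without any lookup at all.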