Yoav says:
Section 3.6 ("Certificate Payload") describes sending certificates in the IKE_AUTH exchange. The usual format for sending certificates is #4 (X.509 Certificate - Signature). Here's what it says:

{{{
o X.509 Certificate - Signature (4) contains a DER encoded X.509 certificate whose public key is used to validate the sender's AUTH payload.
}}}

(note the singular)

The last paragraph says:

{{{
Implementations MUST be capable of being configured to send and accept up to four X.509 certificates in support of authentication...
...If multiple certificates are sent, the first certificate MUST contain the public key used to sign the AUTH payload. The other certificates may be sent in any order.
}}}

What this doesn't say is how we send this chain of certificates. Is it multiple separate CERT payloads (in that case it should say so) or is it a single CERT payload (and then we should also say so)?

Input from actual implementations (and bakeoffs) will be most valuable here.

Thanks,
Yaron
_______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec