We use multiple certificate payloads when using X.509 Certificate - Signature (4) encoding.
I do not really see how this could be questioned. RFC 4306 clearly says X.509 Certificate - Signature (4) encoding contains a single certificate as pointed out below. The logical conclusion is that if you need to send multiple certificates and choose to use X.509 Certificate - Signature (4) encoding then you need multiple payloads.

On the other hand you can send one payload if you use Hash and URL of X.509 bundle encoding. If you do then the first certificate in the bundle must contain the public key used to sign the AUTH payload.

I think the existing text is fine.

Dave Wierbowski


Yaron Sheffer <yar...@checkpoint.com>
Sent by: ipsec-boun...@ietf.org
08/25/2009 05:23 PM

To: "ipsec@ietf.org" <ipsec@ietf.org>
cc:
Subject: [IPsec] #107: Sending certificate chains in IKEv2

Yoav says:

Section 3.6 ("Certificate Payload") describes sending certificates in the IKE_AUTH exchange. The usual format for sending certificates is #4 (X.509 Certificate - Signature). Here's what it says:

{{{
o X.509 Certificate - Signature (4) contains a DER encoded X.509 certificate whose public key is used to validate the sender's AUTH payload.
}}}

(note the singular)

The last paragraph says:

{{{
Implementations MUST be capable of being configured to send and accept up to four X.509 certificates in support of authentication...
...If multiple certificates are sent, the first certificate MUST contain the public key used to sign the AUTH payload. The other certificates may be sent in any order.
}}}

What this doesn't say is how we send this chain of certificates. Is it multiple separate CERT payloads (in that case it should say so) or is it a single CERT payload (and then we should also say so)

Input from actual implementations (and bakeoffs) will be most valuable here.

Thanks,
    Yaron

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
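The two encodings the thread compares, worked through in Python as an added example (this is not code from the thread, from RFC 4306, or from any IKEv2 implementation). It serialises a chain as one CERT payload per certificate with encoding 4, serialises the same chain as a single Hash and URL of X.509 bundle (13) payload, and parses both back. The parser enforces the point Dave makes: an encoding-4 payload must hold exactly one DER certificate, so a payload that concatenates two certificates is rejected. The certificate bytes are constructed minimal DER SEQUENCEs standing in for real certificates, and the bundle URL is hypothetical; the payload type number (37), encoding numbers and generic payload header layout are those of RFC 4306 sections 3.2 and 3.6.

```python
import hashlib
import struct

# IKEv2 constants from RFC 4306: payload type CERT and two Cert Encoding values.
PAYLOAD_NONE = 0
PAYLOAD_CERT = 37
ENC_X509_SIGNATURE = 4       # one DER-encoded X.509 certificate per payload
ENC_HASH_URL_BUNDLE = 13     # 20-octet SHA-1 of a bundle, followed by its URL

# Constructed stand-ins for DER certificates (SEQUENCE { INTEGER n }), not real X.509.
EE_CERT = bytes.fromhex("300302010a")   # "end-entity" cert: holds the AUTH signing key
CA_CERT = bytes.fromhex("300302010b")   # "issuer" cert


def _der_length(data, offset):
    """Decode a DER length field at data[offset]; return (length, bytes_consumed)."""
    if offset >= len(data):
        raise ValueError("truncated DER length")
    first = data[offset]
    if first < 0x80:
        return first, 1
    n = first & 0x7F
    if n == 0 or n > 4 or offset + 1 + n > len(data):
        raise ValueError("bad DER length")
    return int.from_bytes(data[offset + 1:offset + 1 + n], "big"), 1 + n


def der_sequence_size(data):
    """Return the total encoded size of the DER SEQUENCE that starts at data[0]."""
    if not data or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    length, hdr = _der_length(data, 1)
    return 1 + hdr + length


def build_cert_payloads(certs_der, next_payload=PAYLOAD_NONE):
    """Serialise a chain as consecutive CERT payloads, one certificate each (encoding 4).

    The caller puts the AUTH-signing certificate first, as RFC 4306 requires.
    """
    out = bytearray()
    for i, cert in enumerate(certs_der):
        nxt = PAYLOAD_CERT if i + 1 < len(certs_der) else next_payload
        body = bytes([ENC_X509_SIGNATURE]) + cert
        # Generic payload header: Next Payload, C-bit/RESERVED, Payload Length (incl. header).
        out += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body
    return bytes(out)


def build_hash_url_bundle_payload(bundle_der, url, next_payload=PAYLOAD_NONE):
    """Serialise a whole chain as a single encoding-13 payload: SHA-1(bundle) || URL."""
    body = bytes([ENC_HASH_URL_BUNDLE]) + hashlib.sha1(bundle_der).digest() + url.encode()
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def parse_cert_payloads(data):
    """Walk a run of CERT payloads starting at data[0]; return [(encoding, value), ...].

    Encoding 4: value is the single DER certificate; the payload data must be exactly
    one DER SEQUENCE, so two concatenated certificates are rejected.
    Encoding 13: value is (sha1_hash, url).  Other encodings are returned raw.
    """
    result = []
    offset = 0
    nxt = PAYLOAD_CERT
    while nxt == PAYLOAD_CERT:
        if offset + 4 > len(data):
            raise ValueError("truncated payload header")
        nxt, _crit, plen = struct.unpack("!BBH", data[offset:offset + 4])
        if plen < 5 or offset + plen > len(data):
            raise ValueError("bad payload length")
        encoding = data[offset + 4]
        cert_data = data[offset + 5:offset + plen]
        if encoding == ENC_X509_SIGNATURE:
            if der_sequence_size(cert_data) != len(cert_data):
                raise ValueError("encoding 4 payload must hold exactly one certificate")
            result.append((encoding, cert_data))
        elif encoding == ENC_HASH_URL_BUNDLE:
            if len(cert_data) < 20:
                raise ValueError("hash-and-URL payload too short")
            result.append((encoding, (cert_data[:20], cert_data[20:].decode())))
        else:
            result.append((encoding, cert_data))
        offset += plen
    return result


def is_valid_chain(data):
    """True if data parses as a well-formed run of CERT payloads."""
    try:
        parse_cert_payloads(data)
        return True
    except ValueError:
        return False


# A malformed alternative: both certificates stuffed into ONE encoding-4 payload.
TWO_CERTS_ONE_PAYLOAD = (
    struct.pack("!BBH", PAYLOAD_NONE, 0, 4 + 1 + len(EE_CERT) + len(CA_CERT))
    + bytes([ENC_X509_SIGNATURE]) + EE_CERT + CA_CERT
)
```

`parse_cert_payloads` assumes `data[0]` is already known (from the preceding header) to be a CERT payload and stops when a header's Next Payload is no longer CERT, which is how a receiver sees a chain sent as multiple encoding-4 payloads. The hash-and-URL path only splits the hash from the URL; fetching the bundle and checking its SHA-1 is outside the scope of this example.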