Hi Yoav,

This text (to be added for this specific encoding) duplicates the existing
text at the end of this same section.

Moreover, we keep saying "multiple certificates" without mentioning the
semantics of these multiple certs, i.e. they should form a trust chain.

Thanks,
        Yaron

> -----Original Message-----
> From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of Yoav Nir
> Sent: Wednesday, August 26, 2009 16:54
> To: Tero Kivinen
> Cc: ipsec@ietf.org
> Subject: Re: [IPsec] #107: Sending certificate chains in IKEv2
> 
> Good. So how about we close this issue by adding the last sentence
> below:
> 
>                                                                If
>     multiple certificates are sent, the first certificate MUST contain
>     the public key used to sign the AUTH payload.  The other certificates
>     may be sent in any order. Each certificate is encoded in a separate
>     CERT payload.
> 
> Does this sound OK to everyone?
> 
> On Aug 26, 2009, at 4:43 PM, Tero Kivinen wrote:
> 
> > Martin Willi writes:
> >> It is not even clear from the spec how to encode multiple certificates
> >> in a single cert payload with type 4 (just concatenate?).
> >
> > There is no way to encode more than one certificate with X.509
> > Certificate - Signature (#4) format in one certificate payload.
> > --
> > kivi...@iki.fi
> > _______________________________________________
> > IPsec mailing list
> > IPsec@ietf.org
> > https://www.ietf.org/mailman/listinfo/ipsec
> >
> > Scanned by Check Point Total Security Gateway.

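The encoding rule discussed in this thread, as an added example that is not part of any message above or of the draft: one CERT payload per certificate with encoding 4, the AUTH signer's certificate first, and a receiver that treats each payload body as exactly one certificate. The CERT payload type number (37) and the generic payload header layout are taken from the IKEv2 specification; the certificate bytes are constructed placeholders, not real DER, and the function names are hypothetical.

```python
import struct

CERT_PAYLOAD = 37          # IKEv2 payload type number for CERT
NO_NEXT_PAYLOAD = 0
X509_SIGNATURE = 4         # "X.509 Certificate - Signature" encoding

def build_cert_payloads(signer_cert, other_certs, next_after=NO_NEXT_PAYLOAD):
    """One CERT payload per certificate; the AUTH signer's certificate goes first."""
    certs = [signer_cert, *other_certs]
    out = b""
    for i, der in enumerate(certs):
        nxt = CERT_PAYLOAD if i < len(certs) - 1 else next_after
        # Generic header: next payload, critical/reserved, length (header included)
        out += struct.pack("!BBH", nxt, 0, 4 + 1 + len(der))
        out += bytes([X509_SIGNATURE]) + der
    return out

def parse_cert_payloads(buf, first=CERT_PAYLOAD):
    """Return (signer_cert, other_certs, next_payload_type, bytes_consumed)."""
    certs, offset, ptype = [], 0, first
    while ptype == CERT_PAYLOAD:
        if len(buf) - offset < 5:
            raise ValueError("truncated CERT payload header")
        nxt, _flags, length = struct.unpack_from("!BBH", buf, offset)
        if length < 5 or offset + length > len(buf):
            raise ValueError("bad CERT payload length")
        encoding = buf[offset + 4]
        if encoding != X509_SIGNATURE:
            raise ValueError(f"unsupported cert encoding {encoding}")
        # No inner length or count field: the body is exactly one certificate.
        certs.append(buf[offset + 5:offset + length])
        offset, ptype = offset + length, nxt
    if not certs:
        raise ValueError("no CERT payload present")
    # The first certificate carries the key that signed AUTH; the rest are unordered.
    return certs[0], certs[1:], ptype, offset

# Constructed placeholder blobs standing in for DER certificates.
EE, INTERMEDIATE, ROOT = b"\x30\x03EE!", b"\x30\x03INT", b"\x30\x03RT!"
```

Because the remaining certificates may arrive in any order, a receiver still has to assemble the trust chain itself by matching issuer and subject; the payload order only identifies the signer.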