Section 3.6 of ikev2bis-04 says, "Certificate payloads SHOULD be included
in an exchange if certificates are available to the sender unless the peer
has indicated an ability to retrieve this information from elsewhere using
an HTTP_CERT_LOOKUP_SUPPORTED Notify payload."
Section 3.7 of ikev2bis-04 says "The HTTP_CERT_LOOKUP_SUPPORTED
notification MAY be included in any message that can include a CERTREQ
payload and indicates that the sender is capable of looking up certificates
based on an HTTP-based URL (and hence presumably would prefer to receive
certificate specifications in that format)."
Section 3.10.1 of ikev2bis-04 indicates that section 3.6 should be
consulted for an explanation of the HTTP_CERT_LOOKUP_SUPPORTED
notification.
I think section 3.10.1 should say "see section 3.7" as the text that was
associated with the HTTP_CERT_LOOKUP_SUPPORTED notify in RFC 4306 is now in
Section 3.7.
I also question the accuracy of the statement in Section 3.6. Section 3.7
implies that certificate payloads should still be sent when an
HTTP_CERT_LOOKUP_SUPPORTED notify is received; however, an encoding type of
12 or 13 should be used if possible as the peer has indicated a preference
to receive certificate specifications in that format.
Dave Wierbowski
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
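The encoding choice discussed in this message, as an added example that is not part of the draft or of the post above: the sender uses the Hash-and-URL encodings (12 or 13) only when the peer advertised HTTP_CERT_LOOKUP_SUPPORTED, and the receiver accepts the object it fetches from the URL only if it hashes to the 20-octet SHA-1 value carried in the payload. Payload layout and encoding values follow RFC 4306 / ikev2bis section 3.6; the certificate bytes, URL and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

# IKEv2 CERT encodings from RFC 4306 / ikev2bis section 3.6.
CERT_X509_SIGNATURE = 4      # DER certificate carried inline
CERT_HASH_URL_X509 = 12      # 20-octet SHA-1 hash + URL of one certificate
CERT_HASH_URL_BUNDLE = 13    # 20-octet SHA-1 hash + URL of a certificate bundle
HASH_AND_URL = (CERT_HASH_URL_X509, CERT_HASH_URL_BUNDLE)

# Constructed stand-ins: a tiny DER SEQUENCE { INTEGER 5 }, not a real certificate.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_URL = "http://certs.example.invalid/responder.der"

def choose_encoding(peer_sent_http_cert_lookup_supported, bundle=False):
    """Section 3.7 semantics: prefer Hash-and-URL only after the peer advertised
    HTTP_CERT_LOOKUP_SUPPORTED; otherwise send the certificate inline."""
    if peer_sent_http_cert_lookup_supported:
        return CERT_HASH_URL_BUNDLE if bundle else CERT_HASH_URL_X509
    return CERT_X509_SIGNATURE

def build_cert_payload(encoding, der, url=None, next_payload=0):
    """Generic payload header (next, flags, length), Cert Encoding, Certificate Data."""
    if encoding == CERT_X509_SIGNATURE:
        data = der
    elif encoding in HASH_AND_URL:
        if url is None:
            raise ValueError("Hash-and-URL encodings require a URL")
        data = hashlib.sha1(der).digest() + url.encode("ascii")
    else:
        raise ValueError("unsupported CERT encoding %d" % encoding)
    return struct.pack("!BBHB", next_payload, 0, 5 + len(data), encoding) + data

def parse_hash_and_url(payload):
    """Split a received Hash-and-URL CERT payload into (encoding, hash, url)."""
    if len(payload) < 25:          # 5-octet header + 20-octet hash minimum
        raise ValueError("payload too short for a Hash-and-URL body")
    _next, _flags, length, encoding = struct.unpack("!BBHB", payload[:5])
    if length != len(payload) or encoding not in HASH_AND_URL:
        raise ValueError("not a well-formed Hash-and-URL CERT payload")
    return encoding, payload[5:25], payload[25:].decode("ascii")

def retrieved_object_matches(payload, retrieved_der):
    """Receiver-side check: accept the object fetched from the URL only if its
    SHA-1 hash equals the hash carried in the payload."""
    _encoding, expected, _url = parse_hash_and_url(payload)
    return hmac.compare_digest(hashlib.sha1(retrieved_der).digest(), expected)
```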