> Sec. 3.7 has:
>
>    The contents of the "Certification Authority" field are defined
>    only for X.509 certificates, which are types 4, 10, 12, and 13.
>    Other values SHOULD NOT be used until standards-track specifications
>    that specify their use are published.


> This excludes certificate requests of type 7, i.e. for CRLs. For
> requesting a specific CRL type 7 would make sense, in particular in chain
> situations. Should we add it to the list of allowed types here?


RFC 4945 states that implementations SHOULD NOT send CERTREQs for types 7
and 8.  If they are sent, then an implementation MUST NOT require the
recipient to respond and the recipient MAY ignore the request.  Given that,
I don't expect that it is common that implementations send CERTREQs with
type 7 or 8 to begin with.  If they do, I agree with Tero that an empty
certificate authority field is probably sufficient.


OTOH, I would not be opposed to adding RFC 4945's "SHOULD NOT send CERTREQs
for type 7 and 8" statement here.


> OTOH, this allows type 10, which is unspecified and should be removed.




Dave Wierbowski


z/OS Comm Server Developer

 Phone:
    Tie line:   620-4055
    External:  607-429-4055
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
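
An added example, not part of the original message or of any implementation discussed in the thread: a receiver-side check that applies the rules quoted above to a CERTREQ payload body. It assumes the IKEv2 layout of one Cert Encoding octet followed by a Certification Authority field of concatenated 20-octet SHA-1 hashes of CA public keys; the function names, action labels and sample bytes are hypothetical.

```python
import hashlib

# Cert Encoding values discussed in the thread.
X509_TYPES = {4, 10, 12, 13}  # CA field defined, per the quoted Sec. 3.7 text
CRL_ARL_TYPES = {7, 8}        # RFC 4945: SHOULD NOT be sent, MAY be ignored
HASH_LEN = 20                 # each CA entry is a SHA-1 hash of a CA public key


def handle_certreq(body: bytes, trusted: set) -> tuple:
    """Classify one CERTREQ payload body (the bytes after the generic header).

    Returns (action, matched_ca_hashes). The action names and the choice to
    reject a malformed CA field are local policy assumed for this example.
    """
    if not body:
        raise ValueError("CERTREQ body must hold at least the Cert Encoding octet")
    encoding, ca_field = body[0], body[1:]

    if encoding in CRL_ARL_TYPES:
        # No response is required; the CA field (empty or not) is not parsed.
        return "ignore", []
    if encoding not in X509_TYPES:
        # CA field contents are undefined for this encoding, so do not guess.
        return "ignore", []
    if len(ca_field) % HASH_LEN:
        # Not a whole number of 20-octet hashes: treat as malformed.
        return "reject", []
    hashes = [ca_field[i:i + HASH_LEN] for i in range(0, len(ca_field), HASH_LEN)]
    return "respond", [h for h in hashes if h in trusted]


def ca_hash(spki: bytes) -> bytes:
    """SHA-1 over the encoded public key, as carried in the CA field."""
    return hashlib.sha1(spki).digest()


# Constructed sample data: placeholder bytes stand in for real SubjectPublicKeyInfo.
CA_A = ca_hash(b"constructed-spki-A")
CA_B = ca_hash(b"constructed-spki-B")

if __name__ == "__main__":
    for body in (bytes([4]) + CA_A + CA_B, bytes([7]), bytes([4]) + CA_A[:19]):
        print(body[0], handle_certreq(body, {CA_A})[0])
```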
