Picking up some leftover open points.

On Wed, Feb 26, 2020 at 03:10:55PM -0500, Paul Wouters wrote:
> Actually we do. We had to add pkcs7 to ikev2 to be compatible with some
> windows deployments when intermediate certificates were being sent. On
> top of that, Microsoft did it wrong, as the format does not allow a
> chain but they added more than one anyway. So if anything, we DO NOT
> want to see more pkcs7 in IKEv2.

ACP nodes would never need to talk directly to a Microsoft CA, but an ACP registrar might, such as a registrar using BRSKI.

Question: Would a registrar be able to convert the encoding of the certificate (chain) between pkcs7 towards a Microsoft CA and whatever RFC7296 prefers, I guess "X.509 Certificate - Signature", towards the enrolling/renewing client?

If that conversion is possible, we are done, because then it's up to each vendor's registrar implementation to do this; at best we might put a note into the non-normative part of ACP (operations of registrars), or nothing. But given how ACP is an OPS area document, I think the WG/area appreciates help operationalizing systems, and not only creating strict protocol specifications.

Alas, in the pre-standard implementations of ACP I used, we always used pkcs7 towards the client, which is why I haven't been able to try to figure out the answer to this question. Given how I hope it's just container formats, I hope the answer is yes.

Cheers
    Toerless

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
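As an added illustration of the container conversion the question above asks about (this is example code written for this page, not code from the email's author, from any ACP registrar, or from an IKEv2 implementation): a PKCS#7 bundle as returned by a CA is normally a degenerate "certificates-only" SignedData (RFC 2315 / RFC 5652), i.e. a ContentInfo wrapping a SignedData whose `certificates [0]` SET holds plain DER X.509 certificates and whose signerInfos SET is empty. Unwrapping that container yields the DER certificates directly, and each one can be placed into an IKEv2 CERT payload with Cert Encoding 4, "X.509 Certificate - Signature" (RFC 7296 section 3.6). The example uses a minimal DER TLV walker so it runs without third-party libraries; the two "certificates" it wraps are constructed stand-in SEQUENCE blobs, not real certificates, and the function names (`pkcs7_extract_certificates`, `ikev2_cert_payload`, `convert_pkcs7_to_ikev2_cert_payloads`) are hypothetical. Because it walks the whole `[0]` SET, it returns every certificate the CA put there, which is exactly how a bundle carrying more than one certificate would surface at a registrar.

```python
import struct

# DER-encoded OID content octets from PKCS#7 (RFC 2315).
OID_PKCS7_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1
OID_PKCS7_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2

# IKEv2 Cert Encoding values, RFC 7296 section 3.6.
CERT_ENC_PKCS7_WRAPPED_X509 = 1
CERT_ENC_X509_SIGNATURE = 4


def der_read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def der_encode(tag, content):
    """Encode content under tag using DER definite-length encoding."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def pkcs7_extract_certificates(pkcs7_der):
    """Return the DER certificates carried in a PKCS#7 SignedData ContentInfo."""
    tag, ci, _ = der_read_tlv(pkcs7_der, 0)
    if tag != 0x30:
        raise ValueError("ContentInfo must be a SEQUENCE")
    tag, oid, pos = der_read_tlv(ci, 0)
    if tag != 0x06 or oid != OID_PKCS7_SIGNED_DATA:
        raise ValueError("not a PKCS#7 SignedData ContentInfo")
    tag, explicit0, _ = der_read_tlv(ci, pos)
    if tag != 0xA0:
        raise ValueError("missing [0] EXPLICIT content")
    # SignedData ::= SEQUENCE { version, digestAlgorithms, contentInfo,
    #   certificates [0] IMPLICIT OPTIONAL, crls [1] IMPLICIT OPTIONAL, signerInfos }
    tag, sd, _ = der_read_tlv(explicit0, 0)
    if tag != 0x30:
        raise ValueError("SignedData must be a SEQUENCE")
    pos = 0
    for _ in range(3):  # skip version, digestAlgorithms, contentInfo
        _, _, pos = der_read_tlv(sd, pos)
    certs = []
    if pos < len(sd):
        tag, certset, _ = der_read_tlv(sd, pos)
        if tag == 0xA0:  # certificates [0] IMPLICIT SET OF Certificate
            p = 0
            while p < len(certset):
                ctag, _, end = der_read_tlv(certset, p)
                if ctag != 0x30:
                    raise ValueError("certificate entry is not a SEQUENCE")
                certs.append(certset[p:end])  # keep the whole Certificate TLV
                p = end
    return certs


def ikev2_cert_payload(cert_der, next_payload=0):
    """Build one IKEv2 CERT payload (RFC 7296 section 3.6) carrying a DER
    X.509 certificate with Cert Encoding 4, "X.509 Certificate - Signature"."""
    body = bytes([CERT_ENC_X509_SIGNATURE]) + cert_der
    # Generic payload header: Next Payload, C|RESERVED, Payload Length (incl. header).
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def build_certs_only_pkcs7(cert_ders):
    """Construct a degenerate (certificates-only) SignedData, the shape a CA
    uses to hand back an issued certificate together with intermediates."""
    signed_data = der_encode(0x30, b"".join([
        der_encode(0x02, b"\x01"),                           # version 1
        der_encode(0x31, b""),                               # digestAlgorithms: empty SET
        der_encode(0x30, der_encode(0x06, OID_PKCS7_DATA)),  # contentInfo: id-data, no content
        der_encode(0xA0, b"".join(cert_ders)),               # certificates [0] IMPLICIT
        der_encode(0x31, b""),                               # signerInfos: empty SET
    ]))
    return der_encode(0x30, der_encode(0x06, OID_PKCS7_SIGNED_DATA)
                      + der_encode(0xA0, signed_data))


# Constructed stand-ins for DER certificates (real ones are SEQUENCEs too);
# their inner structure is irrelevant to the container conversion shown here.
SAMPLE_EE_CERT = der_encode(0x30, b"constructed end-entity certificate")
SAMPLE_CA_CERT = der_encode(0x30, b"constructed intermediate CA certificate")
SAMPLE_PKCS7 = build_certs_only_pkcs7([SAMPLE_EE_CERT, SAMPLE_CA_CERT])


def convert_pkcs7_to_ikev2_cert_payloads(pkcs7_der):
    """Registrar-side conversion: unwrap the PKCS#7 container and emit one
    CERT payload per certificate, in the order the container carried them."""
    return [ikev2_cert_payload(c) for c in pkcs7_extract_certificates(pkcs7_der)]


if __name__ == "__main__":
    for payload in convert_pkcs7_to_ikev2_cert_payloads(SAMPLE_PKCS7):
        print(len(payload), "bytes, cert encoding", payload[4])
```

The conversion touches only container framing: nothing in the certificates themselves is re-encoded, so whatever a CA signs is what the peer receives. Sending the certificates as separate CERT payloads with encoding 4 also sidesteps the ambiguity Paul describes for encoding 1, where a single PKCS#7 wrapper is used to carry more than one certificate.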