Hi Tero,
> [talking as individual and one of RFC7296 authors, not as WG chair].
>
> Toerless Eckert writes:
> > On Wed, Jun 17, 2020 at 08:55:12PM -0400, Paul Wouters wrote:
> > > The RFC states:
> > >
> > >The USE_TRANSPORT_MODE notification MAY be included in a request
> > >message that
In ACP, we use IKEv2 between peers without assumed methods to retrieve
certificates from "external" sources like http repositories. And the CA most
likely will have a non-public Trust Anchor (TA) (enterprise PKI).
Imagine a large multi-tenant network infrastructure (office building,
skyscraper)
where
On Fri, 19 Jun 2020, 'Toerless Eckert' wrote:
Michael Richardson was suggesting to include the cert of the TA into the
IKEv2 certificate exchange. This was rejected by Valery/Paul and the suggestion
was to use CERTREQ instead.
Normally, you do not include the TA itself, only intermediate root'
On Fri, Jun 19, 2020 at 01:10:37PM -0400, Paul Wouters wrote:
> > So i am tentatively adding the following text:
> >
> > CERTREQ MUST be used to indicate the ACP TA hashes. This helps the peer
> > in selecting the ACP certificate in case it has certificates also from
> > other TA. It is RECOMMEN