ipsec September 2009 archive
Main Archive Page > Month Archives  > ipsec archives
ipsec: [IPsec] CRL checking when selecting a certifcate

[IPsec] CRL checking when selecting a certifcate

From: David Wierbowski <wierbows_at_nospam>
Date: Wed Sep 02 2009 - 15:33:18 GMT
To: "ipsec@ietf.org WG" <ipsec@ietf.org>

In a recent append Tero said:

>Then the responder is already going against the RFC4306 which says
>"Certificate revocation checking must be considered during the
>chaining process used to select a certificate. " meaning the responder
>cannot send certifiate which itself considers revoced. Only case when
>this can happen is when responder thinks he has valid certificate but
>initiator then checks it against certificate authority's system (for
>example OCSP) and finds out it is not valid anymore. This is not
>common case, thus it can lead to timeouts.

This is a lower case must. I'm not sure it is safe to assume that implementations adhere to a lower case must. CRL checking is not cheap and performing CRL checking when selecting a certificate seems like an optional usability feature to me. From the sender's point of view the worst thing that is going to happen is the receiver will fail the authentication because the certificate is revoked. The only advantage to doing the check on the sender's side is there is a chance the sender can find a non-revoked certificate, but I think the decision to perform that optimization is implementation specific.

Dave Wierbowski

IPsec mailing list