ipsec: Re: [IPsec] CRL checking when selecting a certificate


From: David Wierbowski <wierbows_at_nospam>
Date: Thu Sep 03 2009 - 14:01:25 GMT
To: "ipsec@ietf.org WG" <ipsec@ietf.org>

Tero, thanks for the comments and the clarification on how to read a lower case must. I do have a few more comments.

>So implementations cannot just search uppercase "MUST/SHOULD/MAY"
>texts and assume it is enough to make sure those are correct. It also
>needs to do what the text says...

I think most implementers focus on the MUST and SHOULDs and then apply common sense to the remaining text.

>> CRL checking is not cheap and
>> performing CRL checking when selecting a certificate seems like a
>> usability feature to me.
>Then you probably want to make a change to the current text which says
>you must do it...

Correct. I think when selecting a certificate that consulting revocation information is a lower case should or could at best. I agree that on the accepting side a lower case must is appropriate for revocation checking from an interoperability perspective. By that I mean the failure to do so will not hinder interoperability, but from a security perspective it really should be done.

Dave Wierbowski

z/OS Comm Server Developer


Tie line: 620-4055
External: 607-429-4055
