Re: [IPsec] #120: CA indication with cert req - allowed types

From: David Wierbowski <wierbows_at_nospam>
Date: Fri Oct 30 2009 - 21:56:15 GMT
To: IPsecme WG <ipsec@ietf.org>

> Sec. 3.7 has:
> The contents of the "Certification Authority" field are defined only for X.509 certificates, which are types 4, 10, 12, and 13. > Other values SHOULD NOT be used until standards-track specifications that specify their use are published.

> This excludes certificate requests of type 7, i.e. for CRLs. For
requesting a specific CRL type 7 would make sense, in particular in > chain situations. Should we add it to the list of allowed types here?

RFC 4945 states that implementations SHOULD NOT send CERTREQs for types 7 and 8. If they are sent then an implementation MUST NOT require the recipient to respond and the recipient MAY ignore the request. Given that I don't expect that it is common that implementations send CERTREQs with type 7 or 8 to begin with. If they do I agree with Tero that an empty certificate authority field is probably sufficient.

OTOH, I would not be opposed to adding RFC 4945's "SHOULD NOT send CERTREQs for type 7 and 8" statement here.

> OTOH, this allows type 10, which is unspecified and should be removed.

Dave Wierbowski

z/OS Comm Server Developer

Phone:

Tie line: 620-4055
External: 607-429-4055

IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

This message: [ Message body ]
Next message: David Wierbowski: "Re: [IPsec] #119: Which certificate types can be mixed in one exchange?"
Previous message: Paul Hoffman: "Re: [IPsec] Fw: Preshared key authentication in IKEv2"
In reply to: Yaron Sheffer: "[IPsec] #120: CA indication with cert req - allowed types"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]