
Re: [IPsec] #120: CA indication with cert req - allowed types

From: David Wierbowski <wierbows_at_nospam>
Date: Fri Oct 30 2009 - 21:56:15 GMT
To: IPsecme WG <ipsec@ietf.org>

> Sec. 3.7 has:
> The contents of the "Certification Authority" field are defined only for X.509 certificates, which are types 4, 10, 12, and 13.
> Other values SHOULD NOT be used until standards-track specifications that specify their use are published.

> This excludes certificate requests of type 7, i.e. for CRLs. For
> requesting a specific CRL type 7 would make sense, in particular in
> chain situations. Should we add it to the list of allowed types here?

RFC 4945 states that implementations SHOULD NOT send CERTREQs for types 7 and 8. If they are sent then an implementation MUST NOT require the recipient to respond and the recipient MAY ignore the request. Given that, I don't expect that it is common for implementations to send CERTREQs with type 7 or 8 to begin with. If they do, I agree with Tero that an empty certificate authority field is probably sufficient.

OTOH, I would not be opposed to adding RFC 4945's "SHOULD NOT send CERTREQs for type 7 and 8" statement here.

> OTOH, this allows type 10, which is unspecified and should be removed.

Dave Wierbowski

z/OS Comm Server Developer


    Tie line: 620-4055
    External: 607-429-4055

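The type rules discussed in this thread, applied by a responder when it parses a CERTREQ payload, as an added example that is not part of the original message or of any IKE implementation. It assumes the IKEv2 payload layout (4-byte generic header, 1-byte Certificate Encoding, then the Certification Authority field) and that for the X.509 types the CA field is a concatenation of 20-byte SHA-1 hashes of trusted CA public keys; the constructed payloads in the helper are test input, not captured traffic.

```python
# Added example: defensive CERTREQ parsing that follows the type rules in
# the thread (CA field defined only for X.509 types 4, 10, 12, 13; CRL/ARL
# requests of type 7/8 MAY be ignored per RFC 4945).
# Assumption: generic payload header is Next Payload (1), C/Reserved (1),
# Payload Length (2); the CA field for X.509 types holds 20-byte SHA-1 hashes.
import struct

X509_TYPES = {4, 10, 12, 13}   # types for which the CA field is defined
CRL_TYPES = {7, 8}             # CRL / ARL: sender SHOULD NOT, recipient MAY ignore
HASH_LEN = 20                  # SHA-1 hash of a trusted CA's public key

def parse_certreq(payload: bytes) -> dict:
    """Parse one CERTREQ payload and decide how the responder treats it."""
    if len(payload) < 5:
        raise ValueError("CERTREQ shorter than header plus encoding byte")
    next_payload, _flags, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload):
        raise ValueError(f"Payload Length {length} != actual {len(payload)}")
    encoding = payload[4]
    ca_field = payload[5:]
    result = {"next_payload": next_payload, "encoding": encoding,
              "ca_hashes": [], "action": None}
    if encoding in X509_TYPES:
        # Reject a CA field that is not a whole number of hashes instead of
        # silently truncating it to the hashes that happen to fit.
        if len(ca_field) % HASH_LEN != 0:
            raise ValueError("CA field is not a whole number of SHA-1 hashes")
        result["ca_hashes"] = [ca_field[i:i + HASH_LEN]
                               for i in range(0, len(ca_field), HASH_LEN)]
        result["action"] = "select-cert-by-ca"
    elif encoding in CRL_TYPES:
        # Recipient MUST NOT be required to respond and MAY ignore; an empty
        # CA field is the expected form, so note anything else for logging.
        result["action"] = "ignore" if not ca_field else "ignore-unexpected-ca"
    else:
        # CA field is undefined for every other type: do not interpret it.
        result["action"] = "undefined-ca-field"
    return result

def build_certreq(encoding: int, ca_field: bytes, next_payload: int = 0) -> bytes:
    """Build a CERTREQ payload (constructed test input, not a real peer's)."""
    header = struct.pack("!BBH", next_payload, 0, 5 + len(ca_field))
    return header + bytes([encoding]) + ca_field
```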