|Main Archive Page > Month Archives > ipsec archives|
> Sec. 3.7 has:
> The contents of the "Certification Authority" field are defined only for X.509 certificates, which are types 4, 10, 12, and 13. > Other values SHOULD NOT be used until standards-track specifications that specify their use are published.
> This excludes certificate requests of type 7, i.e. for CRLs. For
requesting a specific CRL type 7 would make sense, in particular in > chain situations. Should we add it to the list of allowed types here?
RFC 4945 states that implementations SHOULD NOT send CERTREQs for types 7 and 8. If they are sent then an implementation MUST NOT require the recipient to respond and the recipient MAY ignore the request. Given that I don't expect that it is common that implementations send CERTREQs with type 7 or 8 to begin with. If they do I agree with Tero that an empty certificate authority field is probably sufficient.
OTOH, I would not be opposed to adding RFC 4945's "SHOULD NOT send CERTREQs for type 7 and 8" statement here.
> OTOH, this allows type 10, which is unspecified and should be removed.
z/OS Comm Server Developer
Tie line: 620-4055