ipsec September 2009 archive
Main Archive Page > Month Archives  > ipsec archives
ipsec: Re: [IPsec] HTTP_CERT_LOOKUP_SUPPORTED notify text


From: David Wierbowski <wierbows_at_nospam>
Date: Tue Sep 22 2009 - 14:09:45 GMT
To: ipsec@ietf.org

I posted this a last week and have not seen any comments:

Section 3.6 of ikev2bis-04 says, "Certificate payloads SHOULD be included in an exchange if certificates are available to the sender unless the peer has indicated an ability to retrieve this information from elsewhere using an HTTP_CERT_LOOKUP_SUPPORTED Notify payload."

Section 3.7 of ikev2bis-04, says "The HTTP_CERT_LOOKUP_SUPPORTED notification MAY be included in any message that can include a CERTREQ payload and indicates that the sender is capable of looking up certificates based on an HTTP-based URL (and hence presumably would prefer to receive certificate specifications in that format)."

Section 3.10.1 of ikev2bis-04 indicates that section 3.6 should be consulted for an explanation of the HTTP_CERT_LOOKUP_SUPPORTED notification.

I think section 3.10.1 should say "see section 3.7" as the text that was associated with the HTTP_CERT_LOOKUP_SUPPORTED notify in RFC 4306 is now in Section 3.7.

I also question the accuracy of the statement in Section 3.6. Section 3.7 implies that certificate payloads should still be sent when an HTTP_CERT_LOOKUP_SUPPORTED notify is received; however, an encoding type of 12 or 13 should be used if possible as the peer has indicated a preference to receive certificate specifications in that format.

Dave Wierbowski

IPsec mailing list