[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Last Call: 'OCSP Extensions to IKEv2' to Proposed Standard (draft-myers-ikev2-ocsp)
The IESG has received a request from an individual submitter to consider the
following document:
- 'OCSP Extensions to IKEv2'
<draft-myers-ikev2-ocsp-02.txt> as a Proposed Standard
While IKEv2 supports public key based authentication (PKI), the
corresponding use of in-band CRLs is problematic due to unbounded CRL
size. The size of an OCSP response is however well-bounded and small.
This document defines two extensions to IKEv2 which enable the use of
OCSP for in-band signaling of certificate revocation status. Two new
content encodings are defined for use in the CERTREQ and CERT
payloads: OCSP Responder Hash and OCSP Response. An OCSP Responder
Hash CERTREQ payload triggers transmission of an OCSP Response CERT
payload.
When certificates are used with IKEv2, the communicating peers need a
mechanism to determine the revocation status of the peer's
certificate. OCSP is one such mechanism. This document applies when
OCSP is desired and security policy prevents one of the IKEv2 peers
from accessing the relevant OCSP responder directly. Firewalls are
often deployed in a manner that prevents such access by IKEv2 peers
outside of an enterprise network.
The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send any comments to the
iesg at ietf.org or ietf at ietf.org mailing lists by 2006-08-08.
The file can be obtained via
http://www.ietf.org/internet-drafts/draft-myers-ikev2-ocsp-02.txt
_______________________________________________
IETF-Announce mailing list
IETF-Announce at ietf.org
https://www1.ietf.org/mailman/listinfo/ietf-announce