Re: [IPsec] #120: CA indication with cert req - allowed types

To: IPsecme WG <ipsec at ietf.org>
Subject: Re: [IPsec] #120: CA indication with cert req - allowed types
From: David Wierbowski <wierbows at us.ibm.com>
Date: Fri, 30 Oct 2009 17:56:15 -0400
Delivered-to: ipsec at core3.amsl.com
In-reply-to: <7F9A6D26EB51614FBF9F81C0DA4CFEC801BDA1213EAC at il-ex01.ad.checkpoint.com>
List-archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-help: <mailto:ipsec-request@ietf.org?subject=help>
List-id: Discussion of IPsec protocols <ipsec.ietf.org>
List-post: <mailto:ipsec@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
References: <7F9A6D26EB51614FBF9F81C0DA4CFEC801BDA1213EAC at il-ex01.ad.checkpoint.com>

> Sec. 3.7 has:

> The contents of the "Certification Authority" field are defined only for X.509 certificates, which are types 4, 10, 12, and 13. > Other values SHOULD NOT be used until standards-track specifications that specify their use are published.

> This excludes certificate requests of type 7, i.e. for CRLs. For requesting a specific CRL type 7 would make sense, in particular in > chain situations. Should we add it to the list of allowed types here?

RFC 4945 states that implementations SHOULD NOT send CERTREQs for types 7 and 8. If they are sent then an implementation MUST NOT require the recipient to respond and the recipient MAY ignore the request. Given that I don't expect that it is common that implementations send CERTREQs with type 7 or 8 to begin with. If they do I agree with Tero that an empty certificate authority field is probably sufficient.

OTOH, I would not be opposed to adding RFC 4945's "SHOULD NOT send CERTREQs for type 7 and 8" statement here.

> OTOH, this allows type 10, which is unspecified and should be removed.

Dave Wierbowski

z/OS Comm Server Developer

Phone:
Tie line: 620-4055
External: 607-429-4055

References:
- [IPsec] #120: CA indication with cert req - allowed types
  - From: Yaron Sheffer

Prev by Date: Re: [IPsec] Fw: Preshared key authentication in IKEv2
Next by Date: Re: [IPsec] #119: Which certificate types can be mixed in one exchange?
Previous by thread: Re: [IPsec] #120: CA indication with cert req - allowed types
Next by thread: Re: [IPsec] #120: CA indication with cert req - allowed types
Index(es):
- Date
- Thread

Re: [IPsec] #120: CA indication with cert req - allowed types

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.