Well, I thought I would start a thread on one issue that came up at the VPN Workshop, and that is the usage of the CERT_REQ_PAYLOAD or CRP.
RFC 2408 states:

    "The Certificate Request Payload provides a means to request certificates via ISAKMP and can appear in any message. Certificate Request payloads SHOULD be included in an exchange whenever an appropriate directory service (e.g. Secure DNS [DNSSEC]) is not available to distribute certificates."

and

    "If multiple certificates are required, then multiple Certificate Request payloads SHOULD be transmitted."

The behaviour I saw was one of the following.
1) Initiator sends a CRP per cert required, and the responder replies with the appropriate certificates.

2) Initiator sends 1 CRP, and the responder sends all certs.

3) Initiator does not send a CRP, but wants all certs because RSA was negotiated.
I am sure there are others. I would like to recommend that option 1 is the best option, and the simplest. This has caused many interop issues, and the vague wording does not help. I would like to tighten up the rules if possible.
Comments?
Regards
Scott Fanning
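As an added illustration of option 1 (not part of the post above, and not any implementation's code), the following Python builds one Certificate Request payload per required certificate using the RFC 2408 section 3.10 layout (Next Payload, RESERVED, Payload Length, Cert Type, Certificate Authority), and shows a responder that answers each CRP with exactly the certificate whose issuer matches the requested CA. The CA names and certificate bytes are constructed sample data; the payload type numbers (CERT = 6, CR = 7) and the X.509 signature encoding value (4) are the ones defined in RFC 2408. The parser also enforces the length fields, which is where sloppy CRP handling tends to cause interop and robustness trouble.

```python
"""Option 1 from the post: one ISAKMP Certificate Request payload (CRP) per
required certificate, and a responder that returns one CERT payload per CRP
it can satisfy. Wire format per RFC 2408 section 3.10; sample data constructed."""
import struct

# RFC 2408 payload type numbers and the certificate encoding used here.
ISAKMP_NP_NONE = 0       # end of payload chain
ISAKMP_NP_CERT = 6       # Certificate payload
ISAKMP_NP_CR = 7         # Certificate Request payload
CERT_ENC_X509_SIG = 4    # "X.509 Certificate - Signature"

GENERIC_HDR = struct.Struct("!BBH")   # Next Payload, RESERVED, Payload Length


def build_cert_req(ca_name: bytes, next_payload: int) -> bytes:
    """Encode one CRP: generic header, Cert Type byte, then the CA name.
    Payload Length covers the whole payload (4-byte header + 1 + CA name)."""
    length = GENERIC_HDR.size + 1 + len(ca_name)
    return GENERIC_HDR.pack(next_payload, 0, length) + bytes([CERT_ENC_X509_SIG]) + ca_name


def build_cert_req_chain(ca_names) -> bytes:
    """Option 1: emit one CRP per required certificate, chained via Next Payload."""
    out = b""
    for i, name in enumerate(ca_names):
        nxt = ISAKMP_NP_CR if i + 1 < len(ca_names) else ISAKMP_NP_NONE
        out += build_cert_req(name, nxt)
    return out


def parse_payloads(data: bytes, first_type: int):
    """Walk a chain of generic ISAKMP payloads that all carry a 1-byte
    encoding field (CERT and CR both do). Returns [(type, encoding, body)].
    Rejects truncated or overlong length fields instead of trusting them."""
    payloads, ptype, off = [], first_type, 0
    while ptype != ISAKMP_NP_NONE:
        if off + GENERIC_HDR.size > len(data):
            raise ValueError("truncated payload header")
        nxt, _reserved, length = GENERIC_HDR.unpack_from(data, off)
        if length < GENERIC_HDR.size + 1 or off + length > len(data):
            raise ValueError("bad payload length %d at offset %d" % (length, off))
        encoding = data[off + GENERIC_HDR.size]
        body = data[off + GENERIC_HDR.size + 1: off + length]
        payloads.append((ptype, encoding, body))
        off += length
        ptype = nxt
    if off != len(data):
        raise ValueError("trailing bytes after last payload")
    return payloads


# Constructed sample certificate store: issuer name -> certificate bytes.
# Real code would hold DER-encoded X.509 certificates keyed by issuer DN.
CERT_STORE = {
    b"CN=Example Root CA": b"<constructed cert issued by Example Root CA>",
    b"CN=Example Sub CA": b"<constructed cert issued by Example Sub CA>",
}


def respond_to_cert_reqs(crp_bytes: bytes) -> bytes:
    """Responder side of option 1: for each CRP naming a CA we hold a
    certificate for, emit one CERT payload. Unknown CAs get nothing."""
    matched = []
    for ptype, encoding, ca_name in parse_payloads(crp_bytes, ISAKMP_NP_CR):
        if ptype != ISAKMP_NP_CR or encoding != CERT_ENC_X509_SIG:
            continue
        cert = CERT_STORE.get(ca_name)
        if cert is not None:
            matched.append(cert)
    out = b""
    for i, cert in enumerate(matched):
        nxt = ISAKMP_NP_CERT if i + 1 < len(matched) else ISAKMP_NP_NONE
        length = GENERIC_HDR.size + 1 + len(cert)
        out += GENERIC_HDR.pack(nxt, 0, length) + bytes([CERT_ENC_X509_SIG]) + cert
    return out


if __name__ == "__main__":
    req = build_cert_req_chain([b"CN=Example Root CA", b"CN=Example Sub CA"])
    resp = respond_to_cert_reqs(req)
    for ptype, enc, body in parse_payloads(resp, ISAKMP_NP_CERT):
        print(ptype, enc, body)
```

The point of the pairing is that each CRP carries a single CA name, so the responder can match request to certificate one-for-one; a lone CRP with an empty CA field (option 2) leaves the responder guessing which certificates the initiator actually wants.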