
Re: CRLs



At 05:47 PM 10/26/99 -0400, Greg Carter wrote:
> So don't send it unless asked, if asked the above covers how. If they ask
> then they can process, so there shouldn't be interop problems.  If they ask
> and you can't produce then you have a problem, if you can't produce because
> you don't support CRLs then that is your problem.

This sounds right to me. We should add it to the draft as we add discussion about certificate requests and responses.

> If you only support OCSP
> as a gateway and the OCSP server is behind your gateway you're SOL.

Maybe. We could extend the DOI slightly to allow the request of an OCSP response. Until we do that, however, you're right.

> So I think gateways should be prepared to respond with a CRL.  It's a very
> convenient method of transporting CRLs.

Yep.

> Putting the LDAP server behind the gateway is common.

I hadn't heard this, but if that's true, we do need a way to tunnel the CRLs and OCSP responses through to the IKE systems.

--Paul Hoffman, Director
--VPN Consortium