Greg Carter writes:
> So don't send it unless asked, if asked the above covers how. If they ask
> then they can process, so there shouldn't be interop problems.  If they ask

If they cannot process CRLs inside the IKE then the implementation is
broken, and does not follow the ISAKMP RFC. The ISAKMP RFC says very
clearly that certificate payload MUST be accepted at any point during
an exchange. The implementation can throw the CRL it received away,
but it must be able to receive certificate payloads anywhere.
kivinen@iki.fi                               Work : +358-9-4354 3218
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
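
Added example, not part of the original message: a receiver-side sketch of the behaviour described above, in which a certificate payload is accepted wherever it appears in the payload chain and a CRL that was not asked for is parsed and then thrown away instead of failing the exchange. The payload type and certificate encoding numbers are taken from RFC 2408; the function names, the `want_crls` flag and the sample bytes are constructed for illustration.

```python
import struct

# Numbers from RFC 2408 (ISAKMP): payload types and certificate encodings.
PAYLOAD_NONE, PAYLOAD_ID, PAYLOAD_CERT, PAYLOAD_SIG = 0, 5, 6, 9
ENC_X509_SIGNATURE, ENC_CRL = 4, 7

def make_payload(next_type, body):
    """Build one payload: next payload, reserved, length (header included), body."""
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body

def walk_payloads(first_type, data):
    """Yield (payload_type, body) for each payload in the chain, bounds-checked."""
    ptype, offset = first_type, 0
    while ptype != PAYLOAD_NONE:
        if offset + 4 > len(data):
            raise ValueError("truncated generic payload header")
        next_type, _reserved, length = struct.unpack_from("!BBH", data, offset)
        if length < 4 or offset + length > len(data):
            raise ValueError("payload length out of bounds")
        yield ptype, data[offset + 4:offset + length]
        ptype, offset = next_type, offset + length

def receive(first_type, data, want_crls=False):
    """Accept CERT payloads wherever they occur; drop CRLs that are not wanted."""
    result = {"certs": [], "crls": [], "dropped": 0, "order": []}
    for ptype, body in walk_payloads(first_type, data):
        result["order"].append(ptype)
        if ptype != PAYLOAD_CERT:
            continue  # other payloads go to their own handlers (not modelled)
        if not body:
            raise ValueError("certificate payload without encoding octet")
        encoding, cert_data = body[0], body[1:]
        if encoding != ENC_CRL:
            result["certs"].append((encoding, cert_data))
        elif want_crls:
            result["crls"].append(cert_data)
        else:
            result["dropped"] += 1  # received and parsed, then thrown away
    return result

# Constructed message body: ID, CERT carrying a CRL, CERT, SIG.
SAMPLE = (make_payload(PAYLOAD_CERT, b"id-data")
          + make_payload(PAYLOAD_CERT, bytes([ENC_CRL]) + b"crl-bytes")
          + make_payload(PAYLOAD_SIG, bytes([ENC_X509_SIGNATURE]) + b"cert-bytes")
          + make_payload(PAYLOAD_NONE, b"sig-data"))
```

Calling `receive(PAYLOAD_ID, SAMPLE)` walks all four payloads and counts the CRL as dropped; only a malformed length field raises an error.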