[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Initial

To: scep@xxxxxxxx
Subject: Initial
From: Dirk-Willem van Gulik <dirkx@xxxxxxxxxxxxxx>
Date: Sun, 17 Feb 2008 17:04:26 +0100
List-archive: <http://www.vpnc.org/scep/mail-archive/>
List-id: <scep.vpnc.org>
List-unsubscribe: <mailto:scep-request@vpnc.org?body=unsubscribe>
Sender: owner-scep@xxxxxxxxxxxxx

Apologies if this is is a very obvious question - but I've certainlymissed it reading through the document. With respect to:

2.2.1.2 Required Information A requester is required to have thefollowing information configured before starting any PKI operations:1. the certificate authority IP address or fully-qualified domainname,2. the certificate authority HTTP CGI script path, and the HTTPproxy information in case there is no direct Internet connection tothe server,3. If CRLs are being published by the CA to an LDAP directoryserver, and there is a CRL Distribution Point containing only an X.500 directory name, then the client will need to know the LDAPserver fully-qualified domain name or IP address. CRL DistributionPoints are discussed in more detail in RFC 2459.

How does a client learn '1' and '3' in the wild. For '3' we have clearextensions in the very first x509 cert's you'd encounter, say during a802.1X signon, when you talk to the server* -- but in what extensionis 1 passed ? And secondly - how does one learn those when the x509 ofthe first port of call (say some Radius server doing EAP) is differentfrom above ?


Thanks,

Dw

*: who in the TLS exchange will flash its own cert and the chain up.

Prev by Date: Re: question on interop with entrust server
Previous by thread: Q: draft 6 of draft-nourse-scep
Index(es):
- Date
- Thread