linux-ipsec: FW: Certificate request payloads in ISAKMP
From: Peter Onion <ponion(at)srd.bt.co.uk>
Date: Wed Dec 16 1998 - 11:58:32 EST
-----FW: Certificate request payloads in ISAKMP-----
Date: Wed, 16 Dec 1998 16:34:48 -0000 (GMT)
From: Peter Onion <ponion@srd.bt.co.uk>
Hi,

I'm looking at putting certificate based authentication into freeswan (the linux IPSEC implementation), and I have several questions, but here's one for starters....

I'm reading rfc2409 at the moment, and I'm puzzled by the statement in section 5:

    Exchanges in IKE are not open ended and have a fixed number of
    messages. Receipt of a Certificate Request payload MUST NOT extend
    the number of messages transmitted or expected.

and in 5.2:

    In order to perform the public key encryption, the initiator must
    already have the responder's public key.

I realise that I could go to a CA or LDAP server to get the certificate, but if I want to send a request to the other party for its certificate, should it be placed as an additional payload after the SA in the first exchange? Thus making the exchanges look like this (new items shown **thus**):
    Initiator                                Responder
    -----------                              -----------
    HDR, SA, **CertReq**              -->
                                      <--    HDR, SA, **Cert_i**, **CertReq**
    HDR, KE, [ HASH(1), ],
    **Cert_r**,
If I've totally misunderstood what is going on then please tell me so as I'm still getting to grips with the rfcs :-)

Peter Onion.

E-Mail: Peter Onion <ponion@srd.bt.co.uk>
Date: 16-Dec-98
Time: 16:34:48
This message was sent by XFMail
--------------End of forwarded message-------------------------
E-Mail: Peter Onion <ponion@srd.bt.co.uk>
Date: 16-Dec-98
Time: 16:57:26
This message was sent by XFMail

Received on Wed Dec 16 16:30:39 1998
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:09 EDT
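The point the quoted RFC text makes is that a Certificate Request rides inside an existing message rather than adding one. The following is an added example, not code from the post or from FreeS/WAN: it encodes an ISAKMP Certificate Request payload (RFC 2408 section 3.10 layout), appends it to a constructed first Main Mode message after the SA payload, and walks the payload chain with length checks. The SA payload carries no proposals and the CA name "CN=Example CA" is a constructed placeholder.

```python
import struct

# Payload type numbers from RFC 2408 section 3.1 (only those used here).
PAYLOAD_NONE = 0
PAYLOAD_SA = 1
PAYLOAD_CR = 7   # Certificate Request

# Certificate encoding numbers from RFC 2408 section 3.9.
CERT_X509_SIG = 4


def build_certreq(next_payload, cert_encoding, ca=b""):
    """Generic payload header (next, reserved, length) + encoding byte + CA."""
    length = 4 + 1 + len(ca)
    return struct.pack("!BBHB", next_payload, 0, length, cert_encoding) + ca


def parse_payloads(first_type, body):
    """Walk one message body's payload chain; return [(type, data), ...].
    Raises ValueError on a truncated or inconsistent chain, so a bad length
    in one payload cannot make the parser read past the buffer."""
    out, ptype, off = [], first_type, 0
    while ptype != PAYLOAD_NONE:
        if off + 4 > len(body):
            raise ValueError("truncated generic payload header")
        nxt, _res, length = struct.unpack_from("!BBH", body, off)
        if length < 4 or off + length > len(body):
            raise ValueError("bad payload length %d at offset %d" % (length, off))
        out.append((ptype, body[off + 4:off + length]))
        off += length
        ptype = nxt
    if off != len(body):
        raise ValueError("trailing bytes after last payload")
    return out


def first_message_payloads():
    """Constructed body of the initiator's first message: SA, then CERTREQ."""
    sa_body = struct.pack("!II", 1, 1)  # DOI=IPSEC, SIT_IDENTITY_ONLY; no proposals
    sa = struct.pack("!BBH", PAYLOAD_CR, 0, 4 + len(sa_body)) + sa_body
    certreq = build_certreq(PAYLOAD_NONE, CERT_X509_SIG, b"CN=Example CA")
    return parse_payloads(PAYLOAD_SA, sa + certreq)


def is_malformed(first_type, body):
    """True if the chain is rejected by parse_payloads."""
    try:
        parse_payloads(first_type, body)
        return False
    except ValueError:
        return True
```

The message still counts as one exchange message; the receiver simply sees an extra payload in the chain, and a peer that tolerates it has no reason to send anything beyond the fixed sequence.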