[Openswan dev] [Pki4ipsec] OCSP in IKEv2

Michael Myers mmyers at fastq.com
Sat Aug 7 11:21:32 CEST 2004


The intersection of IPSEC with PKI is of recent interest.  Towards that
dialog, Hannes Tschofenig and I have proposed how OCSP could be used to
deliver certificate status in-band to IKEv2.  We were driven first to
consider the important use case of EAP (i.e. the Road Warrior) but also
considered the Peer-to-Peer case in order to develop a general solution.

This individual submission I-D can be found at:

Two new certificate encoding types are proposed:  OCSP Responder Hash
and OCSP Response.  An OCSP Responder Hash is sent in a CERTREQ,
computed as trust anchor hashes are computed but sent in a separate
CERTREQ.  A corresponding OCSP Response is sent back in its own CERT
payload and in the context of the CERT payload carrying the
participant's certificate.  That is, an IKEv2 participant sends both its
cert and that cert's status in separate CERT payloads.

Hannes and I look forward to your comments and debate.  I've
cross-posted due to intersecting interests but please post comments to
the IPSEC list only.

Michael Myers
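The exchange the post describes, as an added Python sketch that is not code from the I-D, its authors, or Openswan: one side sends a CERTREQ carrying OCSP Responder Hashes, the peer picks a cached OCSP response signed by a listed responder, and answers with its certificate and that certificate's status in two separate CERT payloads. The encoding-type numbers (0xF0, 0xF1) are placeholders because the post assigns none, and the hash is assumed to be SHA-1 over the responder's SubjectPublicKeyInfo, as IKEv2 computes trust-anchor hashes.

```python
import hashlib
import struct

# IKEv2 payload type numbers for CERT and CERTREQ (RFC 4306 values).
PAYLOAD_CERT, PAYLOAD_NONE = 37, 0
# Existing encoding "X.509 Certificate - Signature" (RFC 4306 value 4).
ENC_X509_SIG = 4
# The post names two new encodings but gives no numbers: placeholders.
ENC_OCSP_RESPONDER_HASH, ENC_OCSP_RESPONSE = 0xF0, 0xF1
HASH_LEN = 20  # assumption: SHA-1 of SubjectPublicKeyInfo, as for trust anchors


def build_payload(next_payload, encoding, data):
    """Generic IKEv2 header (Next, C/Reserved, Length) + Cert Encoding + data."""
    body = bytes([encoding]) + data
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def split_payloads(buf):
    """Walk a chain of CERT/CERTREQ payloads; return [(encoding, data), ...]."""
    out, off = [], 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated payload header")
        _nxt, _flags, length = struct.unpack("!BBH", buf[off:off + 4])
        if length < 5 or off + length > len(buf):
            raise ValueError("bad payload length")
        out.append((buf[off + 4], buf[off + 5:off + length]))
        off += length
    return out


def key_hash(spki_der):
    return hashlib.sha1(spki_der).digest()


def build_ocsp_certreq(responder_spkis, next_payload=PAYLOAD_NONE):
    """CERTREQ listing acceptable OCSP responders by public-key hash."""
    data = b"".join(key_hash(s) for s in responder_spkis)
    return build_payload(next_payload, ENC_OCSP_RESPONDER_HASH, data)


def pick_ocsp_response(certreq, cached):
    """cached: {responder SPKI DER: OCSP response DER}. Return a response
    from a responder the peer listed, or None if nothing matches."""
    (enc, data), = split_payloads(certreq)
    if enc != ENC_OCSP_RESPONDER_HASH or len(data) % HASH_LEN:
        raise ValueError("not an OCSP Responder Hash CERTREQ")
    wanted = {data[i:i + HASH_LEN] for i in range(0, len(data), HASH_LEN)}
    return next((r for s, r in cached.items() if key_hash(s) in wanted), None)


def build_cert_with_status(cert_der, ocsp_der):
    """Cert and its status travel in two CERT payloads chained by Next Payload."""
    return (build_payload(PAYLOAD_CERT, ENC_X509_SIG, cert_der)
            + build_payload(PAYLOAD_NONE, ENC_OCSP_RESPONSE, ocsp_der))
```

The SPKI and OCSP bytes used with these functions are opaque here; a real implementation would parse DER and verify the OCSP response signature before trusting the status.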
