[Openswan Users] openswan and DoD PKI specification

Chen, Xuli (James) chenja at avaya.com
Mon Mar 21 11:47:19 EDT 2011

Thanks Paul.

RFC specifications have already implemented X.509 CRL version 2, which has a new field, CRL extensions. Does the latest openswan support both CRL versions? Would it always be backward compatible (will it continue supporting v1 when it supports v2)?


-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: Friday, March 18, 2011 9:51 PM
To: Chen, Xuli (James)
Cc: users at openswan.org
Subject: Re: [Openswan Users] openswan and DoD PKI specification

On Fri, 18 Mar 2011, Chen, Xuli (James) wrote:

> Date: Fri, 18 Mar 2011 14:52:10 -0400
> From: "Chen, Xuli (James)" <chenja at avaya.com>
> To: "users at openswan.org" <users at openswan.org>
> Subject: [Openswan Users] openswan and DoD PKI specification
> Hi All,
> Does anyone know if the DoD PKI specification was being followed when openswan was deployed or upgraded?

The IETF RFC specifications are used. We have no idea what the relationship with
DoD is. For instance, Openswan supports md5 and DoD might say it may not use md5.
Red Hat builds a FIPS 140-2 version of openswan, which disables some ciphers for
this reason, and uses NSS to encrypt all the private keys inside an nssdb database.
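The CRL version question raised above (a v2 CRL differs from v1 by the optional Version field and the crlExtensions field, and RFC 5280 requires v2 whenever extensions are present) can be checked directly on a DER-encoded CRL with no library. This is an added example, not openswan code or anything from the thread; the helper names (tlv, parse_tlv, children, decode_oid, crl_info) and the constructed sample CRLs (dummy signature, not real CA output) are my own assumptions.

```python
# Added example: dependency-free inspector for CRL version and extensions; samples below are constructed.

def tlv(tag, body):  # DER encode one TLV; short-form length only (samples stay < 128 bytes)
    return bytes([tag, len(body)]) + body

def parse_tlv(buf, pos=0):  # decode one TLV (short or long-form length) -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):  # yield (tag, value) for each TLV inside a constructed body
    pos = 0
    while pos < len(body):
        tag, val, pos = parse_tlv(body, pos)
        yield tag, val

def decode_oid(raw):  # OBJECT IDENTIFIER content bytes -> dotted string
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def crl_info(der):  # -> {"version": 1|2, "extensions": [oids], "valid": version agrees with extensions}
    tbs = parse_tlv(parse_tlv(der)[1])[1]   # CertificateList -> TBSCertList body
    fields = list(children(tbs))
    version = 1                             # a v1 CRL omits the Version field entirely
    if fields[0][0] == 0x02:                # INTEGER Version present: v2 is encoded as 1
        version = int.from_bytes(fields[0][1], "big") + 1
    exts = []
    for tag, val in fields:
        if tag == 0xA0:                     # [0] EXPLICIT crlExtensions (only allowed in v2)
            for _, ext in children(parse_tlv(val)[1]):
                exts.append(decode_oid(parse_tlv(ext)[1]))
    # RFC 5280 5.1: if any extension is present, version MUST be v2
    return {"version": version, "extensions": exts, "valid": version == 2 or not exts}

ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))  # sha256WithRSAEncryption
ISSUER = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, b"Example CA"))))
TIME = tlv(0x17, b"110321154719Z")                                                 # UTCTime
CRL_NUMBER = tlv(0x30, tlv(0x06, bytes.fromhex("551d14")) + tlv(0x04, tlv(0x02, b"\x07")))  # id-ce-cRLNumber
EXTS = tlv(0xA0, tlv(0x30, CRL_NUMBER))
SIG = tlv(0x03, b"\x00" * 5)               # dummy BIT STRING standing in for the signature
SAMPLE_V2_CRL = tlv(0x30, tlv(0x30, tlv(0x02, b"\x01") + ALG + ISSUER + TIME + TIME + EXTS) + ALG + SIG)
SAMPLE_V1_CRL = tlv(0x30, tlv(0x30, ALG + ISSUER + TIME + TIME) + ALG + SIG)
BAD_V1_CRL = tlv(0x30, tlv(0x30, ALG + ISSUER + TIME + TIME + EXTS) + ALG + SIG)  # extensions but no v2 marker
```

Feeding a real CRL (e.g. the bytes of a DER file) to crl_info works the same way, since the parser handles long-form lengths; only the encoder helper is limited to the small samples.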
