certificate
... public key based authentication. Confirmation of certificate
reliability is essential in order to achieve the security ...
... public key cryptography provides. One fundamental element of such
confirmation is reference to certificate revocation status (see
[RFC3280 ...
... RFC3280] for additional detail).
The traditional means of determining certificate revocation status is
through the use of Certificate Revocation Lists (CRLs). IKEv2 allows
...
... participant. Such network access deadlock further contributes to a
reduced reliance on the status of certificate revocations in favor of
blind trust ...
... IANA Considerations section of this document):
Certificate Encoding Value
-------------------- -----
OCSP ...
... Responder (Authorized Responder) who holds a
specially marked certificate issued directly by the CA,
indicating that the responder ...
... OCSP response is signed by the CA who issued the
certificate. In case of (c), the OCSP response is signed by the CA
...
... Payload indicates the presence of an OCSP response in the Certificate
Data field of the CERT ...
... CERT payload carrying a certificate can be achieved by matching the
OCSP response CertID field to the certificate. See [RFC2560] for the
definition of OCSP response ...
... trust anchor
hashes as the Certification Authority value of a single CERTREQ
message. There is no means however to indicate which among those
hashes, if present, relates to the certificate of a trusted OCSP
responder ...
... nodes be configured to try OCSP and, if there is
no response, attempt to determine certificate revocation status by
some other means.
...
... OCSP response CERT payload corresponding to the certificate needed to
verify its signature on IKEv2 ...
... payload is out of scope of this document.
The Certificate Data field of an OCSP response CERT ...
... Initiator sends in (3) both a CERT payload carrying its certificate
and an OCSP response CERT payload covering that certificate. In (3),
Initiator also requests an OCSP response ...
... OCSP response CERT payload covering that certificate.
It is important to note that in this scenario, the Responder in (2)
does not yet possess the Initiator's certificate and therefore cannot
form an OCSP request as defined in [RFC2560 ...
... replay attacks in which an old (good)
response is replayed prior to its expiration date but after the
certificate has been revoked. Deployments of OCSP should carefully
...
... IKEv2 Cert
Encoding field of the Certificate Payload format. Official
assignment of the "OCSP Content" extension to the Cert Encoding ...
... X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP", RFC 2560, June 1999. ...
... Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 3280 ...
