Technical Summary
While IKEv2 supports public key based authentication (PKI), the
corresponding use of in-band CRLs is problematic due to unbounded CRL
size. The size of an OCSP response is however well-bounded and small.
This document defines two extensions to IKEv2 which enable the use of
OCSP for in-band signaling of certificate revocation status. Two new
content encodings are defined for use in the CERTREQ and CERT
payloads: OCSP Responder Hash and OCSP Response. An OCSP Responder
Hash CERTREQ payload triggers transmission of an OCSP Response CERT
payload.
When certificates are used with IKEv2, the communicating peers need a
mechanism to determine the revocation status of the peer's
certificate. OCSP is one such mechanism. This document applies when
OCSP is desired and security policy prevents one of the IKEv2 peers
from accessing the relevant OCSP responder directly. Firewalls are
often deployed in a manner that prevents such access by IKEv2 peers
outside of an enterprise network.
Working Group Summary
This document is not a product of any IETF Working Group, but it has
been discussed on both the IPsec mail list and the PKIX mail list.
Protocol Quality
This document was reviewed by Russ Housley for the IESG.