[rfc-dist] RFC 4806 on Online Certificate Status Protocol (OCSP) Extensions to IKEv2

rfc-editor@rfc-editor.org rfc-editor at rfc-editor.org
Mon Feb 26 16:12:17 PST 2007

A new Request for Comments is now available in online RFC libraries.

        RFC 4806

        Title:      Online Certificate Status Protocol (OCSP) 
                    Extensions to IKEv2 
        Author:     M. Myers, H. Tschofenig
        Status:     Standards Track
        Date:       February 2007
        Mailbox:    mmyers at fastq.com, 
                    Hannes.Tschofenig at siemens.com
        Pages:      11
        Characters: 21991
        Updates/Obsoletes/SeeAlso:   None

        I-D Tag:    draft-myers-ikev2-ocsp-05.txt

        URL:        http://www.rfc-editor.org/rfc/rfc4806.txt

While the Internet Key Exchange Protocol version 2 (IKEv2) supports
public key based authentication, the corresponding use of in-band
Certificate Revocation Lists (CRL) is problematic due to unbounded
CRL size.  The size of an Online Certificate Status Protocol (OCSP)
response is however well-bounded and small.  This document defines
the "OCSP Content" extension to IKEv2.  A CERTREQ payload with "OCSP
Content" identifies zero or more trusted OCSP responders and is a
request for inclusion of an OCSP response in the IKEv2 handshake.  A
cooperative recipient of such a request responds with a CERT payload
containing the appropriate OCSP response.  This content is
recognizable via the same "OCSP Content" identifier.

When certificates are used with IKEv2, the communicating peers need a
mechanism to determine the revocation status of the peer's
certificate.  OCSP is one such mechanism.  This document applies when
OCSP is desired and security policy prevents one of the IKEv2 peers
from accessing the relevant OCSP responder directly.  Firewalls are
often deployed in a manner that prevents such access by IKEv2 peers
outside of an enterprise network.  [STANDARDS TRACK]

This is now a Proposed Standard Protocol.

STANDARDS TRACK: This document specifies an Internet standards track
protocol for the Internet community,and requests discussion and 
suggestions for improvements.Please refer to the current edition of the 
Internet Official Protocol Standards (STD 1) for the standardization 
state and status of this protocol.  Distribution of this memo is 

This announcement is sent to the IETF list and the RFC-DIST list.
Requests to be added to or deleted from the IETF distribution list
should be sent to IETF-REQUEST at IETF.ORG.  Requests to be
added to or deleted from the RFC-DIST distribution list should

Details on obtaining RFCs via FTP or EMAIL may be obtained by sending
an EMAIL message to rfc-info at RFC-EDITOR.ORG with the message body 

help: ways_to_get_rfcs. For example:

        To: rfc-info at RFC-EDITOR.ORG
        Subject: getting rfcs

        help: ways_to_get_rfcs

Requests for special distribution should be addressed to either the
author of the RFC in question, or to RFC-Manager at RFC-EDITOR.ORG.  Unless
specifically noted otherwise on the RFC itself, all RFCs are for
unlimited distribution.

Submissions for Requests for Comments should be sent to
RFC-EDITOR at RFC-EDITOR.ORG.  Please consult RFC 2223, Instructions to RFC
Authors, for further information.

The RFC Editor Team
USC/Information Sciences Institute


More information about the rfc-dist mailing list