Hi Eric,

> -------- Original Message --------
> Subject: [P2PSIP] Certificates in SecurityBlock
> From: Eric Rescorla <[email protected]>
> Date: Mon, June 18, 2012 12:54 pm
> To: [email protected]
>
>
> In principle the SecurityBlock structure is designed to work with
> certificates which are stored in the overlay and then retrieved
> at verification time. In practice, however, the certificates are
> indexed into the security block by Hash(cert) but stored in
> the overlay under subject, so you can't retrieve them from
> the overlay.
>
> There seem to be two fixes for this:
> (1) Modify(add to?) the certificate store usage to store certs
> under the fingerprint so they can be retrieved.
> (2) Stop claiming that you can fetch the certs and just say that
> for this version you must send the certs with the message.
>
> Is anyone interested in not sending all the certs with the message?
> If so, we should do (1). Otherwise, we should do (2).

We should do (2), since doing a cert fetch in the middle of request processing adds complexity.

If future versions do (1), it will also be a good opportunity to add the single-hop optimization I proposed long ago, in which messages meant for directly connected peers send an empty security block, because everything is already being done by TLS and DTLS.

Thanks
--Michael

_______________________________________________
P2PSIP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/p2psip
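The index mismatch Eric describes, and both proposed fixes, as an added toy model that is not part of the thread or of any RELOAD implementation: an overlay store keyed by subject, a SecurityBlock that references certificates by Hash(cert), and a verifier that must resolve each reference either from certificates carried in the message (fix 2) or from a fingerprint index in the store (fix 1). The SHA-256 choice, the class and function names, and the byte strings standing in for X.509 certificates are all assumptions made for this example.

```python
import hashlib
from dataclasses import dataclass, field

def fingerprint(cert: bytes) -> str:
    """Hash(cert): the key a SecurityBlock uses to reference a certificate.
    SHA-256 is an assumption for this example."""
    return hashlib.sha256(cert).hexdigest()

class OverlayStore:
    """Toy overlay certificate store. As the thread describes, certs are stored
    under their subject only; index_by_fingerprint() models fix (1)."""
    def __init__(self):
        self.by_subject = {}      # subject -> [cert, ...]
        self.by_fingerprint = {}  # Hash(cert) -> cert (empty until fix 1 is applied)

    def store(self, subject: str, cert: bytes) -> None:
        self.by_subject.setdefault(subject, []).append(cert)

    def index_by_fingerprint(self) -> None:
        # Fix (1): make every stored cert retrievable by the key the block uses.
        for certs in self.by_subject.values():
            for cert in certs:
                self.by_fingerprint[fingerprint(cert)] = cert

    def fetch_by_fingerprint(self, fp: str):
        return self.by_fingerprint.get(fp)

@dataclass
class SecurityBlock:
    cert_refs: list                              # fingerprints the signature chain needs
    certs: list = field(default_factory=list)    # certs carried in the message (fix 2)

def resolve_certs(block: SecurityBlock, store: OverlayStore) -> list:
    """Return the referenced certs in order; None marks a reference the verifier
    cannot satisfy, i.e. the failure mode the thread is about."""
    carried = {fingerprint(c): c for c in block.certs}
    return [carried.get(fp) or store.fetch_by_fingerprint(fp) for fp in block.cert_refs]

if __name__ == "__main__":
    store = OverlayStore()
    cert = b"constructed stand-in for alice's certificate"  # not a real X.509 cert
    store.store("alice@example.org", cert)
    fp = fingerprint(cert)
    print(resolve_certs(SecurityBlock([fp]), store))              # [None]: subject-keyed store
    print(resolve_certs(SecurityBlock([fp], [cert]), store))      # [cert]: fix (2)
    store.index_by_fingerprint()
    print(resolve_certs(SecurityBlock([fp]), store))              # [cert]: fix (1)
```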
