Black David writes:

> > If it means all the listed types, the sentence should be changed to
> > "Implementations SHOULD also be capable of generating ID_IPV6_ADDR,
> > ID_DER_ASN1_DN, and ID_DER_ASN1_GN."
> 
> Which I think amounts to a SHOULD for certificate support.  Is there a
> good reason to go there?

It is already there :-) See section 4 (Conformance Requirements):

   For an implementation to be called conforming to this specification,
   it MUST be possible to configure it to accept the following:

   o  PKIX Certificates containing and signed by RSA keys of size 1024
      or 2048 bits, where the ID passed is any of ID_KEY_ID, ID_FQDN,
      ID_RFC822_ADDR, or ID_DER_ASN1_DN.

   o  Shared key authentication where the ID passed is any of ID_KEY_ID,
      ID_FQDN, or ID_RFC822_ADDR.

   o  Authentication where the responder is authenticated using PKIX
      Certificates and the initiator is authenticated using shared key
      authentication.

Regards,
Valery Smyslov.


_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
