Black David writes:
> > If it means all the listed types, the sentence should be changed to
> > "Implementations SHOULD also be capable of generating ID_IPV6_ADDR,
> > ID_DER_ASN1_DN, and ID_DER_ASN1_GN."
>
> Which I think amounts to a SHOULD for certificate support. Is there a
> good reason to go there?

It is already there :-) See section 4 (Conformance Requirements):

   For an implementation to be called conforming to this specification,
   it MUST be possible to configure it to accept the following:

   o  PKIX Certificates containing and signed by RSA keys of size 1024
      or 2048 bits, where the ID passed is any of ID_KEY_ID, ID_FQDN,
      ID_RFC822_ADDR, or ID_DER_ASN1_DN.

   o  Shared key authentication where the ID passed is any of
      ID_KEY_ID, ID_FQDN, or ID_RFC822_ADDR.

   o  Authentication where the responder is authenticated using PKIX
      Certificates and the initiator is authenticated using shared key
      authentication.

Regards,
Valery Smyslov.