Hi,
Recent discussion on the list has indicated that there is some interest in better supporting ECDSA certificates in IKEv2, and that the existing solutions are not very extensible. The discussion was very useful in outlining the existing issues and pointing to some possible ways forward.

Paul and I would like to propose setting up a design team with the goal of proposing a long-term solution to this problem. Some of the attributes of a reasonable solution include:

- Supports currently used and proposed ECDSA certificates.
- Allows flexibility in defining EC domain parameters.
- Allows flexibility in associating hash functions with EC groups.
- Is not limited to 256 values.
- ECDH is out of scope.
- Non-certificate authentication using raw public keys is out of scope, unless it is trivially supported by the proposal.

The solution should be an extension to IKEv2, and should not break the protocol. Some of the ideas in http://www.ietf.org/mail-archive/web/ipsec/current/msg07828.html can be used as a starting point.

Please respond to us privately or to the list, indicating if you would like to participate in the design team, or if you only support the effort and would be willing to review the ensuing I-D.

Thanks,
    Yaron

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
