On Tue, July 24, 2012 11:04 am, Yoav Nir wrote:

> - Flexibility in associating hash functions should not be unlimited. There
> is no reason to allow a 521-bit EC group with MD4 as the hash function,
> or even with SHA2-256 as the hash function. I'm perfectly happy to limit
> that curve to SHA2-512 and SHA3-512.
There is no reason to "allow" the 768-bit FFC group to be used to generate a shared secret that is to be authenticated with an ECDSA signature with a 521-bit curve and have SHA-1 be used as the key derivation function either, but such a thing is permissible and it will be permissible in IKEv2 even if we were to prohibit the use of SHA-256 with a 521-bit curve. Any attempt to enforce coherent use of primitives (e.g. define what primitives are valid for different security levels, or what certain combinations of primitives are permissible and what are forbidden) should only be done as part of an IKEv3.

Dan.

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
