Yaron Sheffer writes: > Paul and I would like to propose setting up a design team with the goal > of proposing a long-term solution to this problem. Some of the > attributes of a reasonable solution include: > > - Supports currently used and proposed ECDSA certificates. > - Allows flexibility in defining EC domain parameters. > - Allows flexibility in associating hash functions with EC groups. > - Is not limited to 256 values > - ECDH is out of scope. > - Non-certificate authentication using raw public keys is out of scope, > unless it is trivially supported by the proposal.
I would also like to solve the problem with non-EC DSA. > The solution should be an extension to IKEv2, and should not break the > protocol. Some of the ideas in > http://www.ietf.org/mail-archive/web/ipsec/current/msg07828.html can be > used as a starting point. Actually I think adding the signatureAlgorithm from the PKIX 4.1.1.2 to be included in the Authentication data inside the new authentication method as proposed in my email today to the list would be even better, but this is something that should be discussed in the design team. > Please respond to us privately or to the list, indicating if you would > like to participate in the design team, or if you only support the > effort and would be willing to review the ensuing I-D. I would like to participate. -- [email protected] _______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
