<WG chair hat off, author hat on>

Hi Tero,

I think RFC 6989 (additional tests when reusing DH values) should be a normative reference, and the text at the bottom of 2.12 should be strengthened to something like:

In such cases, additional tests defined in [RFC6989] MUST be performed by the IKE peers. See this document, as well as [REUSE] for a security analysis of this practice.

Rationale: even if EC groups (and the "DSA groups") are not defined in RFC 5996, they are a mainstream use case and the RFC 6989 tests are security critical for them. Also, process-wise, RFC 6989 is a Standards Track document so the normative reference is legit.

Small typo: in Sec. 3.3.2, "do not need" -> "does not need", and "needs to have" -> "need to have".

<switch hats now>

Thanks,
        Yaron
