Hi,

I have the impression the recommendation goes beyond the scope of IKEv2 and is more targeted at certificates. On the other hand, having these requirements would make all cryptographic requirements fit into a single document (IKEv2). As a result, I would rather have a section with a link to a document that contains requirements that are specific to the certificates.

I am also wondering if the IKEv2 spec should not also point to that document.

BR,
Daniel

On Thu, Dec 10, 2015 at 9:00 AM, Tero Kivinen <[email protected]> wrote:
> During the draft-ietf-lwig-ikev2-minimal Stephen pointed out that in
> my draft I have copied requirements from the RFC7296:
>
> ----------------------------------------------------------------------
> ...
> For an implementation to be called conforming to this specification,
> it MUST be possible to configure it to accept the following:
>
> o Public Key Infrastructure using X.509 (PKIX) Certificates
>   containing and signed by RSA keys of size 1024 or 2048 bits, where
>   the ID passed is any of ID_KEY_ID, ID_FQDN, ID_RFC822_ADDR, or
>   ID_DER_ASN1_DN.
> ...
> ----------------------------------------------------------------------
>
> And he pointed out that this asks for the mandatory-to-implement key
> size for RSA to be 1024 or 2048 bits.
>
> It is not up to the ikev2-minimal to change these, but RFC4307bis is
> a different thing.
>
> I.e. should we modify this also while updating the RFC4307? We could
> add a section about the mandatory-to-implement authentication methods,
> and specify which methods are to be used, for example require RSA key
> lengths of 2048 bits, and perhaps say that implementations SHOULD
> support RSA key lengths up to 4096 bits.
>
> For the elliptic curves we might want to say something about the signature
> authentication method (RFC 7427) as that supports generic elliptic
> curves, not only the NIST versions. Also should we say something about
> RSASSA-PKCS1-v1_5 vs RSASSA-PSS?
> --
> [email protected]
>
> _______________________________________________
> IPsec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/ipsec
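The thread above is about which RSA key sizes RFC4307bis should make mandatory to implement (2048 bits), which it should say implementations SHOULD support (up to 4096 bits), and whether the 1024-bit size inherited from RFC7296 still belongs there. As an added example that is not part of this thread or of any IETF draft or implementation, the following Python (standard library only) extracts the RSA modulus length from a DER-encoded SubjectPublicKeyInfo, as carried in an X.509 certificate, and applies a configurable minimum/maximum size policy to it, which is the check an IKEv2 responder would run on a peer certificate before accepting certificate authentication. The policy thresholds are the numbers proposed in Tero's message; the moduli in the sample run are constructed integers of the right bit length, not real keys, and the small DER encoder exists only so the example can build its own input offline.

```python
"""Check the RSA modulus size of a DER-encoded SubjectPublicKeyInfo against
an IKEv2 certificate-authentication policy (added example, not from the thread)."""

# rsaEncryption OID 1.2.840.113549.1.1.1 in DER content form
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")

# Policy values taken from the proposal discussed in the thread:
# MUST implement 2048-bit RSA, SHOULD support up to 4096-bit.
MIN_RSA_BITS = 2048
MAX_RSA_BITS = 4096


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def rsa_modulus_bits(spki: bytes) -> int:
    """Return the bit length of the RSA modulus inside a SubjectPublicKeyInfo."""
    tag, body, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    alg_tag, alg, pos = _read_tlv(body, 0)        # AlgorithmIdentifier
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if alg_tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption public key")
    bs_tag, bitstr, _ = _read_tlv(body, pos)      # subjectPublicKey BIT STRING
    if bs_tag != 0x03 or not bitstr or bitstr[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    pk_tag, rsa_pk, _ = _read_tlv(bitstr, 1)      # RSAPublicKey SEQUENCE
    n_tag, n_bytes, _ = _read_tlv(rsa_pk, 0)      # modulus INTEGER comes first
    if pk_tag != 0x30 or n_tag != 0x02:
        raise ValueError("malformed RSAPublicKey")
    return int.from_bytes(n_bytes, "big").bit_length()


def check_rsa_key(spki: bytes, min_bits=MIN_RSA_BITS, max_bits=MAX_RSA_BITS):
    """Return (accepted, reason) for the RSA key size found in spki."""
    bits = rsa_modulus_bits(spki)
    if bits < min_bits:
        return False, f"{bits}-bit RSA key below policy minimum of {min_bits}"
    if bits > max_bits:
        return False, f"{bits}-bit RSA key above supported maximum of {max_bits}"
    return True, f"{bits}-bit RSA key accepted"


# --- minimal DER encoder, only so the example can build sample input offline ---
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def _der_int(value: int) -> bytes:
    b = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:                       # leading zero keeps the INTEGER positive
        b = b"\x00" + b
    return _tlv(0x02, b)


def encode_rsa_spki(n: int, e: int) -> bytes:
    """Build a SubjectPublicKeyInfo for an RSA (n, e) pair."""
    rsa_pk = _tlv(0x30, _der_int(n) + _der_int(e))
    alg = _tlv(0x30, _tlv(0x06, RSA_ENCRYPTION_OID) + _tlv(0x05, b""))
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + rsa_pk))


def constructed_modulus(bits: int) -> int:
    """An integer with exactly `bits` bits; constructed, NOT a real RSA modulus."""
    return (1 << (bits - 1)) | 0x10001


if __name__ == "__main__":
    for bits in (1024, 2048, 4096, 8192):
        spki = encode_rsa_spki(constructed_modulus(bits), 65537)
        print(bits, check_rsa_key(spki))
```

The parser reads only the fields it needs (AlgorithmIdentifier OID, then the modulus INTEGER inside the BIT STRING) and rejects anything that is not rsaEncryption, so a certificate carrying an EC key goes through a separate path rather than being mis-measured; the RSASSA-PKCS1-v1_5 versus RSASSA-PSS question raised in the thread concerns the signature algorithm, which lives elsewhere in the certificate and is not covered by this key-size check.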
