Good point!

On 10/12/15 15:00, "IPsec on behalf of Tero Kivinen"
<[email protected] on behalf of [email protected]> wrote:

>During the draft-ietf-lwig-ikev2-minimal Stephen pointed out that in
>my draft I have copied requirements from the RFC7296:
>
>----------------------------------------------------------------------
>...
>   For an implementation to be called conforming to this specification,
>   it MUST be possible to configure it to accept the following:
>
>   o  Public Key Infrastructure using X.509 (PKIX) Certificates
>      containing and signed by RSA keys of size 1024 or 2048 bits, where
>      the ID passed is any of ID_KEY_ID, ID_FQDN, ID_RFC822_ADDR, or
>      ID_DER_ASN1_DN.
>...
>----------------------------------------------------------------------
>
>And he pointed out that this asks for the mandatory-to-implement key
>size for RSA to be 1024 or 2048 bits.
>
>It is not up to the ikev2-minimal to change these, but RFC4307bis is a
>different thing.
>
>I.e. should we modify this also while updating the RFC4307? We could
>add section about the mandatory to implement authentication methods,
>and specify which methods are to be used, for example require RSA key
>lengths of 2048 bits, and perhaps say that implementations SHOULD
>support RSA key lengths up to 4096 bits.

+1 for MUST NOT support less than 2048-bit RSA
+1 for SHOULD/SHALL support 3072/4096-bit RSA


>For the elliptic curves we might want to say something about signature
>authentication method (RFC 7427) as that supports generic elliptic
>curves not only the nist versions.

If we say something about RSA we should say something about key lengths in
(EC)DSA as well. And if we discuss authentication we should also say
something about SHA-1.

>Also should we say something about
>the RSASSA-PKCS1-v1_5 vs RSASSA-PSS?

+1 for SHOULD NOT support/use PKCS1-v1_5


>-- 
>[email protected]
>
>_______________________________________________
>IPsec mailing list
>[email protected]
>https://www.ietf.org/mailman/listinfo/ipsec

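The RSASSA-PKCS1-v1_5 versus RSASSA-PSS question raised in this thread comes down to how the hash of the signed data is padded before the RSA private-key operation. The following is an added example, not code from the thread or from any IKEv2 implementation: it implements both encodings from RFC 8017 (EMSA-PKCS1-v1_5, section 9.2, and EMSA-PSS, section 9.1) with only the Python standard library, so the difference can be seen directly: v1_5 is fully deterministic with a fixed 0xFF padding string and a DER DigestInfo prefix, while PSS mixes in a random salt and masks the data block with MGF1. The sample message, the salts and the 2048-bit parameters (emBits = 2047) are constructed for the demo; the RSA exponentiation itself and the RFC 7427 payload framing are out of scope here.

```python
"""EMSA-PKCS1-v1_5 and EMSA-PSS encodings (RFC 8017), standard library only.
Added example; the message and salts below are constructed, not from any real exchange."""
import hashlib
import os

# DER DigestInfo prefixes for the hash algorithms usable with RFC 7427 signatures.
DIGEST_INFO = {
    "sha1":   bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha384": bytes.fromhex("3041300d060960864801650304020205000430"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}


def emsa_pkcs1_v1_5_encode(message: bytes, em_len: int, hash_name: str = "sha256") -> bytes:
    """RFC 8017 9.2: EM = 0x00 || 0x01 || PS || 0x00 || T.  No randomness at all."""
    t = DIGEST_INFO[hash_name] + hashlib.new(hash_name, message).digest()
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (em_len - len(t) - 3)
    return b"\x00\x01" + ps + b"\x00" + t


def mgf1(seed: bytes, mask_len: int, hash_name: str) -> bytes:
    """RFC 8017 B.2.1: mask = Hash(seed || 0) || Hash(seed || 1) || ... truncated."""
    h_len = hashlib.new(hash_name).digest_size
    blocks = (hashlib.new(hash_name, seed + c.to_bytes(4, "big")).digest()
              for c in range((mask_len + h_len - 1) // h_len))
    return b"".join(blocks)[:mask_len]


def emsa_pss_encode(message: bytes, em_bits: int, salt: bytes, hash_name: str = "sha256") -> bytes:
    """RFC 8017 9.1.1.  The salt is a parameter so tests can be deterministic;
    a real signer draws it fresh with os.urandom(h_len) for every signature."""
    h_len = hashlib.new(hash_name).digest_size
    em_len = (em_bits + 7) // 8
    if em_len < h_len + len(salt) + 2:
        raise ValueError("encoding error")
    m_hash = hashlib.new(hash_name, message).digest()
    h = hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest()
    db = b"\x00" * (em_len - len(salt) - h_len - 2) + b"\x01" + salt
    masked_db = bytearray(a ^ b for a, b in zip(db, mgf1(h, em_len - h_len - 1, hash_name)))
    masked_db[0] &= 0xFF >> (8 * em_len - em_bits)   # clear the top 8*emLen-emBits bits
    return bytes(masked_db) + h + b"\xbc"


def emsa_pss_verify(message: bytes, em: bytes, em_bits: int, s_len: int, hash_name: str = "sha256") -> bool:
    """RFC 8017 9.1.2: unmask DB, recover the salt, recompute H and compare."""
    h_len = hashlib.new(hash_name).digest_size
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < h_len + s_len + 2 or em[-1] != 0xBC:
        return False
    masked_db, h = em[:em_len - h_len - 1], em[em_len - h_len - 1:-1]
    if masked_db[0] & ~(0xFF >> (8 * em_len - em_bits)) & 0xFF:
        return False
    db = bytearray(a ^ b for a, b in zip(masked_db, mgf1(h, em_len - h_len - 1, hash_name)))
    db[0] &= 0xFF >> (8 * em_len - em_bits)
    ps_len = em_len - h_len - s_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return False
    salt = bytes(db[ps_len + 1:])
    m_hash = hashlib.new(hash_name, message).digest()
    return h == hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest()


def demo() -> dict:
    """Constructed sample: a 2048-bit modulus gives emBits = 2047, emLen = 256 octets."""
    msg = b"IKEv2 AUTH signed octets (constructed sample)"
    v15_a = emsa_pkcs1_v1_5_encode(msg, 256)
    v15_b = emsa_pkcs1_v1_5_encode(msg, 256)
    pss_a = emsa_pss_encode(msg, 2047, os.urandom(32))
    pss_b = emsa_pss_encode(msg, 2047, os.urandom(32))
    return {
        "v15_deterministic": v15_a == v15_b,          # same input, identical encoding
        "pss_randomized": pss_a != pss_b,             # same input, different encodings
        "pss_a_ok": emsa_pss_verify(msg, pss_a, 2047, 32),
        "pss_b_ok": emsa_pss_verify(msg, pss_b, 2047, 32),
    }


if __name__ == "__main__":
    print(demo())
```

The comparison in `emsa_pss_verify` is a plain `==` for readability; a deployed verifier would use `hmac.compare_digest`. The `sha1` entry in `DIGEST_INFO` is present only so the encoding of a SHA-1 based signature can be inspected; nothing here argues for negotiating it.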