Hi,

Please find the working version of version 03:
https://github.com/mglt/drafts/commit/40e6a1e0e99064b54a328e27f0c3d498c2c7164c

Feel free to provide comments.

BR,
Daniel

A) adding recommendations for DH - Group 22-24:

<c>22</c><c>1024-bit MODP Group with 160-bit Prime Order Subgroup</c><c>MUST NOT</c>
<c>23</c><c>1024-bit MODP Group with 224-bit Prime Order Subgroup</c><c>MUST NOT</c>
<c>24</c><c>1024-bit MODP Group with 256-bit Prime Order Subgroup</c><c>MUST NOT</c>

with the following comment:

Group 22-24 or 1024-bit MODP Group with 160-bit and 2048-bit MODP Group with 224-256-bit Prime Order Subgroup are exposed to synchronization or transcription attacks.

B) PKIX

Do we need something more?

C) Intended Audience: Specifying the implementer vs users:

The recommendations of this document mostly target IKEv2 implementers, as implementations need to meet both high security expectations as well as high interoperability between various vendors and with different updates. Interoperability requires a smooth move to more secure cipher suites. This may differ from a user point of view that may deploy and configure IKEv2 with only the safest cipher suites. On the other hand, comments and recommendations are also expected to be useful for such users.

D) Other Hash function has been removed

E) Removing Curve25519 as not yet defined

F) ENCR payload replaced by Encrypted Payload. It seems an INTG payload is running somewhere, but I could not find it.

G) removing recommendation for non defined crypt suites: Ed25519 (MAY), Ed25519ph (MAY), Ed448 (MAY), Ed448ph (MAY).

I would like to be able to provide the right OID ASN1 code for the recommended authentication methods.
