On Wed, 10 Feb 2016, Johannes Merkle wrote:
Please find the working version of version 03: https://github.com/mglt/drafts/commit/40e6a1e0e99064b54a328e27f0c3d498c2c7164c Feel free to provide comments.
Note we should reference it via: https://tools.ietf.org/html/draft-ietf-ipsecme-rfc4307bis-03
Given the difficulty and time needed to deprecate cryptographic algorithms, I advocate to disallow DSS for authentication. It is not widely deployed, anyway.
We cannot "disallow" it as it might be in use today. The idea is these series of drafts move things from SHOULD to SHOULD+ to MUST to MUST- to SHOULD NOT to MUST NOT. We are trying to phase things in and out smoothly unless there are strong reasons to speed up this process.
And for the digital signature method, why should we require SHA-1?
Because it is very common to use right now. We cannot go from MUST to MUST NOT. Paul _______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
