On Sun, 24 Jul 2016, John Mattsson wrote:

I reread draft-ietf-ipsecme-rfc4307bis-10, I think this is very well
written and definitely ready for WGLC.

Some comments:

- Section 4.1
Given the existing text “Digital Signature [RFC7427] is expected to be
promoted”, I think authentication method number 14 should be “SHOULD+”

It should be, but since RFC7427 was not widely adopted yet, we refrained
from doing so. We are hopeful it will see more adoption and for it to
go that way. But we feel a plus should signify a move that is already
visible, and for RFC7427 it is not visible yet.

- Section 4.1
Given the existing text “It is expected to be downgraded”, I think
authentication method number 1 should be “MUST-”.

I agree, but some people at ietf96 felt that we must always have an
unqualified MUST in there. I also think a MUST- would be better because
it still signifies a MUST but indicates we want to very slowly start
deprecating it. I expect in the next version that will go to SHOULD-
regardless of whether it is a MUST or MUST- one.

- Section 4
Any reason that authentication method 10 (ECDSA with SHA-384 on the P-384
curve) and 11 (ECDSA with SHA-512 on the P-521 curve) are SHOULD while
authentication method 14 (Digital Signature) with ecdsa-with-sha384 and
ecdsa-with-sha512 are MAY?

I believe this was due to ECDSA being considered an older variant of
ECC and if you do the shiny new stuff of RFC7427, you can and should
use better ECC algorithms too (like EdDSA).

Capitalisation:

- Section 2
“IoT       stands” -> “IoT   Stands”

- Section 4.1.1
“Recommendations for RSA key length” -> “Recommendations for RSA Key Length”

We will pull these two changes into the next version.

Paul

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
