Valery Smyslov writes:
And you can always retry when you notice that you get authentication
error after using private key, provided you have multiple types of
keys.
In general you can't if it is responder who selected wrong key.
That is something I realized on our way home, but it is
Hi Tero,
Valery Smyslov writes:
The problem, that the draft is not solving, is the situation,
when one of the peers has more than one private key, each
for different signature algorithm. This may happen if in deployed
VPN there is a need to move from one signature alg
to another (for any
Valery,
I suggest to change this as following. Instead of
adding IKE registry, listing hash algorithms,
add registry listing combinations of hashsignature
algorithms, as listed in Appendix A.
So, the registry would look like:
RESERVED 0
Hi Johannes,
Your proposal creates exactly the issue which the draft is trying to
solve: The lack of flexibility by relying on IPsec
code points for the signature algorithm (as opposed to using existing OIDs
commonly used in certificates and CMS) and
the coupling of signing algorithms and
Hi Valery,
As far as I remember, the main problem was that Auth Method field in AUTH
Payload
was only 8 bits and its codepoints coupled signature with particular hash.
Well, this was the initial problem, but then Yoav had the great idea of
generalizing the mechanism by using the OIDs in