Re: [IPsec] I-D Action: draft-ietf-ipsecme-rfc4307bis-10.txt
Paul Wouters <paul@nohats.ca> Mon, 25 July 2016 08:07 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E7D412D106 for <ipsec@ietfa.amsl.com>; Mon, 25 Jul 2016 01:07:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.287
X-Spam-Level:
X-Spam-Status: No, score=-3.287 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-1.287] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sA3ujLOtw1tq for <ipsec@ietfa.amsl.com>; Mon, 25 Jul 2016 01:07:32 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 12A8112D09C for <ipsec@ietf.org>; Mon, 25 Jul 2016 01:07:31 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3ryYl42sgDz36S; Mon, 25 Jul 2016 10:07:28 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1469434048; bh=2k/ry9HJxVmnivWFuTfRNhtW+cdcr8BvLGOodBd4Y+4=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=XH3PsMznUxCDJTeibGc5fs/PtikySKE9RLGxNWVKUmWp94OL7wLwd6SWtOGZJyYvh b5vvH1EtCVtrMRKkw1L+k7sAC0NbRRzNSWuSk7ShfaVzaAnt2lp/15oL7poXKieosU f7eOFQ435ogvTit2vnYapjUQqDvgnz4Ilt56UlKE=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id kdz512lLe0DH; Mon, 25 Jul 2016 10:07:26 +0200 (CEST)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Mon, 25 Jul 2016 10:07:26 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id E85D4393D89; Mon, 25 Jul 2016 04:07:25 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.10.3 bofh.nohats.ca E85D4393D89
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id D0DC340D6F5B; Mon, 25 Jul 2016 04:07:25 -0400 (EDT)
Date: Mon, 25 Jul 2016 04:07:25 -0400
From: Paul Wouters <paul@nohats.ca>
To: John Mattsson <john.mattsson@ericsson.com>
In-Reply-To: <D3BB1248.4DD74%john.mattsson@ericsson.com>
Message-ID: <alpine.LRH.2.20.1607250358550.9091@bofh.nohats.ca>
References: <20160720103025.22546.85479.idtracker@ietfa.amsl.com> <D3BB1248.4DD74%john.mattsson@ericsson.com>
User-Agent: Alpine 2.20 (LRH 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/AGd6z5F49jZCONVeagQ5wFk-h70>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
Subject: Re: [IPsec] I-D Action: draft-ietf-ipsecme-rfc4307bis-10.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jul 2016 08:07:34 -0000
On Sun, 24 Jul 2016, John Mattsson wrote: > I reread draft-ietf-ipsecme-rfc4307bis-10, I think this is very well > written and definatly ready for WGLC. > > Some comments: > > - Section 4.1 > Given the existing text “Digital Signature [RFC7427] is expected to be > promoted”, I think authentication method number 14 should be “SHOULD+” It should be, but since RFC7427 was not widely adopted yet, we refrained from doing so. We are hopeful it will see more adoption and for it to go that way. But we feel a plus should signify a move that is already visible, and for RFC7427 it is not visible yet. > - Section 4.1 > Given the existing text “It is expected to be downgraded”, I think > authentication method number 1 should be “MUST-”. I agree, but some people at ietf96 felt that we must always have an unqualified MUST in there. I also think a MUST- would be better because it still signifies a MUST but indicates we want to very slowly start deprecating it. I expect in the next version that will go to SHOULD- regardless of whether it is a MUST or MUST- one. > - Section 4 > Any reason that authentication method 10 (ECDSA with SHA-384 on the P-384 > curve) and 11 (ECDSA with SHA-512 on the P-521 curve) are SHOULD while > authentication method 14 (Digital Signature) with ecdsa-with-sha384 and > ecdsa-with-sha512 are MAY? I believe this was due to ECDSA being considered an older variant of ECC and if you do the shint new stuff of RFC7427, you can and should use better ECC algorithms too (like EdDSA) > Capitalisation: > > - Section 2 > “IoT stands” -> “IoT Stands” > > - Section 4.1.1 > “Recommendations for RSA key length” -> Recommendations for RSA Key Length We will pull these two changes into the next version. Paul
- Re: [IPsec] I-D Action: draft-ietf-ipsecme-rfc430… Paul Wouters
- Re: [IPsec] I-D Action: draft-ietf-ipsecme-rfc430… John Mattsson
- [IPsec] I-D Action: draft-ietf-ipsecme-rfc4307bis… internet-drafts