Re: [IPsec] RFC4869 bis submitted

Yoav Nir <> Wed, 11 November 2009 20:12 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9763528C0D9 for <>; Wed, 11 Nov 2009 12:12:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id tOL4UqQp4SN1 for <>; Wed, 11 Nov 2009 12:12:00 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 86F3F3A69B2 for <>; Wed, 11 Nov 2009 12:11:59 -0800 (PST)
X-CheckPoint: {4AFB1784-2-14201DC2-FFFF}
Received: by (Postfix, from userid 105) id 1339229C00B; Wed, 11 Nov 2009 22:12:27 +0200 (IST)
Received: from ( []) by (Postfix) with ESMTP id D65EF29C002; Wed, 11 Nov 2009 22:12:26 +0200 (IST)
X-CheckPoint: {4AFB1783-0-14201DC2-FFFF}
Received: from (localhost []) by (8.12.10+Sun/8.12.10) with ESMTP id nABKCQc6014131; Wed, 11 Nov 2009 22:12:26 +0200 (IST)
Received: from ([]) by ([]) with mapi; Wed, 11 Nov 2009 22:12:28 +0200
From: Yoav Nir <>
To: "Law, Laurie" <>, "" <>
Date: Wed, 11 Nov 2009 22:07:31 +0200
Thread-Topic: RFC4869 bis submitted
Thread-Index: AcpiU1O0nSZrevdBSBW8DNVZupILgAAt0Yk8
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [IPsec] RFC4869 bis submitted
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 11 Nov 2009 20:12:03 -0000


If you're bissing this thing, can we please please please entirely get rid of the requirement to use ECDSA certificates?

While the algorithms and DH groups are subject to configuration in the UI and negotiation in IKE, the algorithm used to sign the certificates is outside the IKE implementation. You usually have a certificate that you need to use, and it's the CA's decision whether this is signed with RSA, DSA or ECDSA. There's even some ambiguity, because it's not necessarily true, that the public key in the certificate is for the same algorithms used to sign the certificate.

The UI suites RFC that defined VPN-A and VPN-B did not mandate RSA or DSA. I don't see why 4869 or 4869-bis should. I don't think it's part of the algorithm configuration.


From: [] On Behalf Of Law, Laurie []
Sent: Wednesday, November 11, 2009 00:15
Subject: [IPsec] RFC4869 bis submitted

A bis has been submitted for RFC 4869, "Suite B Cryptographic Suites for IPsec". It is available at

This Internet-Draft makes several minor changes to the suites in RFC 4869 and incorporates comments that have been posted to the ipsec mailing list.

Laurie Law
National Information Assurance Research Laboratory
National Security Agency