Re: [IPsec] RFC4869 bis submitted
Yoav Nir <ynir@checkpoint.com> Wed, 11 November 2009 20:12 UTC
Return-Path: <ynir@checkpoint.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9763528C0D9 for <ipsec@core3.amsl.com>; Wed, 11 Nov 2009 12:12:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tOL4UqQp4SN1 for <ipsec@core3.amsl.com>; Wed, 11 Nov 2009 12:12:00 -0800 (PST)
Received: from dlpdemo.checkpoint.com (dlpdemo.checkpoint.com [194.29.32.54]) by core3.amsl.com (Postfix) with ESMTP id 86F3F3A69B2 for <ipsec@ietf.org>; Wed, 11 Nov 2009 12:11:59 -0800 (PST)
X-CheckPoint: {4AFB1784-2-14201DC2-FFFF}
Received: by dlpdemo.checkpoint.com (Postfix, from userid 105) id 1339229C00B; Wed, 11 Nov 2009 22:12:27 +0200 (IST)
Received: from michael.checkpoint.com (michael.checkpoint.com [194.29.32.68]) by dlpdemo.checkpoint.com (Postfix) with ESMTP id D65EF29C002; Wed, 11 Nov 2009 22:12:26 +0200 (IST)
X-CheckPoint: {4AFB1783-0-14201DC2-FFFF}
Received: from il-ex01.ad.checkpoint.com (localhost [127.0.0.1]) by michael.checkpoint.com (8.12.10+Sun/8.12.10) with ESMTP id nABKCQc6014131; Wed, 11 Nov 2009 22:12:26 +0200 (IST)
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex01.ad.checkpoint.com ([126.0.0.2]) with mapi; Wed, 11 Nov 2009 22:12:28 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: "Law, Laurie" <lelaw@tycho.ncsc.mil>, "ipsec@ietf.org" <ipsec@ietf.org>
Date: Wed, 11 Nov 2009 22:07:31 +0200
Thread-Topic: RFC4869 bis submitted
Thread-Index: AcpiU1O0nSZrevdBSBW8DNVZupILgAAt0Yk8
Message-ID: <006FEB08D9C6444AB014105C9AEB133FB36A4EBFB3@il-ex01.ad.checkpoint.com>
References: <D22B261D1FA3CD48B0414DF484E43D3211B49B@celebration.infosec.tycho.ncsc.mil>
In-Reply-To: <D22B261D1FA3CD48B0414DF484E43D3211B49B@celebration.infosec.tycho.ncsc.mil>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [IPsec] RFC4869 bis submitted
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Nov 2009 20:12:03 -0000
Hi If you're bissing this thing, can we please please please entirely get rid of the requirement to use ECDSA certificates? While the algorithms and DH groups are subject to configuration in the UI and negotiation in IKE, the algorithm used to sign the certificates is outside the IKE implementation. You usually have a certificate that you need to use, and it's the CA's decision whether this is signed with RSA, DSA or ECDSA. There's even some ambiguity, because it's not necessarily true, that the public key in the certificate is for the same algorithms used to sign the certificate. The UI suites RFC that defined VPN-A and VPN-B did not mandate RSA or DSA. I don't see why 4869 or 4869-bis should. I don't think it's part of the algorithm configuration. Yoav ________________________________________ From: ipsec-bounces@ietf.org [ipsec-bounces@ietf.org] On Behalf Of Law, Laurie [lelaw@tycho.ncsc.mil] Sent: Wednesday, November 11, 2009 00:15 To: ipsec@ietf.org Subject: [IPsec] RFC4869 bis submitted A bis has been submitted for RFC 4869, "Suite B Cryptographic Suites for IPsec". It is available at http://tools.ietf.org/html/draft-law-rfc4869bis-00 This Internet-Draft makes several minor changes to the suites in RFC 4869 and incorporates comments that have been posted to the ipsec mailing list. Laurie Law National Information Assurance Research Laboratory National Security Agency
- Re: [IPsec] RFC4869 bis submitted Yoav Nir
- [IPsec] RFC4869 bis submitted Law, Laurie
- Re: [IPsec] RFC4869 bis submitted Dan McDonald
- Re: [IPsec] RFC4869 bis submitted Scott C Moonen
- Re: [IPsec] RFC4869 bis submitted Paul Hoffman
- Re: [IPsec] RFC4869 bis submitted Stephen Kent
- Re: [IPsec] RFC4869 bis submitted Scott C Moonen
- Re: [IPsec] RFC4869 bis submitted Scott C Moonen
- Re: [IPsec] RFC4869 bis submitted Yoav Nir
- Re: [IPsec] RFC4869 bis submitted Bill Sommerfeld
- Re: [IPsec] RFC4869 bis submitted Bill Sommerfeld
- Re: [IPsec] RFC4869 bis submitted Paul Hoffman
- Re: [IPsec] RFC4869 bis submitted Paul Hoffman