Re: IKEv2 (son-of-ike) draft
Derek Atkins <warlord@mit.edu> Wed, 21 November 2001 17:31 UTC
To: Henry Spencer <henry@spsystems.net>
Cc: ipsec@lists.tislabs.com
Subject: Re: IKEv2 (son-of-ike) draft
References: <Pine.BSI.3.91.1011121111035.12699K-100000@spsystems.net>
From: Derek Atkins <warlord@mit.edu>
Date: Wed, 21 Nov 2001 11:43:43 -0500
In-Reply-To: Henry Spencer's message of "Wed, 21 Nov 2001 11:12:22 -0500 (EST)"
Message-ID: <sjmwv0kcbwg.fsf@benjamin.ihtfp.org>
Henry Spencer <henry@spsystems.net> writes:

> > Lack of a standard way of doing it... Do you use raw RSA N/e, PGP key
> > format, X.509 format? If a certificate format (PGP/X.509/etc) what
> > signatures are required, if any? IKE doesn't specify any of this, and
> > quite frankly a number of implementations do it differently.
>
> So *pick one*. Just because there are ten different ways of doing it
> doesn't mean you have to support all ten, or stand there frozen because
> you're unable to make up your mind.

Right, and implementation A picks method X, and implementation B picks
method Y, and implementation C picks method Z, which makes sharing
keys a huge hassle.

For example, in order to get FreeS/WAN to interoperate with, say,
NetBSD, I think I'm going to have to use OpenSSL to generate an X.509
self-signed certificate and then extract the key into FreeS/WAN so
that NetBSD (and some other implementations) can have access to an
X.509 cert.

This is just a pain in the butt, and should not be left to
implementors. Then again, the Security Area can't seem to agree on a
format, either. :(

> Henry Spencer
> henry@spsystems.net

-derek

--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available
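
The format mismatch discussed in this message, as an added example that is not part of the original post: one RSA public key written as raw N/e (in the RFC 3110 layout, chosen here as a representative raw format) and as an X.509 SubjectPublicKeyInfo, plus a check that both containers hold the same key. All function names and the sample values are constructed for illustration.

```python
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")  # rsaEncryption + NULL

def ubytes(x):  # minimal big-endian bytes of a non-negative integer
    return x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")

def raw_encode(n, e):  # RFC 3110 layout: exponent length, exponent, modulus
    eb = ubytes(e)
    head = bytes([len(eb)]) if len(eb) <= 255 else b"\x00" + len(eb).to_bytes(2, "big")
    return head + eb + ubytes(n)

def raw_decode(blob):  # returns (n, e)
    elen, off = (blob[0], 1) if blob[0] else (int.from_bytes(blob[1:3], "big"), 3)
    return int.from_bytes(blob[off + elen:], "big"), int.from_bytes(blob[off:off + elen], "big")

def der(tag, body):  # DER tag-length-value, short or long definite length
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = ubytes(len(body))
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(x):  # DER INTEGER is signed: a leading 0x00 appears when the top bit is set
    return der(0x02, x.to_bytes(x.bit_length() // 8 + 1, "big"))

def spki_encode(n, e):  # SubjectPublicKeyInfo around RSAPublicKey SEQUENCE {n, e}
    rsa_pub = der(0x30, der_int(n) + der_int(e))
    return der(0x30, RSA_ALG_ID + der(0x03, b"\x00" + rsa_pub))

def der_read(buf, pos):  # returns (body, next_pos) of the TLV at pos
    ln, pos = buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: low 7 bits give the number of length octets
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return buf[pos:pos + ln], pos + ln

def spki_decode(blob):  # returns (n, e)
    outer, _ = der_read(blob, 0)
    alg, p = der_read(outer, 0)
    if der(0x30, alg) != RSA_ALG_ID:
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    bits, _ = der_read(outer, p)
    seq, _ = der_read(bits[1:], 0)  # skip the BIT STRING unused-bits octet
    nb, p = der_read(seq, 0)
    eb, _ = der_read(seq, p)
    return int.from_bytes(nb, "big"), int.from_bytes(eb, "big")

def same_key(raw_blob, spki_blob):  # do both containers carry the same (n, e)?
    return raw_decode(raw_blob) == spki_decode(spki_blob)

N, E = (1 << 1023) | 0x1234567, 65537  # constructed sample values, not a real key
```

The two encodings of the same key share no common byte layout, so comparing configured keys across implementations means decoding both to (n, e) first, as `same_key` does.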