Re: [IPsec] Last Call: <draft-kivinen-ipsecme-ikev2-rfc5996bis-02.txt> (Internet Key Exchange Protocol Version 2 (IKEv2)) to Internet Standard

Yoav Nir <ynir.ietf@gmail.com> Thu, 17 April 2014 17:42 UTC

From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <14BE57EA00BC0C469E17B5AD698FE67766664CE4@FR711WXCHMBA01.zeu.alcatel-lucent.com>
Date: Thu, 17 Apr 2014 20:42:23 +0300
Message-Id: <B12490A2-2D31-4E32-9D9E-ACB80C91FB8C@gmail.com>
References: <20140404202750.31367.2461.idtracker@ietfa.amsl.com> <14BE57EA00BC0C469E17B5AD698FE67766664CE4@FR711WXCHMBA01.zeu.alcatel-lucent.com>
To: "PUTMAN, Tony (Tony)" <tony.putman@alcatel-lucent.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/LbZWeXo4OhwZJS-BnjVcT0hFYWc
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>

Hi, Tony

Thanks for the review.

I assume you mean that you don’t sign with public keys. Replacing “sign” with “validate” makes for a strange sentence, because the sentence is about sending (and presumably signing) rather than receiving (and validating).

How about:
“If multiple certificates are sent, the first MUST contain the public key associated with the private key used to sign the AUTH payload”

Yoav
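
To make the sign/validate distinction concrete, below is an added Go example; it is not text from the draft and not code from either poster. The sender signs the AUTH data with its private key, and the receiver takes the public key from the first certificate it was sent, and only that one, to validate the signature. The signed-octets layout (RealMessage1 | NonceRData | prf(SK_pi, RestOfInitIDPayload)) follows section 2.15 of the draft. Everything else is an assumption for illustration: HMAC-SHA256 as the PRF, RSASSA-PKCS1-v1_5 over SHA-256 as the signature, two self-signed throwaway certificates, and constructed message bytes rather than captured IKE traffic. The second run, with an unrelated CA certificate placed first, shows why the draft pins the position of the end-entity certificate.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// prf stands in for the negotiated IKEv2 PRF; HMAC-SHA256 is an assumption here.
func prf(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// InitiatorSignedOctets follows section 2.15 of the draft:
// RealMessage1 | NonceRData | prf(SK_pi, RestOfInitIDPayload)
func InitiatorSignedOctets(realMessage1, nonceRData, skPi, restOfInitID []byte) []byte {
	out := append([]byte{}, realMessage1...)
	out = append(out, nonceRData...)
	return append(out, prf(skPi, restOfInitID)...)
}

// SignAuth is the sender's side: only the private key can produce AUTH data.
// RSASSA-PKCS1-v1_5 over SHA-256 is an assumption chosen for illustration.
func SignAuth(priv *rsa.PrivateKey, signedOctets []byte) ([]byte, error) {
	digest := sha256.Sum256(signedOctets)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// ValidateAuth is the receiver's side: the public key comes from the FIRST
// certificate sent. Path validation of the rest of the chain is a separate
// step and is not shown here.
func ValidateAuth(certChainDER [][]byte, signedOctets, authData []byte) error {
	if len(certChainDER) == 0 {
		return errors.New("no certificate sent")
	}
	first, err := x509.ParseCertificate(certChainDER[0])
	if err != nil {
		return fmt.Errorf("parsing first certificate: %w", err)
	}
	pub, ok := first.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("first certificate does not carry an RSA public key")
	}
	digest := sha256.Sum256(signedOctets)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], authData)
}

// selfSignedCert builds a throwaway test certificate for the given key.
func selfSignedCert(priv *rsa.PrivateKey, cn string) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
}

// Demo runs one exchange with constructed inputs and reports whether AUTH
// validates with the signing (end-entity) certificate first, and whether it
// also validates when an unrelated CA certificate is sent first.
func Demo() (leafFirstOK, caFirstOK bool, err error) {
	peerKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	peerCert, err := selfSignedCert(peerKey, "ike-peer.example")
	if err != nil {
		return false, false, err
	}
	caCert, err := selfSignedCert(caKey, "Example CA")
	if err != nil {
		return false, false, err
	}
	// Constructed sample inputs, not real IKE_SA_INIT bytes.
	realMessage1 := []byte("IKE_SA_INIT request (constructed)")
	nonceRData := []byte("responder nonce (constructed)")
	skPi := []byte("SK_pi (constructed)")
	// RestOfInitIDPayload = IDType | RESERVED | InitIDData, using ID_FQDN (2).
	restOfInitID := append([]byte{2, 0, 0, 0}, []byte("ike-peer.example")...)

	octets := InitiatorSignedOctets(realMessage1, nonceRData, skPi, restOfInitID)
	authData, err := SignAuth(peerKey, octets)
	if err != nil {
		return false, false, err
	}
	leafFirstOK = ValidateAuth([][]byte{peerCert, caCert}, octets, authData) == nil
	caFirstOK = ValidateAuth([][]byte{caCert, peerCert}, octets, authData) == nil
	return leafFirstOK, caFirstOK, nil
}

func main() {
	leafFirst, caFirst, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("end-entity certificate first: AUTH valid = %v\n", leafFirst)
	fmt.Printf("CA certificate first:         AUTH valid = %v\n", caFirst)
}
```

Run it with `go run` on a single file. The receiver never needs the private key, which is the point Tony raises; what it does need is an unambiguous rule for which of several certificates carries the key to validate against, which is the point the sentence in section 3.6 is making.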


On Apr 17, 2014, at 8:23 PM, PUTMAN, Tony (Tony) <tony.putman@alcatel-lucent.com> wrote:

> All,
> 
> In section 3.6 (top of page 94), there is the statement,
>  "If multiple certificates
>   are sent, the first certificate MUST contain the public key used to
>   sign the AUTH payload."
> 
> "sign" should be "validate".
> 
> Regards,
> Tony
> --
> Tony Putman
> Alcatel-Lucent Technologies
> 
> -----Original Message-----
> From: IPsec [mailto:ipsec-bounces@ietf.org] On Behalf Of The IESG
> Sent: Friday, April 04, 2014 9:28 PM
> To: IETF-Announce
> Cc: ipsec@ietf.org
> Subject: [IPsec] Last Call: <draft-kivinen-ipsecme-ikev2-rfc5996bis-02.txt> (Internet Key Exchange Protocol Version 2 (IKEv2)) to Internet Standard
> 
> 
> The IESG has received a request from the IP Security Maintenance and
> Extensions WG (ipsecme) to consider the following document:
> - 'Internet Key Exchange Protocol Version 2 (IKEv2)'
>  <draft-kivinen-ipsecme-ikev2-rfc5996bis-02.txt> as Internet Standard
> 
> The IESG plans to make a decision in the next few weeks, and solicits
> final comments on this action. Please send substantive comments to the
> ietf@ietf.org mailing lists by 2014-04-18. Exceptionally, comments may be
> sent to iesg@ietf.org instead. In either case, please retain the
> beginning of the Subject line to allow automated sorting.
> 
> Abstract
> 
> 
>   This document describes version 2 of the Internet Key Exchange (IKE)
>   protocol.  IKE is a component of IPsec used for performing mutual
>   authentication and establishing and maintaining Security Associations
>   (SAs).  This document replaces and updates RFC 5996, and includes all
>   of the errata for it, and it is intended to update IKEv2 to be
>   Internet Standard.
> 
> 
> 
> 
> The file can be obtained via
> http://datatracker.ietf.org/doc/draft-kivinen-ipsecme-ikev2-rfc5996bis/
> 
> IESG discussion can be tracked via
> http://datatracker.ietf.org/doc/draft-kivinen-ipsecme-ikev2-rfc5996bis/ballot/
> 
> 
> No IPR declarations have been submitted directly on this I-D.
> 
> 
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec