Re: questions: key length & cert retrieve: draft-ietf-ipsec-pki-req-01.txt

Rodney Thayer <rodney@tillerman.nu> Thu, 10 September 1998 21:37 UTC

Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id RAA25477 for ipsec-outgoing; Thu, 10 Sep 1998 17:37:05 -0400 (EDT)
Message-Id: <199809102051.QAA02975@2gn.com>
X-Sender: rodney@module-one.tillerman.nu
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.2
Date: Thu, 10 Sep 1998 17:53:12 -0400
To: "Hsu, Yung-Kao" <yungkaohsu@lucent.com>
From: Rodney Thayer <rodney@tillerman.nu>
Subject: Re: questions: key length & cert retrieve: draft-ietf-ipsec-pki-req-01.txt
Cc: ipsec@tis.com
In-Reply-To: <35F81C5E.1C58A5AE@lucent.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ipsec@ex.tis.com
Precedence: bulk

At 02:37 PM 9/10/98 -0400, you wrote:
>I'm new, don't know enough, and have two questions.
>
>1) In section 2.2, it is stated
>
>	All the certificates used in the IPSec device and the PKI must 
>	be of the same key length.
>
>So, for examples, I can't have a CA with a 2048-bit key signs a cert of 
>1024-bit key for my IPsec device. Why?

I said it the way I did to keep things simple.  A 2048 signing a 1024 seems safe, although "downshifting" is still questionable.  A 512 signing a 1024 seems insecure, to me.

>
>2) In section 3.2, it is stated
>
>	IPSec devices MUST be able to retrieve their own fulfilled
>	certificates, signing certificates for other IPSec devices, and
>	identification certificates for other IPSec devices.
>
>Does this mean that, from an IPsec device, I can query cert of other IPsec
>devices even without establishing any communication to them?

No, it means you have to possess your own cert and the signing cert[s] for the other party in order to do this.

>
>Yung-Kao Hsu
>Lucent Technologies
>
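The two points made in the reply above (a chain is only as strong as the weakest signing key in it, and a device validates a peer from signing certs it already holds locally rather than fetching anything from the peer) as an added worked example. This is not code from the original message or from any IPsec implementation; certificates are modelled as plain records of subject, issuer and key size so it runs with the standard library only, the sample certs are constructed, and the RSA-size-to-strength mapping is the commonly cited NIST SP 800-57 comparable-strength table, applied here as an assumption of the example.

```python
"""Key-length policy check over a certificate chain.

Added example, not from the original post. Certificates are modelled as
plain records instead of real X.509 objects; all names and sizes below are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

# Approximate security strength (symmetric-equivalent bits) of an RSA
# modulus, following the NIST SP 800-57 comparable-strength table.
# Anything under 1024 bits is treated as offering no meaningful strength.
RSA_STRENGTH = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}


def rsa_strength(key_bits: int) -> int:
    """Strength of an RSA key of the given modulus size, 0 if below 1024."""
    return max((s for size, s in RSA_STRENGTH.items() if key_bits >= size),
               default=0)


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_bits: int  # size of the subject's public key

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def build_chain(leaf: Cert, store: Dict[str, Cert]) -> List[Cert]:
    """Walk issuer links from the leaf up to a self-signed root.

    `store` is the set of signing certs the device already holds locally;
    nothing is fetched from the peer. Raises LookupError when an issuer is
    not held and ValueError when the issuer links loop.
    """
    chain, seen, cur = [leaf], {leaf.subject}, leaf
    while not cur.self_signed:
        nxt = store.get(cur.issuer)
        if nxt is None:
            raise LookupError(f"no signing cert for {cur.issuer!r} in local store")
        if nxt.subject in seen:
            raise ValueError("issuer loop in chain")
        seen.add(nxt.subject)
        chain.append(nxt)
        cur = nxt
    return chain


def check_chain(chain: List[Cert], min_bits: int = 1024) -> dict:
    """Evaluate a leaf-to-root chain against a key-length policy.

    A signature is no stronger than the key that made it, so the effective
    strength is that of the shortest key anywhere in the chain. A signer
    shorter than the key it certifies (512 signing 1024) is an error; a
    signer longer than the key it certifies (2048 signing 1024) is only
    noted, since the chain is still bounded by the shorter leaf key.
    """
    errors, notes = [], []
    for cert in chain:
        if cert.key_bits < min_bits:
            errors.append(f"{cert.subject}: {cert.key_bits}-bit key is below "
                          f"policy minimum of {min_bits}")
    for signed, signer in zip(chain, chain[1:]):
        if signer.key_bits < signed.key_bits:
            errors.append(f"{signer.subject} ({signer.key_bits}-bit) signs "
                          f"{signed.subject} ({signed.key_bits}-bit): "
                          f"signer is the weak link")
        elif signer.key_bits > signed.key_bits:
            notes.append(f"{signer.subject} ({signer.key_bits}-bit) signs "
                         f"{signed.subject} ({signed.key_bits}-bit): downshift")
    effective = min(c.key_bits for c in chain)
    return {"effective_bits": effective, "strength": rsa_strength(effective),
            "errors": errors, "notes": notes, "ok": not errors}


# Constructed sample data: two local roots and three peer identity certs.
STORE = {c.subject: c for c in (Cert("CA-2048", "CA-2048", 2048),
                                Cert("CA-512", "CA-512", 512))}
GW1 = Cert("gw1.example", "CA-2048", 1024)     # 2048 signs 1024: downshift
GW2 = Cert("gw2.example", "CA-512", 1024)      # 512 signs 1024: weak link
GW3 = Cert("gw3.example", "CA-unknown", 2048)  # signer not held locally


def evaluate(leaf: Cert, store: Dict[str, Cert] = STORE,
             min_bits: int = 1024) -> dict:
    """Build the chain from the local store and apply the policy."""
    return check_chain(build_chain(leaf, store), min_bits)


if __name__ == "__main__":
    for leaf in (GW1, GW2):
        result = evaluate(leaf)
        print(leaf.subject, "OK" if result["ok"] else "FAIL", result)
    try:
        evaluate(GW3)
    except LookupError as exc:
        print(GW3.subject, "FAIL:", exc)
```

gw1 passes with a downshift note and an effective strength of 1024 bits (about 80 bits of security); gw2 fails twice, once for the 512-bit root being under the policy floor and once because that root is weaker than the key it certifies; gw3 cannot be evaluated at all because its signer is not in the local store, which is the section 3.2 point that the device must already hold the other party's signing cert.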