Re: Remove little-used algorithms from IKEv2

Paul Hoffman / VPNC <paul.hoffman@vpnc.org> Fri, 15 March 2002 04:51 UTC

Date: Thu, 14 Mar 2002 20:16:54 -0800
To: Derek Atkins <warlord@mit.edu>
From: Paul Hoffman / VPNC <paul.hoffman@vpnc.org>
Subject: Re: Remove little-used algorithms from IKEv2
Cc: ipsec@lists.tislabs.com

At 8:19 PM -0500 3/14/02, Derek Atkins wrote:
>Paul Hoffman / VPNC <paul.hoffman@vpnc.org> writes:
>
>>  In the same vein, all certificate formats other than #4 (X.509
>>  Certificate - Signature) should be deprecated as well. "PKCS #7
>>  wrapped X.509 certificate" is particularly bad given that there is no
>>  standard for how to "wrap" a certificate.
>
>I'm not sure I agree with the first statement here.  I'm willing to be
>convinced, but I think PGP certificates and maybe raw RSA keys are
>both reasonable as well.

PGP certificates seem to be in a permanent experimental state with no
customer demand for them. The same is true for bare RSA keys. Yes,
there are probably some people who want them, but there are some
people who might want any of the features we are removing. PGP certs
don't have any better security features than PKIX certs, and bare RSA
keys have fewer security features than PKIX certs.

--Paul Hoffman, Director
--VPN Consortium