IETF Logo Mail Archive

Re: [IPsec] #116: The AUTH payload signature

Yaron Sheffer <yaronf@checkpoint.com> Tue, 24 November 2009 17:10 UTC

Return-Path: <yaronf@checkpoint.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1A9633A6B6B for <ipsec@core3.amsl.com>; Tue, 24 Nov 2009 09:10:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.494
X-Spam-Level:
X-Spam-Status: No, score=-3.494 tagged_above=-999 required=5 tests=[AWL=0.104, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1VqkaQclSIiB for <ipsec@core3.amsl.com>; Tue, 24 Nov 2009 09:10:32 -0800 (PST)
Received: from michael.checkpoint.com (michael.checkpoint.com [194.29.32.68]) by core3.amsl.com (Postfix) with ESMTP id 1647328C111 for <ipsec@ietf.org>; Tue, 24 Nov 2009 09:10:30 -0800 (PST)
Received: from il-ex01.ad.checkpoint.com (localhost [127.0.0.1]) by michael.checkpoint.com (8.12.10+Sun/8.12.10) with ESMTP id nAOH9JGp011035 for <ipsec@ietf.org>; Tue, 24 Nov 2009 19:09:20 +0200 (IST)
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex01.ad.checkpoint.com ([126.0.0.2]) with mapi; Tue, 24 Nov 2009 19:09:25 +0200
From: Yaron Sheffer <yaronf@checkpoint.com>
To: IPsecme WG <ipsec@ietf.org>
Date: Tue, 24 Nov 2009 19:09:24 +0200
Thread-Topic: #116: The AUTH payload signature
Thread-Index: AcpY7JIWsaUaiVnDRVWi32jyvGpWeAUOPQXQ
Message-ID: <7F9A6D26EB51614FBF9F81C0DA4CFEC801BDF88DFFE0@il-ex01.ad.checkpoint.com>
References: <7F9A6D26EB51614FBF9F81C0DA4CFEC801BDA1213EA8@il-ex01.ad.checkpoint.com>
In-Reply-To: <7F9A6D26EB51614FBF9F81C0DA4CFEC801BDA1213EA8@il-ex01.ad.checkpoint.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_7F9A6D26EB51614FBF9F81C0DA4CFEC801BDF88DFFE0ilex01adche_"
MIME-Version: 1.0
Subject: Re: [IPsec] #116: The AUTH payload signature
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Nov 2009 17:10:39 -0000

Tero requested a clarification: I'm proposing to say that the certificate's hash algorithm does not determine the AUTH hash function (which is the negotiated PRF). Implementations may use the certificates received from a given peer as a hint for selecting a mutually-understood PRF with that peer.

And yes, the last sentence refers to this text:

To promote interoperability, implementations that support this type SHOULD support signatures that use SHA-1 as the hash function and SHOULD use SHA-1 as the default hash function when generating signatures.

________________________________
From: ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org] On Behalf Of Yaron Sheffer
Sent: Friday, October 30, 2009 1:18
To: IPsecme WG
Subject: [IPsec] #116: The AUTH payload signature


The definition of the payload (sec. 3.8) should mention explicitly that the payload hash algorithm is unrelated to the one used in the certificate, or the algorithm used to sign the IKE Encrypted Payload.

Moreover, the words "by default" are confusing and should be deleted.



Scanned by Check Point Total Security Gateway.

v2.23.0 | Report a Bug | By Email