Re: [IPsec] Last Call: <draft-kivinen-ipsecme-ikev2-rfc5996bis-02.txt> (Internet Key Exchange Protocol Version 2 (IKEv2)) to Internet Standard

"PUTMAN, Tony (Tony)" <tony.putman@alcatel-lucent.com> Tue, 22 April 2014 09:57 UTC

From: "PUTMAN, Tony (Tony)" <tony.putman@alcatel-lucent.com>
To: Yoav Nir <ynir.ietf@gmail.com>
Thread-Topic: [IPsec] Last Call: <draft-kivinen-ipsecme-ikev2-rfc5996bis-02.txt> (Internet Key Exchange Protocol Version 2 (IKEv2)) to Internet Standard
Date: Tue, 22 Apr 2014 09:56:46 +0000
Message-ID: <14BE57EA00BC0C469E17B5AD698FE67766664FCB@FR711WXCHMBA01.zeu.alcatel-lucent.com>
References: <20140404202750.31367.2461.idtracker@ietfa.amsl.com> <14BE57EA00BC0C469E17B5AD698FE67766664CE4@FR711WXCHMBA01.zeu.alcatel-lucent.com> <B12490A2-2D31-4E32-9D9E-ACB80C91FB8C@gmail.com>
In-Reply-To: <B12490A2-2D31-4E32-9D9E-ACB80C91FB8C@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/t3KMpP4LXOYyEYGNwpwvIS7xcGA
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
Subject: Re: [IPsec] Last Call: <draft-kivinen-ipsecme-ikev2-rfc5996bis-02.txt> (Internet Key Exchange Protocol Version 2 (IKEv2)) to Internet Standard

Hi Yoav,

Yes, that's what I meant; your suggestion is fine with me.  To be honest, I wasn't sure whether this was a "substantive comment" or not, but the question was raised to me by a colleague and I thought that I should pass it on.  Apologies if my comment was too brief (and for the late follow-up).

Tony

-----Original Message-----
From: Yoav Nir [mailto:ynir.ietf@gmail.com]
Sent: Thursday, April 17, 2014 6:42 PM
To: PUTMAN, Tony (Tony)
Cc: ietf@ietf.org; ipsec@ietf.org
Subject: Re: [IPsec] Last Call: <draft-kivinen-ipsecme-ikev2-rfc5996bis-02.txt> (Internet Key Exchange Protocol Version 2 (IKEv2)) to Internet Standard

Hi, Tony

Thanks for the review.

I assume you mean that you don’t sign with public keys. Replacing “sign” with “validate” makes for a strange sentence, because the sentence is about sending (and presumably signing) rather than receiving (and validating).

How about:
“If multiple certificates are sent, the first MUST contain the public key associated with the private key used to sign the AUTH payload”

Yoav


On Apr 17, 2014, at 8:23 PM, PUTMAN, Tony (Tony) <tony.putman@alcatel-lucent.com> wrote:

> All,
>
> In section 3.6 (top of page 94), there is the statement,
>  "If multiple certificates
>   are sent, the first certificate MUST contain the public key used to
>   sign the AUTH payload."
>
> "sign" should be "validate".
>
> Regards,
> Tony
> --
> Tony Putman
> Alcatel-Lucent Technologies
>
> -----Original Message-----
> From: IPsec [mailto:ipsec-bounces@ietf.org] On Behalf Of The IESG
> Sent: Friday, April 04, 2014 9:28 PM
> To: IETF-Announce
> Cc: ipsec@ietf.org
> Subject: [IPsec] Last Call: <draft-kivinen-ipsecme-ikev2-rfc5996bis-02.txt> (Internet Key Exchange Protocol Version 2 (IKEv2)) to Internet Standard
>
>
> The IESG has received a request from the IP Security Maintenance and
> Extensions WG (ipsecme) to consider the following document:
> - 'Internet Key Exchange Protocol Version 2 (IKEv2)'
>  <draft-kivinen-ipsecme-ikev2-rfc5996bis-02.txt> as Internet Standard
>
> The IESG plans to make a decision in the next few weeks, and solicits
> final comments on this action. Please send substantive comments to the
> ietf@ietf.org mailing lists by 2014-04-18. Exceptionally, comments may be
> sent to iesg@ietf.org instead. In either case, please retain the
> beginning of the Subject line to allow automated sorting.
>
> Abstract
>
>
>   This document describes version 2 of the Internet Key Exchange (IKE)
>   protocol.  IKE is a component of IPsec used for performing mutual
>   authentication and establishing and maintaining Security Associations
>   (SAs).  This document replaces and updates RFC 5996, and includes all
>   of the errata for it, and it is intended to update IKEv2 to be
>   Internet Standard.
>
>
>
>
> The file can be obtained via
> http://datatracker.ietf.org/doc/draft-kivinen-ipsecme-ikev2-rfc5996bis/
>
> IESG discussion can be tracked via
> http://datatracker.ietf.org/doc/draft-kivinen-ipsecme-ikev2-rfc5996bis/ballot/
>
>
> No IPR declarations have been submitted directly on this I-D.
>
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec