Re: [IPsec] Question about IKEv1 and ECDSA

Paul Hoffman <paul.hoffman@vpnc.org> Wed, 28 November 2012 15:02 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C16A21F8874 for <ipsec@ietfa.amsl.com>; Wed, 28 Nov 2012 07:02:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xiCh1sEg+ZiW for <ipsec@ietfa.amsl.com>; Wed, 28 Nov 2012 07:02:29 -0800 (PST)
Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2605:8e00:100:41::81]) by ietfa.amsl.com (Postfix) with ESMTP id A793921F8869 for <ipsec@ietf.org>; Wed, 28 Nov 2012 07:02:29 -0800 (PST)
Received: from [10.20.30.102] (50-0-66-243.dsl.dynamic.fusionbroadband.com [50.0.66.243]) (authenticated bits=0) by hoffman.proper.com (8.14.5/8.14.5) with ESMTP id qASF2IPS043433 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Wed, 28 Nov 2012 08:02:18 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <4613980CFC78314ABFD7F85CC3027721023F2E@IL-EX10.ad.checkpoint.com>
Date: Wed, 28 Nov 2012 07:02:19 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <060190F3-C914-4995-82E3-9F613461B8BB@vpnc.org>
References: <4613980CFC78314ABFD7F85CC3027721023F2E@IL-EX10.ad.checkpoint.com>
To: Yoav Nir <ynir@checkpoint.com>
X-Mailer: Apple Mail (2.1499)
Cc: IPsecme WG <ipsec@ietf.org>
Subject: Re: [IPsec] Question about IKEv1 and ECDSA
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Nov 2012 15:02:30 -0000

On Nov 28, 2012, at 12:07 AM, Yoav Nir <ynir@checkpoint.com> wrote:

> 1. Is it impossible to have one peer authenticate with RSA while the other authenticates with ECDSA, or even to mix curves?  Or am I missing something?

This was discussed a decade ago at interop events, and the general agreement was that it is impossible to do without an extension, and no one cared to do that. (The question was actually about PlainOldDSA, not ECDSA, but the result is the same.)

> 2. What if an IKE endpoint has >1 certificates, but the one best-suited for the certificate request has a different type key than the one agreed to in packet #2?

Same.

--Paul Hoffman