RFC 4869 makes some statements like:
The authentication method used with IKEv1 MAY be either pre-shared
key [RFC2409] or ECDSA-256 [RFC4754].
That seems to me like an empty statement, since it doesn't require any particular set of choices nor does it proscribe any choice.
Pre-shared keys involve a shared symmetric value. ECDSA-256 involves a public-private key pair and a certificate. Either one is acceptable for the Suite B environment.
Is it intended to proscribe the use of non-ECDSA digital signatures such as RSA, and therefore limit the options to pre-shared key and ECDSA-256? I wonder if it should read "MUST" instead?
That is how I read it.
Russ
_______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec