Paul Hoffman writes:
> At 9:17 PM -0500 1/21/10, <black_da...@emc.com> wrote:
> >Paul,
> >
> >> What does "Implementations SHOULD be capable of generating and
> >accepting all of these types" mean?
> >
> >It's hair-splitting time ...
> >
> >> To assure maximum interoperability, implementations MUST be
> >configurable to send at least one of
> >> ID_IPV4_ADDR, ID_FQDN, ID_RFC822_ADDR, or ID_KEY_ID, and MUST be
> >configurable to accept all of these
> >> types.
> >
> >Short version: MUST be able to send at least *1*, accept all *4*.
> >
> >> Implementations SHOULD be capable of generating and accepting all of
> >these types.
> >
> >Short version: In addition, SHOULD be able to send all *4*.
> >
> >The SHOULD for "accepting" is redundant with the previous MUST, but the
> >SHOULD for "generating" is broader.
> >
> >[... snip ...]
> >
> >> If it means all the listed types, the sentence should be changed to
> >"Implementations SHOULD
> >> also be capable of generating ID_IPV6_ADDR, ID_DER_ASN1_DN, and
> >ID_DER_ASN1_GN."
> >
> >Which I think amounts to a SHOULD for certificate support. Is there a
> >good reason to go there?
>
> This interpretation is quite surprising to me (but I am surprised
> often these days...). What do others think?
I interpreted it so that MUST be able to send one, accept all four
and SHOULD be able to send all four.
Note, also that Section 4 also lists in its conformance list that all
implementations MUST be able to be configured to accept:
----------------------------------------------------------------------
For an implementation to be called conforming to this specification,
it MUST be possible to configure it to accept the following:
o PKIX Certificates containing and signed by RSA keys of size 1024
or 2048 bits, where the ID passed is any of ID_KEY_ID, ID_FQDN,
ID_RFC822_ADDR, or ID_DER_ASN1_DN.
o Shared key authentication where the ID passed is any of ID_KEY_ID,
ID_FQDN, or ID_RFC822_ADDR.
o Authentication where the responder is authenticated using PKIX
Certificates and the initiator is authenticated using shared key
authentication.
----------------------------------------------------------------------
I.e. that adds ID_DER_ASN1_DN for certificates, and does not list
ID_IPV*_ADDR at all.
I.e. even when ID_IPV4_ADDR is mandatory to be implement, that does
not need to be one of the configurations that is required from
implementation (which is ok, as if you make implementation which is
always behind NAT, then IP-address is not something you want to allow
to be configured as ID).
So Certificate support is already MUST, Shared key authentication is
MUST. ID_KEY_ID, ID_FQDN, ID_RFC822_ADDR are MUST for accept for both
authentication, ands ID_DER_ASN1_DN is MUST for accept for certificate
authentication.
The section 4 can also be understood that sending all of the ID
formats is also required, as the text says "ID passed is any of ..."
which would indicate that it requires also sending those ID types.
These requirements are not required to be same, as the other covers
the ID payload support, and the other covers the how the whole system
is configured and used.
--
kivi...@iki.fi
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
