Hi Pasi,

Pasi Eronen writes:
> > And I want to raise one more issue. Section 4 mandates support
> > for both PKIX and preshared key for conformant implementation.
> > Isn't it too strong requirement?
> <snip>
>
> This requirement has been in the document for 4+ years.
>
> Unless there is concrete evidence of multiple implementors
> encountering difficulties with it (and not just hypothetical
> garage door openers), I would propose *not* re-visiting this
> topic at this time.

The main problem is not in the requirement for PKIX support per se (although it seems to be too much for small implementation). The problem is in requirement for particular algorithm - RSA. I understand that RSA is widely used, but there may be situations when it is unavailable for some reason. For example, here in Russia all state organizations are not allowed to use RSA and must use only GOST 3410-2001 signature algorithm. I suspect the same situation may take place in other countries as well.

From my point of view, it is better to move all requirements for particular algorithm support from RFC4306 to RFC4307, where most of them already reside. That will allow building implementations conformant to RFC4306 with any set of algorithms (as protocol itself is completely algorithm independent), while RFC4307 will list those algorithms which will provide "universal" interoperability.

Regards,
Valery Smyslov.

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec