Yaron Sheffer writes:
> I just reread the introduction of RFC 4945 and I don't understand its 
> purpose. So I'm not sure it should be referenced from 5996bis.

Ok, if there is any disagreement about it, then I think it is better
to leave it out of 5996bis.

> It is definitely not a "profile" in the sense that Tero is alluding to. 
> Tero's own "minimal IKEv2" is a profile for a specific use. RFC 4945 
> just attempts to fill in the holes (or perceived holes) in RFC 4306 and 
> PKIX docs wrt PKI use in IPsec. Which just happens to be the main use 
> case of IKE/IPsec!

I have understood that RFC4945 is a profile which profiles both PKIX
and IPsec, i.e. it tells the CA vendors what kind of features might be
needed from the PKIX if certificates are used in the IPsec
environment, and tells the IPsec vendors what kind of certificates
they will receive from the CAs and how those can be used in the IPsec
environment.

> Quoting: "This profile of the IKE and PKIX frameworks is intended to 
> provide an agreed-upon standard for using PKI technology in the context 
> of IPsec by profiling the PKIX framework for use with IKE and IPsec, and 
> by documenting the contents of the relevant IKE payloads and further 
> specifying their semantics."

This very clearly states the first part (i.e. the profiling of PKIX),
and a bit vaguely describes the second part (i.e. "documenting the
contents of the relevant IKE payloads and further specifying their
semantics", meaning that it profiles the IPsec implementations by
specifying more exact contents and semantics for the payloads, where
the IPsec specifications usually leave them open).

It is a profile in the sense that it gives common ground for PKIX and
IPsec vendors so they can agree on what kind of certs can be used in
IPsec.

It is not the only possible way of combining PKIX and IPsec; for
example, if someone wants to use certificates and IPsec to protect
routers, the requirements for what kind of certificates and what kind
of IKE payloads and their semantics are needed might be different.
-- 
kivi...@iki.fi
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec