During the WG meeting in London, somebody (I forget who) asked me whether KE payloads larger than 64k. I thought I ought to clarify matters (as they are more complex than the brief answer I gave indicated).
Of the proposed postquantum key exchange (and public key encryption algorithms, which can be used to transport keys) submitted to NIST, the majority of them have key shares (or public keys/ciphertexts) smaller than 64k; there are a handful that are larger. Now, it is possible (albeit unlikely) that all the algorithms with key shares < 64k will be broken; unless this happens, it would be reasonable (IMHO) that we mandate that any algorithm he allow have a KE payload that fits within 64k. Now, in the event that we feel the need to support larger key shares, there are possible ways to support that; I don't feel that we need to talk about those options now.
_______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
