Hi Chris and ipsecme,

I am in favor of including the word "transcript" in the name of the Notify Payload. In particular, I think it is a good idea to name the specific mechanism induced by the inclusion of this payload in initiator and responder IKE_SA_INIT messages.

I do have a concern with the "IKE_SA_INIT" portion of the Notify Payload name. In the case where peers use IKE_INTERMEDIATE to perform an additional key establishment, I find it confusing that the Notify Payload name refers only to the IKE_SA_INIT exchange and not IKE_INTERMEDIATE, though both exchanges would be included in the transcript. Is there a way to make it clear that all pre-IKE_AUTH messages are included in the transcript, and not just IKE_SA_INIT? Something like PRE_IKE_AUTH_FULL_TRANSCRIPT_AUTH? Or AUTH_WITH_PRE_IKE_AUTH_TRANSCRIPT?

Rebecca

Rebecca Guthrie
she/her
Center for Cybersecurity Standards (CCSS)
Cybersecurity Collaboration Center (CCC)
National Security Agency (NSA)

From: Christopher Patton <[email protected]>
Sent: Monday, November 10, 2025 5:23 PM
To: [email protected]
Subject: [IPsec] Name of notify message for draft-ietf-ipsecme-ikev2-downgrade-prevention

Hi all,

Based on the bikeshedding we did at IETF 124, we think there's consensus for:

IKE_SA_INIT_FULL_TRANSCRIPT_AUTH

Here is the PR that adds it: https://github.com/smyslov/ikev2-downgrade-prevention/pull/14

If you have a strong opinion, please chime in. Otherwise, we'll merge the PR at the end of the week.

Thanks,
Chris P.
_______________________________________________ IPsec mailing list -- [email protected] To unsubscribe send an email to [email protected]
