Sorry for not picking this up earlier, I intended to write about this, 
but forgot.

On Wed, 4 Aug 2004 [EMAIL PROTECTED] wrote:
> Russ says:
> 
>   In section 8.4, one of my previous comments was rejected without
>   explanation.  I said:  "I am uncomfortable with support for IKE being
>   a MAY.  It ought to be a SHOULD."  While I understand that an 
>   Informational document is an inappropriate vehicle to impose this
>   requirement, the deployment benefits can be pointed out.
>   
> My proposed text is:
> 
> 8.4 Key Management Methods
> 
>       An implementation MUST support the manual configuration of the security key and
>       SPI.  The SPI configuration is needed in order to delineate between multiple
>       keys.
> 
>       Key management SHOULD be supported.  Examples of key management systems 
>       include IKEv1 [RFC-2407] [RFC-2408] [RFC-2409], IKEv2 [IKEv2] and Kerberos; 
>       S/MIME and TLS include key management functions.
> 
>       Where key refresh, anti-replay features of AH and ESP, or on-demand creation
>       of Security Associations (SAs) is required, automated keying MUST be
>       supported.
> 
>       Key management methods for multicast traffic are also being worked on by the 
>       MSEC WG.
> 
> I still need to get an OK from Russ, if the text is accurate & meets his concerns.
> However, I need to get input from the WG if this is OK as well.

I don't know how intentional Russ's wording is, but if it is, this 
certainly doesn't address it.

Russ says, "IKE should be a SHOULD".

You've written this as, "Key management is a SHOULD.  There are a
number of key management techniques, including (but not limited to)
IKE.  Even TLS includes key management."

The reader of the spec could implement Kerberos, which would leave him
w/o automatic key management for IPsec.  The reader might also read
this so that just implementing TLS would be enough, when it clearly
isn't.

Why don't you just specify either IKEv1 or IKEv2 as a SHOULD, and put 
a MAY or some other mention to the rest?

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings


--------------------------------------------------------------------
IETF IPv6 working group mailing list
[EMAIL PROTECTED]
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------