Re: [IPsec] RFC4307bis and authentication methods

2015-12-10 Thread Daniel Migault
Hi,

I have the impression the recommendation goes beyond the scope of IKEv2 and
is more targeting Certificates. On the other hand, having these
requirements would make all cryptographic requirements fit into a single
document, IKEv2. As a result, I would rather have a section with a link to a
document that contains requirements that are specific to the Certificates.

I am also wondering if the IKEv2 spec should not also point to that
document.

BR,
Daniel

On Thu, Dec 10, 2015 at 9:00 AM, Tero Kivinen wrote:

> During the draft-ietf-lwig-ikev2-minimal Stephen pointed out that in
> my draft I have copied requirements from the RFC7296:
>
> --
> ...
>    For an implementation to be called conforming to this specification,
>    it MUST be possible to configure it to accept the following:
>
>    o  Public Key Infrastructure using X.509 (PKIX) Certificates
>       containing and signed by RSA keys of size 1024 or 2048 bits, where
>       the ID passed is any of ID_KEY_ID, ID_FQDN, ID_RFC822_ADDR, or
>       ID_DER_ASN1_DN.
> ...
> --
>
> And he pointed out that this asks for the mandatory to implement key
> size for RSA to be 1024 or 2048 bits.
>
> It is not up to the ikev2-minimal to change these, but RFC4307bis is
> a different thing.
>
> I.e. should we modify this also while updating the RFC4307? We could
> add a section about the mandatory to implement authentication methods,
> and specify which methods are to be used, for example require RSA key
> lengths of 2048 bits, and perhaps say that implementations SHOULD
> support RSA key lengths up to 4096 bits.
>
> For the elliptic curves we might want to say something about the signature
> authentication method (RFC 7427) as that supports generic elliptic
> curves, not only the NIST versions. Also should we say something about
> the RSASSA-PKCS1-v1_5 vs RSASSA-PSS?
> --
> kivi...@iki.fi
>
___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec


[IPsec] Milestones changed for ipsecme WG

2015-12-10 Thread IETF Secretariat
Changed milestone "IETF Last Call on cryptographic algorithms for
IKEv2", set state to active from review, accepting new milestone.

Changed milestone "IETF Last Call on Curve25519 and Curve448 for
IKEv2", set state to active from review, accepting new milestone.

URL: https://datatracker.ietf.org/wg/ipsecme/charter/



[IPsec] RFC4307bis and authentication methods

2015-12-10 Thread Tero Kivinen
During the draft-ietf-lwig-ikev2-minimal Stephen pointed out that in
my draft I have copied requirements from the RFC7296:

--
...
   For an implementation to be called conforming to this specification,
   it MUST be possible to configure it to accept the following:

   o  Public Key Infrastructure using X.509 (PKIX) Certificates
      containing and signed by RSA keys of size 1024 or 2048 bits, where
      the ID passed is any of ID_KEY_ID, ID_FQDN, ID_RFC822_ADDR, or
      ID_DER_ASN1_DN.
...
--

And he pointed out that this asks for the mandatory to implement key
size for RSA to be 1024 or 2048 bits.

It is not up to the ikev2-minimal to change these, but RFC4307bis is
a different thing.

I.e. should we modify this also while updating the RFC4307? We could
add a section about the mandatory to implement authentication methods,
and specify which methods are to be used, for example require RSA key
lengths of 2048 bits, and perhaps say that implementations SHOULD
support RSA key lengths up to 4096 bits.

For the elliptic curves we might want to say something about the signature
authentication method (RFC 7427) as that supports generic elliptic
curves, not only the NIST versions. Also should we say something about
the RSASSA-PKCS1-v1_5 vs RSASSA-PSS?
-- 
kivi...@iki.fi

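The policy questions raised in this thread (an RSA key-size floor, PKCS#1 v1.5 versus PSS, and the RFC 7427 Digital Signature method that carries an AlgorithmIdentifier in the AUTH payload) are what a responder would enforce when it receives a peer's AUTH payload. The following is an added illustration, not code from the thread or from any IKEv2 implementation: it reads the Auth Method and, for method 14, the DER AlgorithmIdentifier's OID, then applies a constructed local policy; the 2048-bit floor, the sample payloads and the dummy signature bytes are constructed, the peer's RSA modulus size is passed in rather than parsed from a certificate, and only DER short-form lengths are handled.

```python
"""Classify the signature scheme in an IKEv2 AUTH payload and apply a
local acceptance policy. Thresholds and sample payloads are constructed."""
from dataclasses import dataclass

AUTH_RSA_SIG = 1       # RFC 7296 method 1: RSASSA-PKCS1-v1_5, SHA-1 hash
AUTH_DIGITAL_SIG = 14  # RFC 7427 method 14: AlgorithmIdentifier in payload

# DER OID contents -> scheme name (dotted OID in the comment)
OIDS = {
    bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",    # 1.2.840.113549.1.1.5
    bytes.fromhex("2a864886f70d01010b"): "sha256WithRSAEncryption",  # 1.2.840.113549.1.1.11
    bytes.fromhex("2a864886f70d01010a"): "RSASSA-PSS",               # 1.2.840.113549.1.1.10
    bytes.fromhex("2a8648ce3d040302"):   "ecdsa-with-SHA256",        # 1.2.840.10045.4.3.2
}

@dataclass
class AuthInfo:
    method: int
    scheme: str

def parse_auth_data(data: bytes) -> AuthInfo:
    """data: AUTH payload body after the generic payload header.
    Layout: Auth Method (1) | RESERVED (3) | for method 14:
    ASN.1 Length (1) | AlgorithmIdentifier | Signature Value."""
    if len(data) < 4:
        raise ValueError("truncated AUTH payload")
    method = data[0]
    if method == AUTH_RSA_SIG:
        return AuthInfo(method, "sha1WithRSAEncryption")
    if method != AUTH_DIGITAL_SIG:
        return AuthInfo(method, "unknown")
    if len(data) < 5:
        raise ValueError("missing ASN.1 Length octet")
    asn1_len = data[4]
    algid = data[5:5 + asn1_len]
    # AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY }
    # Only DER short-form lengths (< 128 octets) are handled here.
    if (len(algid) != asn1_len or asn1_len < 4 or algid[0] != 0x30
            or algid[1] != asn1_len - 2 or algid[2] != 0x06):
        raise ValueError("malformed AlgorithmIdentifier")
    oid = algid[4:4 + algid[3]]
    return AuthInfo(method, OIDS.get(oid, "unknown"))

def check_policy(info: AuthInfo, peer_key_bits: int, min_rsa_bits: int = 2048):
    """Return (accept, reason); peer_key_bits is the RSA modulus size from
    the peer's certificate (certificate parsing is out of scope here)."""
    if info.scheme == "unknown":
        return False, "unrecognised authentication method or algorithm"
    if info.scheme == "sha1WithRSAEncryption":
        return False, "RSASSA-PKCS1-v1_5 with SHA-1 is not accepted"
    if info.scheme.startswith("ecdsa"):
        return True, info.scheme
    if peer_key_bits < min_rsa_bits:
        return False, f"RSA key of {peer_key_bits} bits is below the {min_rsa_bits}-bit floor"
    return True, f"{info.scheme} with a {peer_key_bits}-bit RSA key"

# Constructed sample: method 14, sha256WithRSAEncryption, dummy signature bytes
SAMPLE_RSA_SHA256 = (bytes([14, 0, 0, 0, 15])
                     + bytes.fromhex("300d06092a864886f70d01010b0500") + b"\x00" * 8)
```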


[IPsec] Milestones changed for ipsecme WG

2015-12-10 Thread IETF Secretariat
Deleted milestone "IETF Last Call on null authentication".

URL: https://datatracker.ietf.org/wg/ipsecme/charter/



[IPsec] Milestones changed for ipsecme WG

2015-12-10 Thread IETF Secretariat
Deleted milestone "IETF Last Call on Chacha20-Poly1305".

URL: https://datatracker.ietf.org/wg/ipsecme/charter/
