Valery Smyslov writes:
> > And you can always retry when you notice that you get authentication
> > error after using private key, provided you have multiple types of
> > keys.
>
> In general you can't if it is responder who selected wrong key.
That is something I realized on our way home, but i
Hi Valery,
>
> As far as I remember, the main problem was that Auth Method field in AUTH
> Payload
> was only 8 bits and its codepoints coupled signature with particular hash.
Well, this was the initial problem, but then Yoav had the great idea of
generalizing the mechanism by using the OIDs in
Hi Johannes,
Your proposal creates exactly the issue which the draft is trying to
solve: The lack of flexibility by relying on IPsec
code points for the signature algorithm (as opposed to using existing OIDs
commonly used in certificates and CMS) and
the coupling of signing algorithms and sign
Valery,
>>> I suggest to change this as following. Instead of
>>> adding IKE registry, listing hash algorithms,
>>> add registry listing combinations of hash&signature
>>> algorithms, as listed in Appendix A.
>>> So, the registry would look like:
>>>
>>> RESERVED 0
Hi Tero,
Valery Smyslov writes:
The problem, that the draft is not solving, is the situation,
when one of the peers has more than one private key, each
for different signature algorithm. This may happen if in deployed
VPN there is a need to move from one signature alg
to another (for any reason