Hi

If you're bissing this thing, can we please please please entirely get rid of 
the requirement to use ECDSA certificates?

While the algorithms and DH groups are subject to configuration in the UI and 
negotiation in IKE, the algorithm used to sign the certificates is outside the 
IKE implementation. You usually have a certificate that you need to use, and 
it's the CA's decision whether this is signed with RSA, DSA or ECDSA. There's 
even some ambiguity, because it's not necessarily true that the public key in 
the certificate is for the same algorithms used to sign the certificate.

The UI suites RFC that defined VPN-A and VPN-B did not mandate RSA or DSA. I 
don't see why 4869 or 4869-bis should. I don't think it's part of the algorithm 
configuration.

Yoav
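
As an added illustration of the point made above (example code written for this page, not part of the thread or of any IKE implementation): the algorithm a CA uses to sign a certificate and the algorithm of the public key inside that certificate are two independent choices. The Go program below, using only the standard library, constructs a self-signed RSA CA, issues an ECDSA (P-256) end-entity certificate signed by that RSA CA, and then reads both algorithm fields back from the parsed leaf. The CA name and the subject name "vpn-gw.example" are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertAlgorithms holds the two separate algorithm choices in one X.509
// certificate: how the issuer signed it, and what kind of key it carries.
type CertAlgorithms struct {
	SignatureAlgorithm x509.SignatureAlgorithm
	PublicKeyAlgorithm x509.PublicKeyAlgorithm
}

// buildChain constructs (for this example only) an RSA CA and an ECDSA leaf
// certificate issued by that CA. It returns the leaf DER and the parsed CA cert.
func buildChain() ([]byte, *x509.Certificate, error) {
	now := time.Now()

	// CA side: RSA key, self-signed. Go picks SHA256WithRSA for an RSA signer
	// when the template leaves SignatureAlgorithm unset.
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example RSA CA"}, // constructed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}

	// End-entity side: an ECDSA key, but the signature over the certificate is
	// still made with the CA's RSA key. The subject never chose RSA.
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "vpn-gw.example"}, // constructed name
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	return leafDER, caCert, nil
}

// Inspect parses a DER certificate and reports both algorithm fields, which is
// what an IKE peer actually sees when it receives a CERT payload.
func Inspect(der []byte) (CertAlgorithms, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return CertAlgorithms{}, err
	}
	return CertAlgorithms{cert.SignatureAlgorithm, cert.PublicKeyAlgorithm}, nil
}

// MixedChainAlgorithms builds the chain, inspects the leaf, and checks that the
// RSA signature over the ECDSA-keyed leaf verifies against the CA.
func MixedChainAlgorithms() (CertAlgorithms, bool, error) {
	leafDER, caCert, err := buildChain()
	if err != nil {
		return CertAlgorithms{}, false, err
	}
	algs, err := Inspect(leafDER)
	if err != nil {
		return CertAlgorithms{}, false, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return CertAlgorithms{}, false, err
	}
	return algs, leaf.CheckSignatureFrom(caCert) == nil, nil
}

func main() {
	algs, verifies, err := MixedChainAlgorithms()
	if err != nil {
		panic(err)
	}
	fmt.Printf("signature algorithm: %s\npublic key algorithm: %s\nchain verifies: %v\n",
		algs.SignatureAlgorithm, algs.PublicKeyAlgorithm, verifies)
}
```

The leaf reports SHA256WithRSA as its signature algorithm and ECDSA as its public key algorithm, and the chain verifies. A profile that says "certificates MUST be ECDSA" has to say which of these two fields it means; only the second is something the certificate holder controls, and neither is part of the SA algorithm negotiation.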

________________________________________
From: ipsec-boun...@ietf.org [ipsec-boun...@ietf.org] On Behalf Of Law, Laurie 
[le...@tycho.ncsc.mil]
Sent: Wednesday, November 11, 2009 00:15
To: ipsec@ietf.org
Subject: [IPsec] RFC4869 bis submitted

A bis has been submitted for RFC 4869, "Suite B Cryptographic Suites for 
IPsec". It is available at http://tools.ietf.org/html/draft-law-rfc4869bis-00

This Internet-Draft makes several minor changes to the suites in RFC 4869 and 
incorporates comments that have been posted to the ipsec mailing list.

Laurie Law
National Information Assurance Research Laboratory
National Security Agency
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec