In RFC 5996 we have a format for Raw RSA keys (using the PKCS#1 format).
The current buzzword-compatible mantra seems to be ECDSA, or Elliptic
Curve keys in general, so perhaps we should also allow Raw ECDSA keys
to be used in IKEv2?

For the format we could either use one of the following:

1) RFC 5480
2) draft-hoffman-dnssec-ecdsa-04
3) Roll our own
4) A combination of a few of the above

RFC 5480 has the problem that it uses ASN.1, and many of the people
want to use Raw Public Keys just because they do not want to use
self-signed certificates, because of the ASN.1 requirement.

draft-hoffman-dnssec-ecdsa-04 uses the DNSSEC registries; do we want to
reuse them?

Case 4 would most likely be best, meaning we create our own wrapper
format where we carry the curve information using our own registry (or
reuse the IKEv2 Authentication Method registry, as the key will be used
to create the Authentication Payload anyway), and then attach to that
either the format from draft-hoffman-dnssec-ecdsa-04 section 4 or the
one from RFC 5480 section 2.2.
-- 
kivi...@iki.fi
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
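As an added illustration of the case-4 wrapper described in the post above (example code, not from the post or from any IKEv2 implementation), the Python below assumes a one-octet curve identifier from a made-up registry, followed by the public point Q in either the draft-hoffman-dnssec-ecdsa section 4 form (plain x | y) or the RFC 5480 section 2.2 ECPoint form (0x04 || x || y, or 0x02/0x03 || x compressed), and checks that whatever it decodes is actually a point on the named curve. The wrapper layout and the registry numbers are assumptions; the P-256 and P-384 domain parameters are the published NIST values.

```python
# Illustrative raw ECDSA public key wrapper for IKEv2 (added example).
# Assumed layout, not taken from any RFC or draft:
#   octet 0     hypothetical curve identifier (registry numbers made up)
#   octets 1..  the public point Q, as draft-hoffman-dnssec-ecdsa section 4
#               "x | y", or as an RFC 5480 section 2.2 / SEC1 ECPoint.
from dataclasses import dataclass


@dataclass(frozen=True)
class Curve:
    name: str
    p: int          # field prime
    a: int          # coefficient a (p - 3 for the NIST prime curves)
    b: int          # coefficient b
    coord_len: int  # octets per coordinate


# Published NIST P-256 and P-384 domain parameters.
P256 = Curve("P-256",
             p=0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF,
             a=0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC,
             b=0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B,
             coord_len=32)
P384 = Curve("P-384",
             p=2**384 - 2**128 - 2**96 + 2**32 - 1,
             a=2**384 - 2**128 - 2**96 + 2**32 - 4,
             b=0xB3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141120314088F5013875AC656398D8A2ED19D2A85C8EDD3EC2AEF,
             coord_len=48)

# Hypothetical curve registry (placeholder numbers; the post leaves open
# whether this is a new registry or the IKEv2 Authentication Method one).
CURVE_IDS = {1: P256, 2: P384}

# P-256 base point G, used only as a known-good public point for the demo.
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5


def on_curve(curve, x, y):
    """True if (x, y) is reduced mod p and satisfies y^2 = x^3 + a*x + b."""
    if not (0 <= x < curve.p and 0 <= y < curve.p):
        return False
    return (y * y - (x ** 3 + curve.a * x + curve.b)) % curve.p == 0


def encode_dnssec(curve, x, y):
    """draft-hoffman-dnssec-ecdsa section 4 style: fixed-width x | y, no prefix."""
    n = curve.coord_len
    return x.to_bytes(n, "big") + y.to_bytes(n, "big")


def encode_ecpoint(curve, x, y, compressed=False):
    """RFC 5480 section 2.2 / SEC1 ECPoint octet string."""
    n = curve.coord_len
    if compressed:
        return bytes([0x02 | (y & 1)]) + x.to_bytes(n, "big")
    return b"\x04" + x.to_bytes(n, "big") + y.to_bytes(n, "big")


def decode_point(curve, data):
    """Accept either encoding; reject anything that is not a point on the curve."""
    n = curve.coord_len
    if len(data) == 2 * n:                                # x | y
        x = int.from_bytes(data[:n], "big")
        y = int.from_bytes(data[n:], "big")
    elif len(data) == 2 * n + 1 and data[0] == 0x04:      # uncompressed ECPoint
        x = int.from_bytes(data[1:n + 1], "big")
        y = int.from_bytes(data[n + 1:], "big")
    elif len(data) == n + 1 and data[0] in (0x02, 0x03):  # compressed ECPoint
        x = int.from_bytes(data[1:], "big")
        if x >= curve.p:
            raise ValueError("x not reduced mod p")
        # Both registered curves have p = 3 (mod 4), so sqrt(r) = r^((p+1)/4).
        rhs = (x ** 3 + curve.a * x + curve.b) % curve.p
        y = pow(rhs, (curve.p + 1) // 4, curve.p)
        if (y * y) % curve.p != rhs:
            raise ValueError("x is not the abscissa of a point on " + curve.name)
        if (y & 1) != (data[0] & 1):
            y = curve.p - y
    else:
        raise ValueError("unrecognised point encoding for " + curve.name)
    if not on_curve(curve, x, y):
        raise ValueError("point is not on " + curve.name)
    return x, y


def wrap(curve_id, point):
    """Hypothetical wrapper: one curve-id octet followed by the point encoding."""
    if curve_id not in CURVE_IDS:
        raise ValueError("unknown curve id %d" % curve_id)
    return bytes([curve_id]) + point


def unwrap(blob):
    """Parse the wrapper into (curve, x, y), validating the point on the way."""
    if not blob or blob[0] not in CURVE_IDS:
        raise ValueError("empty blob or unknown curve id")
    curve = CURVE_IDS[blob[0]]
    x, y = decode_point(curve, blob[1:])
    return curve, x, y
```

Whichever point format the wrapper ends up carrying, the receiver still has to check that the decoded x and y are reduced modulo p and satisfy the curve equation before using Q to verify an AUTH payload; decode_point does that for both encodings, and also recovers y for a compressed ECPoint, which RFC 5480 allows implementations to support but only requires the uncompressed form.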