Hi Paul, > On Mon, 8 Nov 2021, Tero Kivinen wrote: > > >> Does the AuthMethod apply to the algorithms within the certificate > >> as well? The RFC should clarify this. > > > > The reason for this notify is that if the peer has multiple key pairs > > (i.e., private keys) it needs to pick one private key to sign the AUTH > > payload with. If one of those private keys is using EC and another is > > using RSA, then without this notification there is no way of knowing > > which one to pick (except perhaps by prior configuration or by > > heuristics based on the CERTREQ etc). > > What will be in the notification then? Since the authenticaion method > for both is "RFC 7425 Digital Signatures" as per existing IANA registry > for IKEv2 Authentication Methods.
The notification contain a list of supported auth methods. Each method is represented by a structure containing a value for a auth method from https://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ike v2-parameters-12 IANA registry AND IF this method is "Digital Signature" (defined in RFC 7427) then IN ADDITION an AlgorithmIdentifier for the supported signature algorithm is included. So, there may be multiple "Digital Signature" auth methods with different AlgorithmIdentifiers. > We would still need a new registry or we need to identify auth algorithms > by their SPKI similar to how we can signature supported hash algorithms. > But we would prob end up with seeing lots of duplicate entries with > slightly different SPKI prefixes. We can use AlgorithmIdentifier, so no new registry is needed. But there is a trade off, so this can be discussed if the draft is adopted. > The RSS-v1.5 vs RSS-PSS is a major pain right now, and implementations > using 7425 and specifying RSA-v1.5 SHA1 are a double pain as the RFCs > clearly doesn't allow that. We run into frequent interop issues with > these. That what this draft tries to address. Regards, Valery. > Paul > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
