RE: Comments on draft-ietf-ipsec-ike-01.txt (long)
> My query would have been whether they should be prohibited
> from REJECTING a key length greater than they've configured.
>
> You configure for, say 128-bit Blowfish. I offer 448. The
> algorithm costs no more to run with the longer key. Clearly
> you SHOULD accept. I'd like to see the standard say you MUST
> accept.

This would mean that if you implement an algorithm with variable length then
you must support all key lengths?

Making this a MUST would render existing systems non-compliant even though
they are not currently required to support (e.g.) larger groups (it is only a
MUST to support group 2).

I would rather the issue of negotiating up is left to local security policy.

Chris