Re: Bruce Schneier on IPsec

[tytso@mit.edu]

Steve Kent wrote:

[I tend to agree with this analysis. The argument for weak key checking
was made by folks who don't understand the cryptographic issues
involved, but who are persistent and loud, e.g., Bill Simpson. Ted T'so
(co-chair of the WG) and I discussed this problem, and tried to explain
it to the list, but were unsuccessful. Another flaw in the committee
process.] 

Actually, I think we had gotten agreement to remove the weak key check,
but it never made it into the document edit.  So I believe it was an
oversight, and I'd chalk this one up to the complexity of documents and
overtaxed document editors.  Other folks who argued quite strongly for
removing the weak key check included Bill Sommerfeld, who noted that
from a software engineering perspective, the weak key rejection case
happened so rarely, that there was danger in it being an untested code
path.  Fortunately RFC 2405 lists this as a SHOULD, and so it's
something we can adjust and remove in the next pass.

						- Ted

---

Follow-Ups:

• Re: Bruce Schneier on IPsec
• From: Paul Koning <pkoning@xedia.com>

References:

• Re: Bruce Schneier on IPsec
• From: Henry Spencer <henry@spsystems.net>
• Re: Bruce Schneier on IPsec
• From: Paul Hoffman <paul.hoffman@vpnc.org>
• Re: Bruce Schneier on IPsec
• From: Paul Hoffman <paul.hoffman@vpnc.org>
• Re: Bruce Schneier on IPsec
• From: Steve Kent <kent@bbn.com>

---

• Prev by Date: Re: Bruce Schneier on IPsec
• Next by Date: Connected Notify
• Prev by thread: Re: Bruce Schneier on IPsec
• Next by thread: Re: Bruce Schneier on IPsec
• Index(es):
  • Main
  • Thread