Re: IKEv2 (son-of-ike) draft
Henry Spencer <henry@spsystems.net> writes:
> > Lack of a standard way of doing it... Do you use raw RSA N/e, PGP key
> > format, X.509 format? If a certificate format (PGP/X.509/etc) what
> > signatures are required, if any? IKE doesn't specify any of this, and
> > quite frankly a number of implementations do it differently.
>
> So *pick one*. Just because there are ten different ways of doing it
> doesn't mean you have to support all ten, or stand there frozen because
> you're unable to make up your mind.
Right, and implementation A picks method X, and implementation B picks
method Y, and implementation C picks method Z, which makes sharing
keys a huge hassle.
For example, in order to get FreeS/WAN to interoperate with, say,
NetBSD, I think I'm going to have to use OpenSSL to generate an X.509
self-signed certificate and then extract the key into FreeS/WAN so
that NetBSD (and some other implementations) can have access to an
X.509 cert.
This is just a pain in the butt, and should not be left to
implementors. Then again, the Security Area can't seem to agree on a
format, either. :(
> Henry Spencer
> henry@spsystems.net
-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available
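
The format mismatch discussed in this message, as an added example that is not part of the original post: the same RSA public key (N, e) written in the raw RFC 2537/3110 layout and as an X.509 SubjectPublicKeyInfo, with a parser that recovers N and e from the latter. The function names and the toy key are constructed for illustration.

```python
# DER AlgorithmIdentifier { rsaEncryption (1.2.840.113549.1.1.1), NULL }
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")
def _int_bytes(v):
    return v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")

def _tlv(tag, body):
    n = len(body)  # DER definite length: short form below 0x80, else long form
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(_int_bytes(n))]) + _int_bytes(n)
    return bytes([tag]) + length + body

def _der_int(v):
    b = _int_bytes(v)
    return _tlv(0x02, b"\x00" + b if b[0] & 0x80 else b)  # pad so it stays positive

def raw_to_rfc3110(n, e):
    """Raw key: exponent length, exponent, modulus (RFC 2537/3110 layout)."""
    eb = _int_bytes(e)
    prefix = bytes([len(eb)]) if len(eb) <= 255 else b"\x00" + len(eb).to_bytes(2, "big")
    return prefix + eb + _int_bytes(n)

def raw_to_spki(n, e):
    """Same key as an X.509 SubjectPublicKeyInfo (DER)."""
    rsa_pub = _tlv(0x30, _der_int(n) + _der_int(e))  # PKCS#1 RSAPublicKey
    return _tlv(0x30, RSA_ALG_ID + _tlv(0x03, b"\x00" + rsa_pub))

def _read(buf, pos, tag):
    """Read one TLV at pos; return (body, next_pos)."""
    if len(buf) < pos + 2 or buf[pos] != tag:
        raise ValueError("unexpected or missing DER tag")
    n, pos = buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER")
    return buf[pos:pos + n], pos + n

def spki_to_raw(der):
    """Recover (n, e) from a SubjectPublicKeyInfo; reject non-RSA keys."""
    spki, _ = _read(der, 0, 0x30)
    if not spki.startswith(RSA_ALG_ID):
        raise ValueError("not an rsaEncryption key")
    bits, _ = _read(spki, len(RSA_ALG_ID), 0x03)
    seq, _ = _read(bits[1:], 0, 0x30)
    n_b, p = _read(seq, 0, 0x02)
    e_b, _ = _read(seq, p, 0x02)
    return int.from_bytes(n_b, "big"), int.from_bytes(e_b, "big")

# Constructed toy numbers (n = 61 * 53), not a usable key.
N, E = 3233, 65537
```

Both encodings carry the same two integers; the key material is identical and only the wrapper differs, which is why a conversion step is needed between implementations that chose different formats.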