Re: Remove little-used algorithms from IKEv2
At 8:19 PM -0500 3/14/02, Derek Atkins wrote:
>Paul Hoffman / VPNC <paul.hoffman@vpnc.org> writes:
>
>> In the same vein, all certificate formats other than #4 (X.509
>> Certificate - Signature) should be deprecated as well. "PKCS #7
>> wrapped X.509 certificate" is particularly bad given that there is no
>> standard for how to "wrap" a certificate.
>
>I'm not sure I agree with the first statement here. I'm willing to be
>convinced, but I think PGP certificates and maybe raw RSA keys are
>both reasonable as well.
PGP certificates seem to be in permanent experimental state with no
customer demand for them. The same is true for bare RSA keys. Yes,
there are probably some people who want them, but there are some
people who might want any of the features we are removing. PGP certs
don't have any better security features than PKIX certs, and bare RSA
keys have fewer security features than PKIX certs.
--Paul Hoffman, Director
--VPN Consortium