
Re: Last ditch proposal for crypto suites



Unless someone can describe a real-life situation for which suites-only
would not work, I think it is the best way to go. Vendors are always
free to add proprietary extensions if they want to support unspecified
algorithm combinations. If we mandate a minimal set of algorithms (and
hence a minimal set of suites), this will suffice for the vast majority
of deployments. If a la carte selection is important in a limited number
of cases, this can be supported via private payloads, limiting the
interop testing to interested parties.

Scott

Charlie_Kaufman@notesdev.ibm.com wrote:
> 
> The strong and nearly unanimous reaction to this question this time leads
> me to make a more radical proposal:
> 
> I propose that we remove the text for a la carte negotiation from the IKEv2
> spec, and escrow it in a bombproof vault somewhere in case future
> generations want it, and replace it with the proposal from my last message
> for specifying suites only. If we ever need a la carte, we
> have a backwards compatible way to add it in, but in the meantime we won't
> specify it. And if we're lucky, no one will ever miss it.
> 
>           --Charlie
> 
> Opinions expressed may not even be mine by the time you read them, and
> certainly don't reflect those of any other entity (legal or otherwise).