IKEv2 Key Size Conformance Requirements

["Housley, Russ" <rhousley@rsasecurity.com>]

I am a bit confused by the text in IKEv2-03.  I repeat a few paragraphs 
from section 6:

    X.509 certificates containing and signed by RSA keys of size 512,
    768, 1024, and 2048 bits. (It SHOULD accept RSA keys of any multiple
    of 8 bits in size from 512 bits to 4092 bits, and MAY accept RSA keys
    of any size).  If there is a limit on the size of an X.509
    certificate, it MUST be at least 8K. If there is a limit on the
    length of a certificate chain, it MUST be at least 10.

    X.509 certificates containing and signed by DSS keys of size 512,
    768, 1024, and 2048 bits. (It MAY accept DSS keys of any size).

Here are my concerns:

1.  The first sentence  of the first paragraph does not contain a MUST.  I 
think we want implementation to be able to perform RSA public key 
operations using 512, 768, 1024, and 2048 bit RSA public keys.

2.  I think that conformance statements about X.509 certificate buffer 
sizes should be handled in a separate paragraph.  Units should also be 
provided.  8K bits?  That is probably too small.  8K octets?  This is 
probably over kill.  2K octets is adequate most certificates.

3.  The first sentence of the second paragraph does not contain a MUST.  I 
think we want implementation to be able to perform DSS public key 
operations using 512, 768, 1024, and 2048 bit DSS public keys.

4.  [DSS] does not permit 2048 bit public keys.  An updated reference is 
needed.

5.  I would like to see requirements on private key operations too.  Recent 
guidance from NIST indicates that 1024 bit RSA and DSS keys are adequate 
for protection of sensitive data until the year 2015.  This seems like good 
justification for making support for 1024 bit private key operations the 
MUST.  Of course, implementations MAY support any key size....

Russ