
Re: IKEv2 Key Size Conformance Requirements



At 4:36 PM -0400 10/26/02, Housley, Russ wrote:
>I like the direction that we are going, but I would still like to 
>handle private keys too.  Your proposal still only imposes 
>requirements on the handling of public keys.  I think that 1024 is 
>the appropriate MUST statement for private keys.

Sorry, I took for granted that if you could use someone else's 
2048-bit public key, that you would be able to issue your own that 
size. Would the following wording be better?

>>   A conforming implementation MUST be able to create,
>>   and to authenticate with, X.509
>>   certificates containing and signed by RSA keys of size 1024, 1536, and
>>   2048 bits. It MAY process X.509 certificates of any size. If there is a
>>   limit on the length of a certificate chain, it MUST be at least 10.
>>
>>   A conforming implementation MAY accept X.509 certificates containing
>>   and signed by non-RSA keys, such as DSS keys.

--Paul Hoffman, Director
--VPN Consortium