Re: IKEv2 Key Size Conformance Requirements



Paul:

No.  A CA, not an IPsec implementation, creates certificates.

Russ

At 08:23 AM 10/28/2002 -0800, Paul Hoffman / VPNC wrote:
>At 4:36 PM -0400 10/26/02, Housley, Russ wrote:
>>I like the direction that we are going, but I would still like to handle 
>>private keys too.  Your proposal still only imposes requirements on the 
>>handling of public keys.  I think that 1024 is the appropriate MUST 
>>statement for private keys.
>
>Sorry, I took for granted that if you could use someone else's 2048-bit 
>public key, that you would be able to issue your own that size. Would the 
>following wording be better?
>
>>>   A conforming implementation MUST be able to create,
>>>   and to authenticate with, X.509
>>>   certificates containing and signed by RSA keys of size 1024, 1536, and
>>>   2048 bits. It MAY process X.509 certificates of any size. If there is a
>>>   limit on the length of a certificate chain, it MUST be at least 10.
>>>
>>>   A conforming implementation MAY accept X.509 certificates containing
>>>   and signed by non-RSA keys, such as DSS keys.
>
>--Paul Hoffman, Director
>--VPN Consortium