[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: IKEv2 Key Size Conformance Requirements
Paul:
No. A CA, not a IPsec implementation, creates certificates.
Russ
At 08:23 AM 10/28/2002 -0800, Paul Hoffman / VPNC wrote:
>At 4:36 PM -0400 10/26/02, Housley, Russ wrote:
>>I like the direction that we are going, but I would still like to handle
>>private keys too. Your proposal still only imposes requirements on the
>>handling of public keys. I think that 1024 is the appropriate MUST
>>statement for private keys.
>
>Sorry, I took for granted that if you could use someone else's 2048-bit
>public key, that you would be able to issue your own that size. Would the
>following wording be better?
>
>>> A conforming implementation MUST be able to create,
>>> and to authenticate with, X.509
>>> certificates containing and signed by RSA keys of size 1024, 1536, and
>>> 2048 bits. It MAY process X.509 certificates of any size. If there is a
>>> limit on the length of a certificate chain, it MUST be at least 10.
>>>
>>> A conforming implementation MAY accept X.509 certificates containing
>>> and signed by non-RSA keys, such as DSS keys.
>
>--Paul Hoffman, Director
>--VPN Consortium