
Re: Auth Method

The public key type is encoded in the key itself. So even if you use
signatures without certs, you still have the information.

Jeff

Valery Smyslov wrote:

> Greetings,
>
> IKEv2-05 specifies only 2 values for the Auth Method field in the
> Authentication Payload: Digital Signature (1) and Shared Key
> Message Integrity Code (2). How could the receiver unambiguously
> determine what digital signature algorithm was used: RSA, DSA or
> something else? By examining the Authentication Payload length? - not a
> very reliable method. Via the other entity's certificate? - but the
> Certificate Payload is optional, and the entity may have several
> certificates of different types.
>
> In message http://www.vpnc.org/ietf-ipsec/mail-archive/msg02440.html
> Charlie Kaufman wrote:
>
>         Unless someone objects, I'll add a specifier of the
>         authentication data type, of which we currently have 3: RSA
>         signature, DSA signature, and shared key HMAC.
>
> So, the original intention was to make Auth Type more specific than we
> have now, indicating what particular digital signature algorithm was used.
> I'm curious what the rationale was for changing that intention.
>
> Another issue - how can each side advertise the auth methods she supports?
> In the same message there was some discussion on this topic and a
> suggestion to use the CertRequest Payload for that purpose. Unfortunately,
> it hasn't been done. Why? Are there strong objections against it?
>
> Regards,
> Valery Smyslov.
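As an added example (not code from this thread or from any IKEv2 implementation), a small Python parser that reads the Authentication payload header discussed above and then recovers the key type from the peer's DER-encoded SubjectPublicKeyInfo, which is where Jeff's point lands: Auth Method 1 only says "digital signature", while the algorithm OID inside the key itself names RSA or DSA. The payload layout (generic header, Auth Method byte, three RESERVED bytes, then Authentication Data) is assumed to be the one that later became RFC 4306; the sample keys are constructed placeholders carrying genuine algorithm OIDs.

```python
import struct

AUTH_METHODS = {1: "Digital Signature", 2: "Shared Key Message Integrity Code"}
# Algorithm OIDs that name the key type inside a DER SubjectPublicKeyInfo
KEY_TYPE_OIDS = {"1.2.840.113549.1.1.1": "RSA", "1.2.840.10040.4.1": "DSA"}

def parse_auth_payload(data: bytes) -> dict:
    """Next Payload | C+Reserved | Payload Length | Auth Method | 3 RESERVED | Auth Data."""
    if len(data) < 8:
        raise ValueError("truncated Authentication payload")
    next_payload, flags, length, method = struct.unpack("!BBHB", data[:5])
    if length != len(data):
        raise ValueError("Payload Length does not match the bytes received")
    return {"next_payload": next_payload, "critical": bool(flags & 0x80), "auth_method": method,
            "auth_method_name": AUTH_METHODS.get(method, "unknown"), "auth_data": data[8:]}

def _der_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length, as in any real (>127-byte) RSA SPKI
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _der_oid(content: bytes) -> str:
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def key_type_from_spki(spki: bytes) -> str:
    """SubjectPublicKeyInfo ::= SEQUENCE { SEQUENCE { algorithm OID, params }, BIT STRING }."""
    tag, body, _ = _der_tlv(spki, 0)
    tag2, algid, _ = _der_tlv(body, 0)
    tag3, oid, _ = _der_tlv(algid, 0)
    if (tag, tag2, tag3) != (0x30, 0x30, 0x06):
        raise ValueError("not a DER SubjectPublicKeyInfo")
    return KEY_TYPE_OIDS.get(_der_oid(oid), "unknown")

def signature_algorithm(payload: bytes, peer_spki: bytes) -> str:
    """Auth Method 1 says only 'digital signature'; the peer's key type says which one."""
    parsed = parse_auth_payload(payload)
    return key_type_from_spki(peer_spki) if parsed["auth_method"] == 1 else parsed["auth_method_name"]

# Constructed samples: genuine rsaEncryption / id-dsa OIDs, placeholder key bits (not usable keys)
RSA_SPKI = bytes.fromhex("3014300d06092a864886f70d01010105000303000102")
DSA_SPKI = bytes.fromhex("300f300906072a8648ce38040103020003")
```

With a real certificate, the same OID lookup applies to the SubjectPublicKeyInfo extracted from it, which is why the receiver can pick the right verification algorithm even though the Auth Method value alone does not say.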