
Auth Method



Greetings,

IKEv2-05 specifies only 2 values for the Auth Method field in the
Authentication Payload: Digital Signature (1) and Shared Key
Message Integrity Code (2). How could the receiver unambiguously
determine what digital signature algorithm was used: RSA, DSA or
something else? By examining the Authentication Payload length? - not a
very reliable method. Via the other entity's certificate? - but the
Certificate Payload is optional, and the entity may have several
certificates of different types.

In message http://www.vpnc.org/ietf-ipsec/mail-archive/msg02440.html
Charlie Kaufman wrote:

        Unless someone objects, I'll add a specifier of the
        authentication data type, of which we currently have 3: RSA
        signature, DSA signature, and shared key HMAC.

So, the original intention was to make the Auth Type more specific than we
have now, indicating which particular digital signature algorithm was used.
I'm curious what the rationale was for changing that intention.

Another issue - how each side can advertise the auth methods she supports.
In the same message there was some discussion on this topic and a
suggestion to use the CertRequest Payload for that purpose. Unfortunately,
it hasn't been done. Why? Are there strong objections against it?

Regards,
Valery Smyslov.
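Added example, not part of Valery's message or of any IETF text: a stdlib-only Python encoder/parser for the IKEv2 Authentication payload (generic payload header, one-octet Auth Method, three RESERVED octets, Authentication Data; RFC 4306 section 3.8 kept the draft layout), followed by the receiver-side inference the message is asking about. The two registries are the draft -05 one described in the message (1 = Digital Signature, 2 = Shared Key MIC) and the one eventually published in RFC 4306, which resolved the question by splitting the signature method into RSA (1) and DSS (3). The list of peer certificate key types fed to `infer_signature_algorithm` is a hypothetical input standing in for whatever a real implementation extracts from received CERT payloads.

```python
"""
Added example (not from the mailing-list post or any IETF document): the
IKEv2 Authentication payload on the wire, and what a receiver can infer
about the signature algorithm from the Auth Method field alone.

Layout (RFC 4306 section 3.8, same as the ikev2 drafts):
    generic header: Next Payload (1 octet), C|RESERVED (1), Payload Length (2)
    Auth Method (1 octet), RESERVED (3 octets), Authentication Data (variable)
"""
import struct
from typing import Dict, List, Optional, Tuple

# Auth Method values as the message describes draft-ietf-ipsec-ikev2-05.
AUTH_METHODS_DRAFT05: Dict[int, str] = {
    1: "Digital Signature",
    2: "Shared Key Message Integrity Code",
}
# Values as published in RFC 4306 (the per-algorithm split asked for above).
AUTH_METHODS_RFC4306: Dict[int, str] = {
    1: "RSA Digital Signature",
    2: "Shared Key Message Integrity Code",
    3: "DSS Digital Signature",
}

GENERIC_HDR = struct.Struct("!BBH")   # Next Payload, C|RESERVED, Payload Length
AUTH_HDR = struct.Struct("!B3s")      # Auth Method, RESERVED (3 octets)
FIXED_LEN = GENERIC_HDR.size + AUTH_HDR.size  # 8 octets precede the data


def build_auth_payload(auth_method: int, auth_data: bytes, next_payload: int = 0) -> bytes:
    """Encode an Authentication payload; RESERVED octets are sent as zero."""
    if not 0 <= auth_method <= 255:
        raise ValueError("Auth Method is a single octet")
    length = FIXED_LEN + len(auth_data)
    if length > 0xFFFF:
        raise ValueError("Authentication Data too long for a 16-bit Payload Length")
    return (GENERIC_HDR.pack(next_payload, 0, length)
            + AUTH_HDR.pack(auth_method, b"\x00\x00\x00")
            + auth_data)


def parse_auth_payload(buf: bytes) -> Dict[str, object]:
    """Decode an Authentication payload, checking Payload Length against the input.

    RESERVED octets MUST be sent as zero and MUST be ignored on receipt
    (RFC 4306), so a nonzero value there is deliberately not an error.
    Octets beyond Payload Length belong to the next payload, not to the data.
    """
    if len(buf) < FIXED_LEN:
        raise ValueError("truncated Authentication payload")
    next_payload, flags, length = GENERIC_HDR.unpack_from(buf, 0)
    if length < FIXED_LEN or length > len(buf):
        raise ValueError("Payload Length %d inconsistent with %d octets of input" % (length, len(buf)))
    auth_method, _reserved = AUTH_HDR.unpack_from(buf, GENERIC_HDR.size)
    return {
        "next_payload": next_payload,
        "critical": bool(flags & 0x80),   # C bit of the generic header
        "auth_method": auth_method,
        "auth_data": buf[FIXED_LEN:length],
    }


def infer_signature_algorithm(auth_method: int,
                              peer_cert_key_types: List[str],
                              registry: Dict[int, str]) -> Tuple[Optional[str], str]:
    """What the receiver can conclude about the signature algorithm.

    peer_cert_key_types is a hypothetical input for this example: the public-key
    algorithm of each certificate the peer offered in CERT payloads (possibly
    none, since CERT is optional). Returns (algorithm or None, reason).
    """
    name = registry.get(auth_method)
    if name is None:
        return None, "unknown Auth Method %d" % auth_method
    if "Signature" not in name:
        return None, name + " (no signature algorithm involved)"
    if name.startswith("RSA"):
        return "RSA", "Auth Method names the algorithm"
    if name.startswith("DSS"):
        return "DSA", "Auth Method names the algorithm"
    # Bare "Digital Signature": only the peer's certificates can disambiguate.
    distinct = sorted(set(peer_cert_key_types))
    if len(distinct) == 1:
        return distinct[0], "inferred from the single certificate key type offered"
    if not distinct:
        return None, "no CERT payload; algorithm undetermined"
    return None, "ambiguous: peer offered certificates of %s" % ", ".join(distinct)


if __name__ == "__main__":
    # Constructed sample: method 1 with 128 octets of placeholder signature data.
    payload = build_auth_payload(1, b"\x5a" * 128)
    fields = parse_auth_payload(payload)
    print("Auth Method %d, %d octets of data" % (fields["auth_method"], len(fields["auth_data"])))
    for registry in (AUTH_METHODS_DRAFT05, AUTH_METHODS_RFC4306):
        print(infer_signature_algorithm(fields["auth_method"], ["RSA", "DSA"], registry))
```

Run stand-alone, the script shows the same payload yielding "ambiguous" under the draft -05 registry and "RSA" under RFC 4306, which is exactly the gap the message points out: the payload length check is not attempted here because an RSA signature's length is simply its modulus length and says nothing the certificate does not already say.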