
Re: Terminology question: "suites" vs "set of cryptographic algorithms"



The term "suite" is used inconsistently in the current document. In 
some places, it means "the set of things chosen by the responder". 
However, there are exceptions. I have listed what I think are the 
main problems with the term "suite" in the current draft.

The third paragraph of 2.7 says:
    This hierarchical structure was designed to be able to efficiently
    encode proposals for cryptographic suites when the number of
    supported suites is large because multiple values are acceptable for
    multiple transforms. The responder MUST choose a single suite, which
    MAY be any subset of the SA proposal following the rules below:
This use of "suites" is talking about the proposals offered by the 
initiator, which is the "old" use of suites.

The last sentence in 2.7 says:
    Alice MUST again propose her full
    set of acceptable cryptographic suites because the rejection message
    was unauthenticated and otherwise an active attacker could trick
    Alice and Bob into negotiating a weaker suite than a stronger one
    that they both prefer.
But Alice isn't proposing suites, she is proposing individual algorithms.

In 3.10.1 it says:
         NO_PROPOSAL_CHOSEN                       14
             None of the proposed crypto suites was acceptable.
But no suites were proposed: algorithm choices were proposed.

Section 6:
    Values of the Cryptographic Suite-ID define a set of cryptographic
    algorithms to be used in an IKE, ESP, or AH SA.
We removed Suite-ID completely.

Appendix B:
    Future IANA-registered and private use Suite-IDs MAY use Diffie-
    Hellman groups that have modulus values and generators that are
    different than those in this document or in [ADDGROUP].
Ditto.

--Paul Hoffman, Director
--VPN Consortium