Re: Terminology question: "suites" vs "set of cryptographic algorithms"
The term "suite" is used inconsistently in the current document. In
some places, it means "the set of things chosen by the responder".
However, there are exceptions. I have listed what I think are the
main problems with the term "suite" in the current draft.
The third paragraph of 2.7 says:
   This hierarchical structure was designed to be able to efficiently
   encode proposals for cryptographic suites when the number of
   supported suites is large because multiple values are acceptable for
   multiple transforms. The responder MUST choose a single suite, which
   MAY be any subset of the SA proposal following the rules below:
This use of "suites" is talking about the proposals offered by the
initiator, which is the "old" use of suites.
The last sentence in 2.7 says:
   Alice MUST again propose her full
   set of acceptable cryptographic suites because the rejection message
   was unauthenticated and otherwise an active attacker could trick
   Alice and Bob into negotiating a weaker suite than a stronger one
   that they both prefer.
But Alice isn't proposing suites, she is proposing individual algorithms.
In 3.10.1 it says:
   NO_PROPOSAL_CHOSEN 14
   None of the proposed crypto suites was acceptable.
But no suites were proposed: algorithm choices were proposed.
Section 6:
   Values of the Cryptographic Suite-ID define a set of cryptographic
   algorithms to be used in an IKE, ESP, or AH SA.
We removed Suite-ID completely.
Appendix B:
   Future IANA-registered and private use Suite-IDs MAY use Diffie-
   Hellman groups that have modulus values and generators that are
   different than those in this document or in [ADDGROUP].
Ditto.
--Paul Hoffman, Director
--VPN Consortium