
Re: Terminology question: "suites" vs "set of cryptographic algorithms"

At 11:33 PM -0400 5/9/03, Charlie_Kaufman@notesdev.ibm.com wrote:
>Paul Hoffman / VPNC <paul.hoffman@vpnc.org> wrote on 05/02/2003 07:40:30 PM:
>>  The term "suite" is used inconsistently in the current document. In
>>  some places, it means "the set of things chosen by the responder".
>>  However, there are exceptions. I have listed what I think are the
>>  main problems with the term "suite" in the current draft.
>>
>I've tried to use it to mean "a collection of algorithms used together
>in an SA". The initiator proposes multiple suites (not as a list, but
>as a Chinese menu (I hope that term has not become politically
>incorrect)), and the responder selects one.
>
>To clarify this, I changed the third paragraph of IKE Protocol Overview to
>the following:
>
>IKE performs mutual authentication between two parties and establishes
>an IKE security association that includes shared secret information
>that can be used to efficiently establish SAs for ESP [RFC2406] and/or
>AH [RFC2402] and a set of cryptographic algorithms to be used to protect
>the SAs. In this document, the term "suite" or "cryptographic suite"
>refers to a complete set of algorithms used to protect an SA. An
>initiator proposes one or more suites by listing supported algorithms
>that can be combined into suites in a mix and match fashion. IKE can
>also negotiate use of IPcomp [RFC2393] in connection with an ESP and/or
>AH SA. We call the IKE SA an "IKE_SA". The SAs for ESP and/or AH that
>get set up through that IKE_SA we call "CHILD_SA"s.
>
>Does that help?

Yes, definitely. It encompasses both the proposal and the result.

--Paul Hoffman, Director
--VPN Consortium
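As an added illustration (not part of the thread, and not the draft's own wire format), the following Python model shows the "Chinese menu" negotiation described above: the initiator lists acceptable algorithms per transform type, the responder picks one of each to form a suite, and the initiator checks that the returned suite consists only of algorithms it actually offered. The transform type names and algorithm labels are constructed placeholders, not the registry identifiers IKE carries on the wire.

```python
from itertools import product

# Constructed proposal: per transform type, the algorithms the initiator
# is willing to use, in preference order. Labels are illustrative only.
PROPOSAL = {
    "ENCR": ["AES-CBC-256", "AES-CBC-128", "3DES"],
    "INTEG": ["HMAC-SHA1-96", "HMAC-MD5-96"],
    "PRF": ["PRF-HMAC-SHA1"],
    "DH": ["MODP-2048", "MODP-1024"],
}

# Constructed responder policy: what the responder is willing to accept.
RESPONDER_SUPPORTED = {
    "ENCR": {"AES-CBC-128", "3DES"},
    "INTEG": {"HMAC-SHA1-96"},
    "PRF": {"PRF-HMAC-SHA1"},
    "DH": {"MODP-2048"},
}


def enumerate_suites(proposal):
    """Expand a mix-and-match proposal into every complete suite it implies
    (one algorithm of each type). Shows why a 'menu' is not a 'list'."""
    types = list(proposal)
    return [dict(zip(types, combo))
            for combo in product(*(proposal[t] for t in types))]


def select_suite(proposal, supported):
    """Responder side: choose the first acceptable algorithm of each type,
    honouring the initiator's order. Return None if any type has no overlap,
    which means no complete suite exists and the proposal must be rejected."""
    suite = {}
    for ttype, candidates in proposal.items():
        chosen = next((a for a in candidates
                       if a in supported.get(ttype, ())), None)
        if chosen is None:
            return None
        suite[ttype] = chosen
    return suite


def validate_selection(proposal, suite):
    """Initiator side: accept the responder's answer only if it names exactly
    one algorithm for every proposed type and each one was actually offered.
    Rejecting anything else prevents a peer from 'selecting' a suite the
    initiator never proposed (e.g. a weaker or null algorithm)."""
    if suite is None or set(suite) != set(proposal):
        return False
    return all(suite[t] in proposal[t] for t in proposal)
```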