[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Editorial: Use of MAY in draft-ietf-ipsec-ikev2-algorithms

>>>>> "Yoav" == Yoav Nir <ynir@CheckPoint.com> writes:

 Yoav> DES may be too weak for some applications, but it is a widely
 Yoav> used standard.  It is up to the user to decide whether DES is
 Yoav> strong enough for their application or not.  We wish the
 Yoav> standards to ensure interoperability, and that means AES, 3DES
 Yoav> and DES because these are widely implemented.

There are lots of RFCs that say SHOULD NOT or MUST NOT for security
weaknesses.  Just because you can argue "the customer should decide
whether xyz is strong enough" doesn't justify a MAY there -- and I
don't think it does here, either.

 Yoav> Blowfish and IDEA are relatively rare, and have not received
 Yoav> the scrutiny that DES and AES have.  That's why they should be
 Yoav> discouraged.  Not because they are weak, but because we don't
 Yoav> know for sure how weak they are.

Ok, then the simple answer is to remove them entirely from the spec,
because they aren't really specified explicitly anyway for IPsec and
probably not implemented anywhere anyway.