Suggested wording for weak key lengths in IKEv2
Greetings again. Now that the WG last call is finished, it seems
like having proposed wording might help resolve some of the open
issues on Angelos' issue list. (You all are watching
The issue that has the most issue numbers is the deprecating DES and
weak keys issue in the ipsec-ikev2-algorithms document. To resolve
it, I propose the following changes for section 4.1.3:
- ENCR_DES_IV64 and ENCR_DES be listed as "SHOULD NOT"
- A sentence be added to the end of that section as a free-standing
paragraph that says: "Implementations that use algorithms with
variable-length keys SHOULD NOT use keys that are weaker than the
effective strength of ENCR_3DES."
If we do this, we can eliminate the definition of "SHOULD-", because
it was only used for the two DES algorithms.
--Paul Hoffman, Director