[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Suggested wording for weak key lengths in IKEv2

To: ipsec@lists.tislabs.com
Subject: Suggested wording for weak key lengths in IKEv2
From: Paul Hoffman / VPNC <paul.hoffman@vpnc.org>
Date: Thu, 26 Jun 2003 11:15:00 -0700
Sender: owner-ipsec@lists.tislabs.com

Greetings again. Now that the WG last call is finished , it seems 
like having proposed wording might help resolve some of the open 
issues on Angelos' issue list. (You all are watching 
<https://roundup.machshav.com/ipsec/index>, yes?)

The issue that has the most issue numbers is the deprecating DES and 
weak keys issue in the ipsec-ikev2-algorithms document. To resolve 
it, I propose the following changes for section 4.1.3:

- ENCR_DES_IV64 and ENCR_DES be listed as "SHOULD NOT"

- A sentence be added to the end of that section as a free-standing 
paragraph that says: "Implementations that use algorithms with 
variable-length keys SHOULD NOT use keys that are weaker than the 
effective strength of ENCR_3DES."

If we do this, we can eliminate the definition of "SHOULD-", because 
it was only used for the two DES algorithms.

--Paul Hoffman, Director
--VPN Consortium

Follow-Ups:
- Re: Suggested wording for weak key lengths in IKEv2
  - From: Henry Spencer <henry@spsystems.net>
- Re: Suggested wording for weak key lengths in IKEv2
  - From: Paul Koning <pkoning@equallogic.com>
- Re: Suggested wording for weak key lengths in IKEv2
  - From: Francis Dupont <Francis.Dupont@enst-bretagne.fr>

Prev by Date: Re: IKE negotiation for fragmentation controls in IPsec
Next by Date: Re: IKE negotiation for ICMP message type selectors
Prev by thread: Re: IKEv2 selectors for IPsec?
Next by thread: Re: Suggested wording for weak key lengths in IKEv2
Index(es):
- Date
- Thread