Re: Suggested wording for weak key lengths in IKEv2
>>>>> "Paul" == Paul Hoffman / VPNC <paul.hoffman@vpnc.org> writes:
Paul> The issue that has the most issue numbers is the deprecating
Paul> DES and weak keys issue in the ipsec-ikev2-algorithms
Paul> document. To resolve it, I propose the following changes for
Paul> section 4.1.3:
Paul> - ENCR_DES_IV64 and ENCR_DES be listed as "SHOULD NOT"
Great.
Paul> - A sentence be added to the end of that section as a
Paul> free-standing paragraph that says: "Implementations that use
Paul> algorithms with variable-length keys SHOULD NOT use keys that
Paul> are weaker than the effective strength of ENCR_3DES."
How about "... strength of ENCR_3DES (112 bits)." Otherwise it might
cause confusion, because some will think that this rules out 128-bit
keys, which isn't the intent.
paul