[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Suggested wording for weak key lengths in IKEv2

>>>>> "Paul" == Paul Hoffman </ VPNC <paul.hoffman@vpnc.org>> writes:

 Paul> The issue that has the most issue numbers is the deprecating
 Paul> DES and weak keys issue in the ipsec-ikev2-algorithms
 Paul> document. To resolve it, I propose the following changes for
 Paul> section 4.1.3:

 Paul> - ENCR_DES_IV64 and ENCR_DES be listed as "SHOULD NOT"


 Paul> - A sentence be added to the end of that section as a
 Paul> free-standing paragraph that says: "Implementations that use
 Paul> algorithms with variable-length keys SHOULD NOT use keys that
 Paul> are weaker than the effective strength of ENCR_3DES."

How about "... strength of ENCR_3DES (112 bits)."  Otherwise it might
cause confusion, because some will think that this rules out 128-bit
keys, which isn't the intent.