IKEv2 draft nits
1) AUTH IDs are allocated to the IANA for assignment, CERT IDs are not -
this is problematic because the two will generally go together and so
should be allocated together.
Sections 3.6 and 6 should be updated to show that CERT IDs are to be
allocated by the IANA.

2) A number of CERT IDs are allocated without corresponding
specifications being available. Either this should be noted and such
allocations marked as "reserved for ..." or, if no one uses them,
these reservations should be removed.
The existing AUTH IDs obviously do not apply to at least one
CERT ID ("Kerberos Token").
Presumably "Kerberos Token" means an AP-REQ for the initiator and an
AP-REP for the responders, followed by KRB-SAFE(auth octets)
exchanges as AUTH values - except that no such AUTH ID is allocated!
Is the "Kerberos Token" CERT used at all? If not, you may want to
remove it - otherwise this I-D could use some clarification wrt
"Kerberos Token."

3) Rather than allocate a CERT and AUTH ID to "Kerberos Token," if you
still would, it really would be better still to allocate a CERT and
AUTH ID to "GSS-API Token."

4) The text in section 2.15 describing the octets to be signed by the
AUTH payloads is rather, er, informal; if there's any way to make the
description more formal, please do so.

Cheers,
Nico