
Re: speaking of keys




On Thursday, December 12, 2002, at 06:25 PM, Bob Doud wrote:

> Excellent suggestion.  I agree.
>
> Bob

So do I.  Require support for 1024, 1536, and 2048.  And forbid 
anything less than 1024.  This gives us maximal interoperability and 
good security when you want to pay the price.

Derrell

> Paul Hoffman / VPNC writes:
>>
>> Whatever we put for MUST will be the default for the UIs. Over half
>> of the VPN boxes in our interop lab, all of which shipped this year,
>> default to DES and MD5, not because any of the manufacturers think
>> those are good ideas, but because those are the MUSTs in IKEv1.
>>
>> If we pick too big of a single MUST, we will make IKEv2 look slow.
>>
>> It sounds like most people who want a large value for MUST mean that
>> they want to guarantee that large values can be used interoperably by
>> people who can afford the CPU and/or accelerator time. To do that, we
>> could say "MUST support key sizes of 1024, 1536, and 2048." That gets
>> us the guarantee of interop, and forces the manufacturers to actually
>> think about what they want their default values to be.
>>
>> --Paul Hoffman, Director
>> --VPN Consortium
>>