[anonsec] should IPsec policies be partially ordered?
Michael Richardson
mcr at sandelman.ca
Mon Mar 19 08:44:37 PDT 2007
Miika Komu wrote:
> On Mon, 19 Mar 2007, Rafael Coninck Teigão wrote:
>
>> I think having a file to configure BASIC, MEDIUM and HIGH strength
>> encryption would not only improve code/policy readability, but also
>> allow algorithm comparison, since we would already have a partial
>> ordering defined (and better yet, it would be defined at the
>> discretion of the administrator).
>
> The BASIC, MEDIUM and HIGH will be added for the next version of the draft.
There are two issues here, which are seperable:
1) should there be abstracted profiles instead of concrete protocols.
I claim that applications should never do:
if(cipher_algo == AES128) { /* trust user */ }
else { /* user is insecure */ }
http://www.sandelman.ca/SSW/ietf/ipsec/btns/ietf-btns-ipsec-apireq.html#anchor7
2) should there be a partial order.
These are two decisions. I would appreciate feedback on section 7 of the API requirements draft.
More information about the ANONSEC
mailing list