[Swan-dev] More confusion of options to clean up regarding phase1 and phase2 options

Paul Wouters paul at nohats.ca
Mon Apr 21 19:37:35 EEST 2014

On Mon, 21 Apr 2014, Matt Rogers wrote:

> Yep, I pushed an 'alg_info_alias' branch that has my idea for this, with
> some example aliasing, so give that a look when you get a chance.

Will do.

>> identify a (raw) EC key yet - then again, technically I don't think the
>> RFCs support raw EC keys yet because the draft did not get enough
>> traction at the working group.
> Ah, I was assuming that anything we would do with EC moving forward would be
> through NSS so the option would refer to the friendly name.

Well, look at raw RSA. It is referenced via CKAIDNSS in ipsec.secrets.
Note that we really want to obsolete all fiends in the raw RSA structure
except for CKAIDNSS, with the exception of those fields used to refer
to a key. For RSA we need "pubkey" (which is in there as a comment). I
don't know yet how/what we will need to use for EC pub keys.

friendly_names normally comes in via the PKCS#12 export, which is X.509
specific and does not apply to raw keys.


More information about the Swan-dev mailing list