|Main Archive Page > Month Archives > ipsec archives|
At 9:46 AM +0200 10/21/09, Yoav Nir wrote:
>Content-Type: multipart/signed; micalg=sha1;
> boundary="Apple-Mail-15-778597419"; protocol="application/pkcs7-signature"
>A few lines above this section it already says "If the responder's policy allows it to accept the first selector of TSi and TSr, then the responder MUST narrow the traffic selectors to a subset that includes the initiator's first choices."
>So there is a MUST requirement to select the initiator's first choice (if possible), so I don't think the SHOULD and MAY are appropriate here. The way I read this section, it only clarifies what to do if the initiator traffic selector (first or not) is too broad. In that case, we shouldn't mention the initiator's choices.
Yeeps, good catch. That will teach me not to read above and below far enough.
Given this, maybe we need to close out this issue with no change, given the disagreement for other additions to the text.
--Paul Hoffman, Director