IETF Logo Mail Archive

Re: [Anima] towards using of MUST-/SHOULD+/SHOULD- in draft-ietf-autonomic-control-plane-24

Russ Housley <housley@vigilsec.com> Fri, 26 June 2020 23:58 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D2D6F3A0D29 for <anima@ietfa.amsl.com>; Fri, 26 Jun 2020 16:58:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sfiL2b2M8Dqa for <anima@ietfa.amsl.com>; Fri, 26 Jun 2020 16:58:29 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 26A563A0D27 for <anima@ietf.org>; Fri, 26 Jun 2020 16:58:29 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id A63E1300B33 for <anima@ietf.org>; Fri, 26 Jun 2020 19:58:26 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id Xl2sUrF-VEud for <anima@ietf.org>; Fri, 26 Jun 2020 19:58:24 -0400 (EDT)
Received: from a860b60074bd.fios-router.home (pool-72-66-113-56.washdc.fios.verizon.net [72.66.113.56]) by mail.smeinc.net (Postfix) with ESMTPSA id F1CC6300A93; Fri, 26 Jun 2020 19:58:23 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <C26E1A95-D89E-43AE-A83F-AE0775897781@vigilsec.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_02CA01BA-1A25-4870-BBE0-2E93295B82B6"; protocol="application/pgp-signature"; micalg="pgp-sha1"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.14\))
Date: Fri, 26 Jun 2020 19:58:24 -0400
In-Reply-To: <14352.1593208951@localhost>
Cc: Toerless Eckert <tte@cs.fau.de>, anima@ietf.org, Ben Kaduk <kaduk@mit.edu>, IETF SAAG <saag@ietf.org>
To: Michael Richardson <mcr+ietf@sandelman.ca>
References: <20200624023407.GA41244@faui48f.informatik.uni-erlangen.de> <C71BDB46-A15A-48EC-BC4D-68CA9A7C1DFB@vigilsec.com> <14352.1593208951@localhost>
X-Mailer: Apple Mail (2.3445.104.14)
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/kRdwANFtowqKhlYlRNBJxyg6dBE>
Subject: Re: [Anima] towards using of MUST-/SHOULD+/SHOULD- in draft-ietf-autonomic-control-plane-24
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Jun 2020 23:58:31 -0000


> On Jun 26, 2020, at 6:02 PM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
> 
> 
> Russ Housley <housley@vigilsec.com> wrote:
>>> <t>ACP nodes MUST NOT support certificates with RSA public keys of
>>> less than 2048 bits. They MUST support certificates with RSA public keys
>>> with 2048 bits and SHOULD support longer RSA keys. ACP nodes MUST
>>> support certificates with ECC public keys using NIST P-256, P-384 and
>>> P-521 curves.</t>
>>> 
>>> <t>ACP nodes MUST support SHA-256, SHA-384, SHA-512 signatures for certificates with RSA key and the same RSA signatures plus ECDSA signatures for certificates with ECC key.</t>
>>> ---
>>> 
>>> I don't understand whether your note about the key length of the curves is an indication of missing text. When i first reviewed with Ben, i had to enter the curves because thats as specific as necessary AFAIK, but given how the key length is implied, i wouldn't understand why i would need to write those down. I don't remember that i have seen that being done either in other RFCs i read through.
>>> 
>>> In any case, specific text suggestions always welcome in case this text is not sufficient.
> 
>    russ> I was expecting you to make one of the curves MUST and the others
>    russ> SHOULD. Making all three curves MUST is okay with me, but it will
>    russ> increase implementation size.
> 
>    russ> Likewise, I was expecting you to make one of the hash functions
>    russ> MUST and the others SHOULD.
> 
> I tried to convince Toerless to go with the MUST-/SHOULD+/SHOULD- terminology from
> IPsecME's RFC8247.
> 
> It would be nice if SAAG lifted section 1.1 into a BCP14-like document, as I
> think that it has widespread applicability throughout documents that want to
> establish interoperable crypto.

IPsec ad S/MIME have been using MUST-/SHOULD+/SHOULD- terminology for a long time.  I'd be willing to help with a BCP14-like document for them.

Russ

v2.23.0 | Report a Bug | By Email