[CFRG] Re: I-D Action: draft-irtf-cfrg-rsa-guidance-09.txt

Michael StJohns <msj@nthpermutation.com> Fri, 03 July 2026 19:51 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: cfrg@mail2.ietf.org
Delivered-To: cfrg@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 4930210E05FBF for <cfrg@mail2.ietf.org>; Fri, 3 Jul 2026 12:51:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1783108269; bh=JjtUvU72ov9Ph+eTTnGU4HCEwjhTc5v5XCENM+IlpnM=; h=Date:Subject:To:Cc:References:From:In-Reply-To; b=AfiHeg08skJTxbrTaHnijhyW71/51tNVW8VHHu/gWbOflBuw2zdWVhPz/h4qczuKa BxRThQNjpabrDS7tX2WfjRlG0oPdICOdW7qLsIYz32Q0AltGfrA1XCDpVb5ZofzMlh FulwyDMzS3U3vumYkK0vJNWIpAZz/XzXrIDnXM4s=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=nthpermutation-com.20251104.gappssmtp.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CodCwcclnw7H for <cfrg@mail2.ietf.org>; Fri, 3 Jul 2026 12:51:08 -0700 (PDT)
Received: from mail-qk1-x733.google.com (mail-qk1-x733.google.com [IPv6:2607:f8b0:4864:20::733]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 8621310E05DDA for <cfrg@irtf.org>; Fri, 3 Jul 2026 12:50:52 -0700 (PDT)
Received: by mail-qk1-x733.google.com with SMTP id af79cd13be357-92e5c92c389so41347485a.3 for <cfrg@irtf.org>; Fri, 03 Jul 2026 12:50:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nthpermutation-com.20251104.gappssmtp.com; s=20251104; t=1783108252; x=1783713052; darn=irtf.org; h=content-transfer-encoding:in-reply-to:autocrypt:from :content-language:references:cc:to:subject:user-agent:mime-version :date:message-id:from:to:cc:subject:date:message-id:reply-to; bh=yheRKrhBkPun2PiW5MP6Sw43DxPYgvJIbBfWVUAcu0A=; b=P78nqeS2DTm87jUZVxKx+SdwqIMwQBDCPefB41OCGUcEaUr42AH8Jh/P7+bo+F+K2a 649g+Y0CFBOh+avTcZ83cWfGV0eU5BI9px21JOCe/GcpWf+Na3PmIPTQHfZq6pNOloYD YpVGpR86cxGsEMr1NLPrYGwkTDQdwxrCOPr/isRzKB7XhdOyoLCAermrzFfNHHxdY3RI w5QKGz9yGIKj1AOtX71D0hIeuYnm9oXvCZu2sA9D5UYrLvwft926uwBiTE6LhSYlQSja B5YG/GN5OFSBgb9Big1Y15cigpFcuh6SIO4VIh0rJViulY5RLGyxSRD/mQXCXlOcu7ay X9xQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1783108252; x=1783713052; h=content-transfer-encoding:in-reply-to:autocrypt:from :content-language:references:cc:to:subject:user-agent:mime-version :date:message-id:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=yheRKrhBkPun2PiW5MP6Sw43DxPYgvJIbBfWVUAcu0A=; b=aJAd8X4yZ7Y7f71889pgiLwjcOpw6EP5Q60V2yLBjODEz56bIpMSJn9zFZxTBJuvpy GaxnRtFExlIovfbHEdF2D1SrHW5w8sJInahAiP/nHTErivhobsROE0GKlnrsU6DN9L9R 0hHFFU8Ix9mqP8ojDbUd0YHpxrsrJ9VT/M/lw2linauJZUbjf+8uSQBEUag7CuIYJk5r 8Bl5qK7D3mIeejs8pP4avIZusJa2ZSwmBc+PEehzON1rP/lzL0IB9DhBD/AAk12VgJzh jU1sKAXLp6bZm/LbuzSiUTp6I4F+kOA7JYzn7mdJOIRKxd5iGgqUqXRHwXkWznk34GKG ZqJw==
X-Gm-Message-State: AOJu0YybGcr7mqyRss/4Y8zIdu8C/690oWf+WtO22c48/4ENIchAlA3f OgGE9N2mi1hcLCrnVMn18AVCh1losRReACi5jpzWuvnufgTqokc60Vcb5hLwpSDmK/BA3Zh4ZwB UImBuqnM=
X-Gm-Gg: AfdE7clo1exmfI0EDA78yDUggWzz+iXLhAjCLOmNqgqHPoWP5f4OtEDZduKsuTwEb7Z tlqchbAeBZ48amE+R7Q725VriKTnK7F9GM/vNuIE9wFVT42GTUsZU9Q0cJFD3p5XZBbx999x8SP 8pEuDs1cgtJKG0Ayxgv0Lw0e1GrCXfQGVFIdDEsZzEUnPlYHegpp8U33CqWAZ7WGITkNoajyWYX oSixWH3zdz+aP5cPiOkDqEhWIC2mw1PAy1zBTBiPVGci2uPmOTpdVqqOV/X8qy+HjJgGdS0bYH1 uRi+bdsx+fMM7lCV4J/+HewPtlPskZ06mt2eGsTzriu2f1dlL3mXhIVMfO4u3rjXfTR5NbAf2eq 3vNTMo3EXWv96FgLVs9rnSGFvf3UfJAz//ol6nn1ZHxOWR525Y9pzAMad30LXl/NEZ5cCiAXIMA 8Zhx2bX6BI/Kb906xHt/Jkwes4CpaUHA27Xd7o66aMa0kekmukaHT8c5eL86IaKtA=
X-Received: by 2002:a05:622a:58d:b0:51a:8c97:937c with SMTP id d75a77b69052e-51c4c34df10mr13569181cf.68.1783108251934; Fri, 03 Jul 2026 12:50:51 -0700 (PDT)
Received: from [192.168.1.21] (pool-108-31-82-55.washdc.fios.verizon.net. [108.31.82.55]) by smtp.gmail.com with ESMTPSA id 6a1803df08f44-8f46e371f44sm66334316d6.2.2026.07.03.12.50.50 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 03 Jul 2026 12:50:51 -0700 (PDT)
Message-ID: <b121890b-0dbf-4a17-b0f5-1c480f0d1c3a@nthpermutation.com>
Date: Fri, 03 Jul 2026 15:50:50 -0400
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Alicja Kario <hkario@redhat.com>
References: <178249028053.1700343.17333027857089927144@dt-datatracker-f9b87776f-xzl65> <9600be9b-5a3d-4fca-ad34-810ee38decd8@redhat.com> <f3833237-1c74-4679-a989-1ddc59d908d8@nthpermutation.com> <d1f76682-1563-4789-b72a-d160d0001a07@redhat.com> <0e33bb0f-1907-4e90-be82-b4b7c82f730f@nthpermutation.com> <3eb216ed-7df6-495a-873d-afd53cad6b77@redhat.com>
Content-Language: en-US
From: Michael StJohns <msj@nthpermutation.com>
Autocrypt: addr=msj@nthpermutation.com; keydata= xlMEaYFkXhMJKyQDAwIIAQEHAgMEOdOOntc+rmV7lEMu7/N40GZj92v3Adfmv2aM5c+d8E8O JkeckP4/VEuGbS1X9f8eMQXlZ1HP+5wXd0MEXgP9ks03TWljaGFlbCBTdEpvaG5zIChLZXkg Zm9yIHRvZGQpIDxtc2pAbnRocGVybXV0YXRpb24uY29tPsKTBBMTCAA7FiEEZa5rMVt/UsI1 H75faOOlrKh630kFAmmBZF4CGwMFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQaOOl rKh630lP4wEAoV3d9ShCq/OW/uVaVolebc2vzqMyzxYb5cWTq7H0F0wBAJe+PhUWULDMpwIY 8QyRKcUk0M3ESCBrn6YNw1gfhQQtzlcEaYFkXhIJKyQDAwIIAQEHAgMEnFdeZEzyxCp87sqf v8PyE9E2UJpY2spRMmp8YGg2pSwW0ExAJd/ucqn7BVJJuwKI+ZsFnya2yMneNrFC9ZRpJAMB CAfCeAQYEwgAIBYhBGWuazFbf1LCNR++X2jjpayoet9JBQJpgWReAhsMAAoJEGjjpayoet9J ifwBAJOUOlX+49Si1O7xkQpsdWud7YBmWkV7jWBqXQhU1vxlAQCSQCT4g9hwV2bHDrT3UJ2Y k6wVu0KD6I/E/t6hrdcRcg==
In-Reply-To: <3eb216ed-7df6-495a-873d-afd53cad6b77@redhat.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Antivirus: Norton (VPS 260703-12, 7/3/2026), Outbound message
X-Antivirus-Status: Clean
Message-ID-Hash: EQ3NSDLCU6QQFSUY6ORHFNMUEIEWMUXL
X-Message-ID-Hash: EQ3NSDLCU6QQFSUY6ORHFNMUEIEWMUXL
X-MailFrom: msj@nthpermutation.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-cfrg.irtf.org-0; header-match-cfrg.irtf.org-1; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: cfrg@irtf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [CFRG] Re: I-D Action: draft-irtf-cfrg-rsa-guidance-09.txt
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/IuB2yYtmcHx3-i78ZLxcmsQPelk>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Owner: <mailto:cfrg-owner@irtf.org>
List-Post: <mailto:cfrg@irtf.org>
List-Subscribe: <mailto:cfrg-join@irtf.org>
List-Unsubscribe: <mailto:cfrg-leave@irtf.org>

Hi -

See my comments at the repo.  Nits which you can fix or not.   Thanks 
for the changes.

Mike


On 7/2/2026 12:37, Alicja Kario wrote:
> On Monday, 29 June 2026 21:09:27 CEST, Michael StJohns wrote:
>> Hi Alicja - inline.
>>
>> On 6/29/2026 14:40, Alicja Kario wrote:
>>> On Friday, 26 June 2026 20:43:22 CEST, Michael StJohns wrote:
>>>>
>>>> Section 6 - somewhat inconsistent use of SHOULD/should and 
>>>> MUST/must - suggest a pass to review.  AIRC, the use of BCP14 
>>>> language is disfavored in non-standards.  At most what this 
>>>> document is doing is making suggestions for the implementer (who 
>>>> may or may not have other requirements to meet) rather than 
>>>> imposing requirements, so lower-casing all of these and removing 
>>>> section 3 may be appropriate.
>>>
>>> I would say that the MUST in 5th paragraph of Section 5:
>>> "...the algorithm MUST be implemented as stated..." is necessary,
>>> so I'm strongly opposed to dropping BDP14 language in entirety.
>>>
>>> Fair point on the inconsistent use though. Will try to address it 
>>> tomorrow.
>>
>> -09 that language seems to be in section 7 para 5. - same thing? By 
>> the way *which* algorithm are you referring to here as "the 
>> algorithm"?  OAEP, PKCS1v1.5, general RSA, implicit rejection?
>
> Implicit rejection. I'd say it's clear in the wider context...
>
>> *bleah*  Things like CFRG documents with BCP language are reasons I 
>> wish that the CFRG were either a WG or co-chartered as a WG.
>>
>> Have you considered asking the SEC ADs to sponsor and authorize 
>> publication of this as a BCP on the IETF side?
>
> I'd rather not... It's been a draft for almost 3 years at this point,
> I just want it published...
>
>>>
>>>> Section 6 - power based  side channels attacks aren't mentioned in 
>>>> this section at all, and there may be design tradeoffs between 
>>>> memory, power, processing etc.  A paragraph (e.g. more than a 
>>>> throwaway note in section 5 and in section 9.1) indicating the 
>>>> limitations of this discussion with respect to other side channels 
>>>> not fully discussed/developed here may be appropriate.
>>>>
>>>> General - I see not a single mention of existing testing regimes, 
>>>> and what they miss/might miss without these improvements.  And a 
>>>> few brief notes on how effective these mitigation techniques might 
>>>> be against machine-learning based SCA might also be useful.
>>>
>>> I'll answer both of those paragraphs together.
>>>
>>> The big issue is that it depends on multiple things:
>>> - the leakage of the hardware in question
>>> - assumed capabilities of the attacker
>>> - no "gold standard" for side-channel analysis the same way we have for
>>>   timing
>>>
>>> <stuff deleted - just to make this more readable>
>>
>> I think I agree with all of what you wrote here.  What I was looking 
>> for though was simply a hint to the reader that other considerations 
>> may apply and that techniques such as DPA may require mitigations 
>> past what the document provides.  On the testing side... yeah.. its 
>> hard.  Maybe being up front that even these techniques might not 
>> mitigate testing flaws.
>>
>> The last one - Machine Learning SCAs... always useful to mention the 
>> attack/defense arms race and to exhort the implementers to not become 
>> complacent.
>
> Included both changes in the 
> https://github.com/tomato42/marvin-ietf/pull/11