Re: [COSE] Secdir last call review of draft-ietf-cose-webauthn-algorithms-06

Linda Dunbar <linda.dunbar@futurewei.com> Thu, 28 May 2020 00:21 UTC

From: Linda Dunbar <linda.dunbar@futurewei.com>
To: "Matthew A. Miller" <linuxwolf+ietf@outer-planes.net>, "secdir@ietf.org" <secdir@ietf.org>
CC: "cose@ietf.org" <cose@ietf.org>, "draft-ietf-cose-webauthn-algorithms.all@ietf.org" <draft-ietf-cose-webauthn-algorithms.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/p8147dw2nmC9D6VsX9BLMMOWCfQ>

Matthew, 

That is what I was thinking. Can you add a sentence in Section 5.2 to say that this is for the collection of SHA-256, SHA-384, SHA-512 algorithms?
Otherwise, the two sections of the document don't match.

Thank you
Linda Dunbar

-----Original Message-----
From: Matthew A. Miller <linuxwolf+ietf@outer-planes.net> 
Sent: Wednesday, May 27, 2020 4:55 PM
To: Linda Dunbar <linda.dunbar@futurewei.com>; secdir@ietf.org
Cc: cose@ietf.org; draft-ietf-cose-webauthn-algorithms.all@ietf.org; last-call@ietf.org
Subject: Re: Secdir last call review of draft-ietf-cose-webauthn-algorithms-06

Hello Linda,

Thanks for the review.  Speaking on the author's behalf, SHA-2 is defined as the collection of hash algorithms, including all of those cited (SHA-256, SHA-384, SHA-512).  Do you believe it is critical to call this out explicitly?


- m&m

Matthew A. Miller

On 20/05/26 17:51, Linda Dunbar via Datatracker wrote:
> Reviewer: Linda Dunbar
> Review result: Not Ready
> 
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors. Document editors and WG chairs should treat
> these comments just like any other last call comments.
> 
> This document is to list down the COSE&JOSE Algorithms to be
> registered to IANA. But it seems the description is not complete. In
> the Section 2: among the 4 algorithms listed under RSASSA-PKCS1-v1_5,
> three are NOT recommended, one is deprecated. Under the Security
> Consideration (Section 5), Section 5.2 describes why SHA-2 is "Not
> Recommended", Section 5.3 describes why SHA-1 is "Deprecated".  What
> about the description on why SHA-512, SHA-384, and SHA-256 are not
> recommended?  Is the missing description intended?
> 
> Best Regards,
> 
> Linda Dunbar
> 
> 
>