Re: [COSE] Secdir last call review of draft-ietf-cose-webauthn-algorithms-06

Mike Jones <Michael.Jones@microsoft.com> Wed, 03 June 2020 16:51 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Linda Dunbar <linda.dunbar@futurewei.com>, "Matthew A. Miller" <linuxwolf+ietf@outer-planes.net>, "secdir@ietf.org" <secdir@ietf.org>
CC: "cose@ietf.org" <cose@ietf.org>, "draft-ietf-cose-webauthn-algorithms.all@ietf.org" <draft-ietf-cose-webauthn-algorithms.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>
Date: Wed, 03 Jun 2020 16:51:34 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/W_iZgFl-MLRBpUaZqKSKIS-b7j0>

Thanks again for your review, Linda.  https://tools.ietf.org/html/draft-ietf-cose-webauthn-algorithms-07#section-5.2 adds the requested clarification that SHA-256, SHA-384, and SHA-512 are the SHA-2 hash functions.

				-- Mike

-----Original Message-----
From: Linda Dunbar <linda.dunbar@futurewei.com> 
Sent: Wednesday, May 27, 2020 5:22 PM
To: Matthew A. Miller <linuxwolf+ietf@outer-planes.net>; secdir@ietf.org
Cc: cose@ietf.org; draft-ietf-cose-webauthn-algorithms.all@ietf.org; last-call@ietf.org
Subject: [EXTERNAL] RE: Secdir last call review of draft-ietf-cose-webauthn-algorithms-06

Matthew, 

That is what I was thinking. Can you add a sentence in Section 5.2 to say that this is for the collection of SHA-256, SHA-384, SHA-512 algorithms?
Otherwise, the two sections of the document don't match.

Thank you
Linda Dunbar

-----Original Message-----
From: Matthew A. Miller <linuxwolf+ietf@outer-planes.net>
Sent: Wednesday, May 27, 2020 4:55 PM
To: Linda Dunbar <linda.dunbar@futurewei.com>; secdir@ietf.org
Cc: cose@ietf.org; draft-ietf-cose-webauthn-algorithms.all@ietf.org; last-call@ietf.org
Subject: Re: Secdir last call review of draft-ietf-cose-webauthn-algorithms-06

Hello Linda,

Thanks for the review.  Speaking on the author's behalf, SHA-2 is defined as the collection of hash algorithms, including all of those cited (SHA-256, SHA-384, SHA-512).  Do you believe it is critical to call this out explicitly?


- m&m

Matthew A. Miller
On 20/05/26 17:51, Linda Dunbar via Datatracker wrote:
> Reviewer: Linda Dunbar
> Review result: Not Ready
> 
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
> 
> This document is to list down the COSE & JOSE Algorithms to be
> registered to IANA. But it seems the description is not complete. In
> the Section 2: among the 4 algorithms listed under RSASSA-PKCS1-v1_5,
> three are NOT recommended, one is deprecated. Under the Security
> Consideration (Section 5), Section 5.2 describes why SHA-2 is "Not
> Recommended", Section 5.3 describes why SHA-1 is "Deprecated".  What
> about the description on why SHA-512, SHA-384, and SHA-256 are not
> recommended?  Is the missing description intended?
> 
> Best Regards,
> 
> Linda Dunbar