Re: [Curdle] Some work for the group

"Dang, Quynh (Fed)" <quynh.dang@nist.gov> Fri, 09 December 2016 13:46 UTC

To: "rsalz@akamai.com" <rsalz@akamai.com>, "curdle@ietf.org" <curdle@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/33TYkQclIjUhrEG2OMErjpTI7SA>

Hi Rich and all,

From: Curdle <curdle-bounces@ietf.org> on behalf of "Salz, Rich" <rsalz@akamai.com>
Date: Thursday, December 8, 2016 at 7:23 PM
To: "curdle@ietf.org" <curdle@ietf.org>
Subject: [Curdle] Some work for the group

Hi there!

We are looking for feedback on the following items, my memory spurred by the draft minutes found here:  https://datatracker.ietf.org/doc/minutes-97-curdle/

Please review the minutes by the end of the month.  Speak up on the list if anything's wrong.  Thanks to Ben Kaduk for taking them.

Has anyone (besides Kyle Rose) reviewed curdle-rsa-sha2 ?  Are we ready for WGLC?  Please respond within a week.

The text in draft-ietf-curdle-pkix says CAs MUST NOT use pre-hash version of signatures.  Does anyone object to this?  There is a mention of the trade-offs in doing that at the end of section 5.  Please respond within a week.

There are no security issues with the pre-hash option. One more hash does not create any performance issues for the current protocols.  In addition, the pre-hash option provides the need for long messages as we know: one example is the long CRLs on small devices as pointed out on Jim's slides.

If I had to choose one algorithm which works well for all situations, I would choose the pre-hash option.

We already know that there are situations where people are going to use the pre-hash option and there are no security issues with it, but we say "MUST NOT use it", which is odd to me.

Therefore, the "MUST NOT" requirement for the pre-hash option is not appropriate in my opinion.



curdle-ssh-ext-info, curdle-ssh-kex-sha2, curdle-ssh-modp-dh-sha2
Has anyone read these?  Will one or more people commit to doing so within a week?  (Commit, not actually read)

Contexts - has anyone got a use for signature contexts? See the minutes.  If you're opposed to the (slight) consensus, speak up.

Thanks.

--
Senior Architect, Akamai Technologies
Member, OpenSSL Dev Team
IM: richsalz@jabber.at Twitter: RichSalz