Re: [saag] NIST requests comments on using ISO/IEC 19790:2012 as the U.S. Federal Standard for cryptographic modules

William Whyte <wwhyte@securityinnovation.com> Mon, 17 August 2015 16:21 UTC

Return-Path: <wwhyte@securityinnovation.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0EAE41ACE17 for <saag@ietfa.amsl.com>; Mon, 17 Aug 2015 09:21:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.378
X-Spam-Level:
X-Spam-Status: No, score=-1.378 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3fZqWjShhpAk for <saag@ietfa.amsl.com>; Mon, 17 Aug 2015 09:21:40 -0700 (PDT)
Received: from mail-qk0-x22b.google.com (mail-qk0-x22b.google.com [IPv6:2607:f8b0:400d:c09::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D6D571A8925 for <saag@ietf.org>; Mon, 17 Aug 2015 09:21:39 -0700 (PDT)
Received: by qkcs67 with SMTP id s67so48374405qkc.1 for <saag@ietf.org>; Mon, 17 Aug 2015 09:21:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=securityinnovation.com; s=google; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=pjB/jZR1VdBJ0xD1iQ/CYm9Y22aPJXzWl64uMeTRCSo=; b=Vagi7wXBJRi9x018RHGUCrk5mqZoUjfgwEQOutMWvMMFhwFhSzgOq4uoQ/0kDQnRoq GimhTHncr8kOtuwlGtnBDLA6rJRrfUwCNbU/Gq3y9JY+agmO04QHL/x5WJ/+J0Iq8vTP OYGJyKw/zf30O9Txse2p/6F8SgH/k9py/gw2w=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=pjB/jZR1VdBJ0xD1iQ/CYm9Y22aPJXzWl64uMeTRCSo=; b=RL39gr/nCZEM1RiEg296aKIw4jTULz7IbnIKNcpBjcoPBRSppF9tI1YoEwC29ayMFf gio2lZfDVqyRtr2JXbCgbvdoEIWzLw/Y3TIGfHjM3vqeD1opQxuvVypF03c2ym8guszR uaNGKsbnBFq58/VjZ/PVgTNuFETxA2V5h1looVzZTg6MFaBs9jYr1fh1EbhbM82ZhEKP Tx2FjrNRwv3axCfOR/bYVau4NARjMLYHyz1RxChc4nL8Crjxpb68IdTdUIREz43TOilw mQc8BA91jz67DS0xVqj/h/V7kdO2whSNHWmCMdJInfVLSn2VgD8mch623h6b6SAEClHC 3XOA==
X-Gm-Message-State: ALoCoQng2jKH1l5O9qbsqchzXcTF2Kb6OIZnGD71SVEED1T80Gc23g6fo0R3SnknjZqo42uwtgzb
MIME-Version: 1.0
X-Received: by 10.55.209.157 with SMTP id o29mr3947926qkl.34.1439828499136; Mon, 17 Aug 2015 09:21:39 -0700 (PDT)
Received: by 10.96.238.1 with HTTP; Mon, 17 Aug 2015 09:21:39 -0700 (PDT)
In-Reply-To: <55CF35B2.9020302@cs.tcd.ie>
References: <55CE5A40.3090804@cs.tcd.ie> <CAPofZaGT__FmChCWNf=iMsyD4s7c1SpUus2Lm_6ubhA3ayfGqA@mail.gmail.com> <CAG-id0ZYG946xZQrsfrMqyQunLpg=ZeGGP8BcQRVtFE0s7b3DQ@mail.gmail.com> <55CF35B2.9020302@cs.tcd.ie>
Date: Mon, 17 Aug 2015 12:21:39 -0400
Message-ID: <CACz1E9rg8ZtHLCpZ8utBF67PTOiDKWTDGvepqL0SXL_0WR0=+g@mail.gmail.com>
From: William Whyte <wwhyte@securityinnovation.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: multipart/alternative; boundary=001a11479fe63aa35f051d8432ae
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/3cKMP4mq2fCf4FOZwuXBuCKPSDI>
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] NIST requests comments on using ISO/IEC 19790:2012 as the U.S. Federal Standard for cryptographic modules
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Aug 2015 16:21:45 -0000

In fairness, NIST explicitly call this out themselves at
https://www.federalregister.gov/articles/2015/08/12/2015-19743/government-use-of-standards-for-security-and-conformance-requirements-for-cryptographic-algorithm
:

 NIST is also interested in feedback on the impacts of a potential U.S.
Government requirement for use and conformance using a standard with a
fee-based model where organizations must purchase copies of the ISO/IEC
19790:2014.

William

On Sat, Aug 15, 2015 at 8:50 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie>;
wrote:

>
>
> On 15/08/15 12:24, David Lloyd-Jones wrote:
> > What is it you have "heard," Stephen, that has given Phil this avalanche
> of
> > "reason to object"?
>
> I already said that I have been told that the ISO spec is behind
> a paywall, that is all. And now I've said it twice:-)
>
> Whether or not that's a deal for folks who've previously been
> willing to subject themselves to FIPS140 fun is a reasonable
> question. But it's also reasonable to point out that that is
> a barrier to broad, open review.
>
> And of course, if you care about any of this, then telling
> NIST what you think is the correct action.
>
> S.
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
>