Re: [saag] NIST requests comments on using ISO/IEC 19790:2012 as the U.S. Federal Standard for cryptographic modules

Richard Barnes <rlb@ipv.sx> Tue, 18 August 2015 13:47 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96EB91A8748 for <saag@ietfa.amsl.com>; Tue, 18 Aug 2015 06:47:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.978
X-Spam-Level:
X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9Ax_s1fbzCir for <saag@ietfa.amsl.com>; Tue, 18 Aug 2015 06:47:33 -0700 (PDT)
Received: from mail-vk0-f45.google.com (mail-vk0-f45.google.com [209.85.213.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 02D5F1A873A for <saag@ietf.org>; Tue, 18 Aug 2015 06:47:32 -0700 (PDT)
Received: by vkm66 with SMTP id 66so8823167vkm.1 for <saag@ietf.org>; Tue, 18 Aug 2015 06:47:32 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=IZiy8rV7o/rGtYAd7hrHYnkBeNJyNUxeUQp70lcJT4w=; b=iUmumwgrUYzoWpz/KyxCLu42e7Pgtic4zNFSaIN548TrPACWO2ok5aiN8w/fvUeAeB 8B70er4GwpJNQpZc4Iwn1QY0KtfFvr9w/9D0avZXShJoMsOEyNPX7wkd2zXjcF7cwQjk sA+Yn5gIZnkOIScfNiIwp8KzSOEsIu4ImXoeEfErdxC560wIv3BNPK9uiFaUKv2ctza+ xIteHaoG3iG8TcnQpBzTpAL7DSPRFsdmbnONa1K1eIuUGI2po6qIJ81mJRv7t43ldifI ScBkTLNU6CygIQiGD+q8hhuV28lzjmZbuYJ9VDnL+nHLrc1bl4jtMITjVGwVyUdZJyCQ Juhw==
X-Gm-Message-State: ALoCoQkMgpneCnBy8KgHkeYzBHqt1HspforNCg6WhpWtP+hJ+98aB68cLQUZZJUafCO/08XhXnAo
MIME-Version: 1.0
X-Received: by 10.52.69.241 with SMTP id h17mr8898942vdu.68.1439905652250; Tue, 18 Aug 2015 06:47:32 -0700 (PDT)
Received: by 10.31.164.207 with HTTP; Tue, 18 Aug 2015 06:47:32 -0700 (PDT)
In-Reply-To: <CAPofZaGf4U_7hccU-nMQ9QEuFnbJWa8Pemmzs=hxTec3vtH7rA@mail.gmail.com>
References: <55CE5A40.3090804@cs.tcd.ie> <CAPofZaGT__FmChCWNf=iMsyD4s7c1SpUus2Lm_6ubhA3ayfGqA@mail.gmail.com> <CAG-id0ZYG946xZQrsfrMqyQunLpg=ZeGGP8BcQRVtFE0s7b3DQ@mail.gmail.com> <55CF35B2.9020302@cs.tcd.ie> <CACz1E9rg8ZtHLCpZ8utBF67PTOiDKWTDGvepqL0SXL_0WR0=+g@mail.gmail.com> <97152.1439858222@eng-mail01.juniper.net> <CAPofZaGf4U_7hccU-nMQ9QEuFnbJWa8Pemmzs=hxTec3vtH7rA@mail.gmail.com>
Date: Tue, 18 Aug 2015 09:47:32 -0400
Message-ID: <CAL02cgTgFcjqtsqroy2LaLjNu8Ezzf_uSxXo3Po-3KfhdrHq=w@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Phil Lello <phil@dunlop-lello.uk>
Content-Type: text/plain; charset=UTF-8
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/5b5caKB2Oc8Jp5r3QfOnDy42hLY>
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] NIST requests comments on using ISO/IEC 19790:2012 as the U.S. Federal Standard for cryptographic modules
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Aug 2015 13:47:34 -0000

On Tue, Aug 18, 2015 at 5:33 AM, Phil Lello <phil@dunlop-lello.uk>; wrote:
> I'd just like to clarify that my objection to the paywall isn't about paying
> for the standard per-se, as it would be reasonable to pay a fee as an
> implementor (much like paying to access C++ standards to write a compiler).
> The objection is specifically about needing to pay to access the standard as
> part of a review process, as the fee is a barrier to broad evaluation.

Well, then let me explicitly disagree with this position.  The
standards that run the Internet need to be widely implemented, and
that means the specs need to be widely available.  As Russ observed,
the current FIPS standards are freely available, so moving to a
paywalled standard would be a major step backwards.  And a step
backwards for, AFAICT, no benefit.

I would also observe that "free for review, pay for implementation" is
not really a realistic position.  If anyone can download the spec for
review, then it will be out there on the Internet after it's
finalized.  Much like the C++ spec, in fact (see the links in
https://en.wikipedia.org/wiki/C%2B%2B).  And in practice that just
means that everyone will use the free "almost final" version, not the
paywalled "final" version.

--Richard


>
> Phil
>
> On Tue, Aug 18, 2015 at 1:37 AM, Mark D. Baushke <mdb@juniper.net>; wrote:
>>
>> It may be worth noting that NIST actually put the wrong edition of the
>> ISO/IEC standard in the Federal Register article... They intended to put
>> 19790:2012 instead.
>>
>> See also
>>
>>   http://csrc.nist.gov/groups/STM/cmvp/notices.html
>>
>>            -- Mark
>>
>> _______________________________________________
>> saag mailing list
>> saag@ietf.org
>> https://www.ietf.org/mailman/listinfo/saag
>
>
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
>