Re: [saag] NIST requests comments on using ISO/IEC 19790:2012 as the U.S. Federal Standard for cryptographic modules

Phil Lello <phil@dunlop-lello.uk> Sat, 15 August 2015 08:23 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/9yR8h3NXiZz_yyHl11xeVt2s8Q4>

I'm not in the US or trading with US companies, so presumably not affected,
but the paywall alone sounds like reasonable grounds to object to me - it
prevents reasonable review by people with no reason to buy the standard,
and presumably also creates a smaller pool of suppliers (since it will
eliminate those who don't buy the spec).

On Fri, Aug 14, 2015 at 10:14 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:

>
> Hiya,
>
> As an FYI, those of you who are interested in cryptographic
> module APIs would probably be interested in this. [1] (partly
> copied below.)
>
> I'm told the ISO spec is behind a paywall, but haven't gone
> to look and see if there's a version freely available, so
> it's hard to know what kind of change this might represent.
> If someone has more info on that it might be useful to
> share that here.
>
> Cheers,
> S.
>
> [1] http://csrc.nist.gov/news_events/#aug12
>
>
> -----------
>
> NIST requests comments on using ISO/IEC 19790:2012 as the U.S. Federal
> Standard for cryptographic modules
>
> NIST is seeking public comments on using International Organization for
> Standardization/International Electrotechnical Commission (ISO/IEC)
> standards for cryptographic algorithm and cryptographic module testing,
> conformance, and validation activities, currently specified by Federal
> Information Processing Standard (FIPS) 140-2. The National Technology
> Transfer and Advancement Act (NTTAA), Public Law 104-113, directs
> federal agencies to adopt voluntary consensus standards wherever
> possible. The responses to this request for information (RFI) will be
> used to plan possible changes to the FIPS or in a decision to use all or
> part of ISO/IEC 19790:2012, Security Requirements for Cryptographic
> Modules, for testing, conformance and validation of cryptographic
> algorithms and modules.
>
> The RFI posted in today’s Federal Register provides additional
> background information, including seven questions that NIST is
> especially interested in having addressed, as well as NIST’s intentions.
>
> Send public comments to: UseOfISO@nist.gov (also see the address for
> sending written comments)
>
> Comment period closes: September 28, 2015