IETF Logo Mail Archive

Re: [saag] Section 2.9: was Re: AD review of draft-iab-crypto-alg-agility-06

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Tue, 01 September 2015 21:24 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9CE211B34FF for <saag@ietfa.amsl.com>; Tue, 1 Sep 2015 14:24:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dgQDl5ha7GeO for <saag@ietfa.amsl.com>; Tue, 1 Sep 2015 14:24:10 -0700 (PDT)
Received: from mail-wi0-x235.google.com (mail-wi0-x235.google.com [IPv6:2a00:1450:400c:c05::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E5F711A92E9 for <saag@ietf.org>; Tue, 1 Sep 2015 14:24:09 -0700 (PDT)
Received: by wicfx3 with SMTP id fx3so25959465wic.0 for <saag@ietf.org>; Tue, 01 Sep 2015 14:24:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=HgfwKjvRkM8AMyWEq9eqWGKZr2dOERDI/EJMisE0xCw=; b=k+QPgDmym/AZK9kTEjFqh9Py3fomicA/z8CIlrJtGeTrtdnY3gCnGjv4oKvuEEXUyk aTWKgnD9sBPULbuhtFs0yLv0Ut3ic1opO73V6G5gPFo8clz/uGINPNX5iipD2SWhXWzi t1viS5uZ1dg/e4dJwugX8ce743Jc468WngclBHlt1JsZEVKss1zeB68HU2vcUMo0FJzZ NvTFHdf5WIicfoWnDWdvUzgbJoqAB8okGMEwsbGo1HNg/oaeVeNCQXSXMHpY+DvaTbvM 80gz/SNyPk1AtnLVEPJwKssGbsFoKftBGl0xrRcGLQdF7Nu+qepl5zjpfIYAlgbo93KJ u3gw==
MIME-Version: 1.0
X-Received: by 10.194.205.37 with SMTP id ld5mr39137386wjc.14.1441142648528; Tue, 01 Sep 2015 14:24:08 -0700 (PDT)
Received: by 10.28.157.84 with HTTP; Tue, 1 Sep 2015 14:24:08 -0700 (PDT)
In-Reply-To: <4F6E430F-61E7-46BA-9B4A-8E12156B62FA@vigilsec.com>
References: <CAHbuEH6w+O-TSA9SRP-9TrM+Hdh+vn7Me+tdJrFTNY_-Nbenug@mail.gmail.com> <20150901165526.GU9021@mournblade.imrryr.org> <4F6E430F-61E7-46BA-9B4A-8E12156B62FA@vigilsec.com>
Date: Tue, 01 Sep 2015 17:24:08 -0400
Message-ID: <CAHbuEH7ePaY4T5mwB9avTwo0=-JTSuu_6jrvj0jq5Ag6Es1cww@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
To: Russ Housley <housley@vigilsec.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/OQKUsHyvVrRdXM5xsmEPwGHEZAY>
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] Section 2.9: was Re: AD review of draft-iab-crypto-alg-agility-06
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Sep 2015 21:24:11 -0000

On Tue, Sep 1, 2015 at 4:58 PM, Russ Housley <housley@vigilsec.com> wrote:
> I'm trying to pull together the things that I have heard on this thread over the last week regarding Section 2.9.  I think I have captured them.  Please let me know if I missed something?
>
> 2.9.  Opportunistic Security
>
>    Despite the guidance in Section 2.4, opportunistic security [RFC7435]
>    also deserves consideration, especially at the time a protocol
>    implementation is deployed and configured.  Using algorithms that are
>    weak against advanced attackers but sufficient against others is one
>    way to make pervasive surveillance significantly more difficult.  As
>    a result, algorithms that would not be acceptable in many negotiated
>    situations are acceptable for opportunistic security when legacy
>    systems are in use for unauthenticated encrypted sessions as
>    discussed in Section 3 of [RFC7435] as long as their use does not
>    facilitate downgrade attacks.  Similarly, weaker algorithms and
>    shorter key sizes are also acceptable for opportunistic security with
>    the same constraints.  That said, the use of strong algorithms is
>    always preferable.

Your additional edits look good to me, thank you!
Kathleen

>
> Russ
>
>
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag



-- 

Best regards,
Kathleen

v2.23.0 | Report a Bug | By Email