Re: [saag] NIST requests comments on using ISO/IEC 19790:2012 as the U.S. Federal Standard for cryptographic modules

Russ Housley <housley@vigilsec.com> Mon, 17 August 2015 22:32 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36C981ACECF for <saag@ietfa.amsl.com>; Mon, 17 Aug 2015 15:32:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.9
X-Spam-Level:
X-Spam-Status: No, score=-101.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EARTLKhH4uH0 for <saag@ietfa.amsl.com>; Mon, 17 Aug 2015 15:32:09 -0700 (PDT)
Received: from odin.smetech.net (x-bolt-wan.smeinc.net [209.135.219.146]) by ietfa.amsl.com (Postfix) with ESMTP id 950351ACECE for <saag@ietf.org>; Mon, 17 Aug 2015 15:32:09 -0700 (PDT)
Received: from localhost (unknown [209.135.209.5]) by odin.smetech.net (Postfix) with ESMTP id 30047F24136; Mon, 17 Aug 2015 18:31:59 -0400 (EDT)
X-Virus-Scanned: amavisd-new at smetech.net
Received: from odin.smetech.net ([209.135.209.4]) by localhost (ronin.smeinc.net [209.135.209.5]) (amavisd-new, port 10024) with ESMTP id 7QOtcRYIgqJt; Mon, 17 Aug 2015 18:30:41 -0400 (EDT)
Received: from [192.168.2.100] (pool-108-51-128-219.washdc.fios.verizon.net [108.51.128.219]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by odin.smetech.net (Postfix) with ESMTP id 5B906F24134; Mon, 17 Aug 2015 18:31:38 -0400 (EDT)
Mime-Version: 1.0 (Apple Message framework v1085)
Content-Type: text/plain; charset=us-ascii
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <CAL02cgQjM=gStDy-O1a4GXBFh=2Zur4br4Ea17XKW3_fEru1MA@mail.gmail.com>
Date: Mon, 17 Aug 2015 18:31:27 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <75EDF4F6-A8E9-4423-ACD2-31671413EFBD@vigilsec.com>
References: <55CE5A40.3090804@cs.tcd.ie> <CAPofZaGT__FmChCWNf=iMsyD4s7c1SpUus2Lm_6ubhA3ayfGqA@mail.gmail.com> <CAG-id0ZYG946xZQrsfrMqyQunLpg=ZeGGP8BcQRVtFE0s7b3DQ@mail.gmail.com> <55CF35B2.9020302@cs.tcd.ie> <CACz1E9rg8ZtHLCpZ8utBF67PTOiDKWTDGvepqL0SXL_0WR0=+g@mail.gmail.com> <F2C87ED1-E00B-4B46-AF01-33FF4FD0A237@vigilsec.com> <CAL02cgQjM=gStDy-O1a4GXBFh=2Zur4br4Ea17XKW3_fEru1MA@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
X-Mailer: Apple Mail (2.1085)
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/UOPXwoDj-7KGAdgQKjDBnO_3U5k>
Cc: IETF SAAG <saag@ietf.org>
Subject: Re: [saag] NIST requests comments on using ISO/IEC 19790:2012 as the U.S. Federal Standard for cryptographic modules
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Aug 2015 22:32:11 -0000

I think it would be stronger if these comments went to NIST from the IETF Security Area Directors or the IESG.

Russ


On Aug 17, 2015, at 4:33 PM, Richard Barnes wrote:

> On Mon, Aug 17, 2015 at 2:48 PM, Russ Housley <housley@vigilsec.com>; wrote:
>> It is not clear to me that the use of ISO/IEC 19790 offers any improvement
>> for the people that make crypto modules or the people that purchase crypto
>> modules.  The specification being behind a paywall means that fewer people
>> will know what it says.  Since the existing FIPS documents are freely
>> available online, this seems to me to be a move in the wrong direction.
> 
> +1, but presumably these comments should be going to some NIST channel?
> 
>> 
>> Russ
>> 
>> 
>> On Aug 17, 2015, at 12:21 PM, William Whyte wrote:
>> 
>> In fairness, NIST explicitly call this out themselves at
>> https://www.federalregister.gov/articles/2015/08/12/2015-19743/government-use-of-standards-for-security-and-conformance-requirements-for-cryptographic-algorithm:
>> 
>> NIST is also interested in feedback on the impacts of a potential U.S.
>> Government requirement for use and conformance using a standard with a
>> fee-based model where organizations must purchase copies of the ISO/IEC
>> 19790:2014.
>> 
>> William
>> 
>> On Sat, Aug 15, 2015 at 8:50 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie>;
>> wrote:
>>> 
>>> 
>>> 
>>> On 15/08/15 12:24, David Lloyd-Jones wrote:
>>>> What is it you have "heard," Stephen, that has given Phil this avalanche
>>>> of
>>>> "reason to object"?
>>> 
>>> I already said that I have been told that the ISO spec is behind
>>> a paywall, that is all. And now I've said it twice:-)
>>> 
>>> Whether or not that's a deal for folks who've previously been
>>> willing to subject themselves to FIPS140 fun is a reasonable
>>> question. But it's also reasonable to point out that that is
>>> a barrier to broad, open review.
>>> 
>>> And of course, if you care about any of this, then telling
>>> NIST what you think is the correct action.
>>> 
>>> S.
>> 
>> 
>> 
>> _______________________________________________
>> saag mailing list
>> saag@ietf.org
>> https://www.ietf.org/mailman/listinfo/saag
>>