Re: [saag] NIST requests comments on using ISO/IEC 19790:2012 as the U.S. Federal Standard for cryptographic modules

Stephen Farrell <stephen.farrell@cs.tcd.ie> Mon, 17 August 2015 22:43 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 048B01ACED9 for <saag@ietfa.amsl.com>; Mon, 17 Aug 2015 15:43:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.311
X-Spam-Level:
X-Spam-Status: No, score=-4.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1b7Pb_u5IWH9 for <saag@ietfa.amsl.com>; Mon, 17 Aug 2015 15:43:22 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 34F1C1ACEDA for <saag@ietf.org>; Mon, 17 Aug 2015 15:43:22 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 75D1CBEB5; Mon, 17 Aug 2015 23:43:20 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BBcgGXkDRbNf; Mon, 17 Aug 2015 23:43:17 +0100 (IST)
Received: from [10.87.48.73] (unknown [86.42.22.71]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id A3471BEA1; Mon, 17 Aug 2015 23:43:17 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1439851397; bh=vQR9WKNeH84wd0k0CxL5HKFJICATblAbccce9fwh57A=; h=Date:From:To:CC:Subject:References:In-Reply-To:From; b=Se9ZmMcmD4gpuaJk4pQtoKJrWNXt5iC+ame+5B+xXsiy+NwYB0rf2vjKb8Kv1QkEE gmexc3XCy/Fy8dwBq5nPBZfDoFgG6DsQR2ftqCvy4ZRY7OXvoCLGcqD/k2CV0FPkIg gHw9yfTXfABT1fSRc1UP4UvhtThYMM/ADhBjfcrM=
Message-ID: <55D26385.8050203@cs.tcd.ie>
Date: Mon, 17 Aug 2015 23:43:17 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.8.0
MIME-Version: 1.0
To: Russ Housley <housley@vigilsec.com>, Richard Barnes <rlb@ipv.sx>
References: <55CE5A40.3090804@cs.tcd.ie> <CAPofZaGT__FmChCWNf=iMsyD4s7c1SpUus2Lm_6ubhA3ayfGqA@mail.gmail.com> <CAG-id0ZYG946xZQrsfrMqyQunLpg=ZeGGP8BcQRVtFE0s7b3DQ@mail.gmail.com> <55CF35B2.9020302@cs.tcd.ie> <CACz1E9rg8ZtHLCpZ8utBF67PTOiDKWTDGvepqL0SXL_0WR0=+g@mail.gmail.com> <F2C87ED1-E00B-4B46-AF01-33FF4FD0A237@vigilsec.com> <CAL02cgQjM=gStDy-O1a4GXBFh=2Zur4br4Ea17XKW3_fEru1MA@mail.gmail.com> <75EDF4F6-A8E9-4423-ACD2-31671413EFBD@vigilsec.com>
In-Reply-To: <75EDF4F6-A8E9-4423-ACD2-31671413EFBD@vigilsec.com>
OpenPGP: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/UOTGLIOlJ8EpgfqMzA7ziwAytWc>
Cc: IETF SAAG <saag@ietf.org>
Subject: Re: [saag] NIST requests comments on using ISO/IEC 19790:2012 as the U.S. Federal Standard for cryptographic modules
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Aug 2015 22:43:25 -0000

Hiya,

On 17/08/15 23:31, Russ Housley wrote:
> I think it would be stronger if these comments went to NIST from the
> IETF Security Area Directors or the IESG.

Fair enough, I'm happy to chat with Kathleen and see how
best to process a statement if you or someone has time to
draft a bit of text. Or if nobody does I'll try get to it
next week if Kathleen doesn't beat me to it. (I at least
may need reminding - so please bug me if nothing appears
to happen a lot;-)

I don't think it'd be right for the IESG to send but I'm
happy to chat with the IESG and IAB to find a way to get
the message sent. (*)

Regardless of whose name is on the "From" line of the
message, I'd be happy if the text had been seen and not
found objectionable on this list. (If objections are
raised here we can figure out what to do about 'em.)
And of course, after some text has been crafted here it
might get tweaked by e.g. the IAB or someone but I'd
make sure they know that this list was involved in the
generation of the text and ask that they check any such
edits.

S.

(*) For the sensible amongst you who don't get involved in
IETF process stuff, the IAB are (amongst other things) the
foreign-office and might rightly be a bit irked if the IESG
(amongst other things, the home-office) started stepping on
that toe. Apologies for the .gov.uk terminology but I figure
the Irish analogues wouldn't be as well known:-)

> 
> Russ
> 
> 
> On Aug 17, 2015, at 4:33 PM, Richard Barnes wrote:
> 
>> On Mon, Aug 17, 2015 at 2:48 PM, Russ Housley
>> <housley@vigilsec.com>; wrote:
>>> It is not clear to me that the use of ISO/IEC 19790 offers any
>>> improvement for the people that make crypto modules or the people
>>> that purchase crypto modules.  The specification being behind a
>>> paywall means that fewer people will know what it says.  Since
>>> the existing FIPS documents are freely available online, this
>>> seems to me to be a move in the wrong direction.
>> 
>> +1, but presumably these comments should be going to some NIST
>> channel?
>> 
>>> 
>>> Russ
>>> 
>>> 
>>> On Aug 17, 2015, at 12:21 PM, William Whyte wrote:
>>> 
>>> In fairness, NIST explicitly call this out themselves at 
>>> https://www.federalregister.gov/articles/2015/08/12/2015-19743/government-use-of-standards-for-security-and-conformance-requirements-for-cryptographic-algorithm:
>>>
>>>
>>> 
NIST is also interested in feedback on the impacts of a potential U.S.
>>> Government requirement for use and conformance using a standard
>>> with a fee-based model where organizations must purchase copies
>>> of the ISO/IEC 19790:2014.
>>> 
>>> William
>>> 
>>> On Sat, Aug 15, 2015 at 8:50 AM, Stephen Farrell
>>> <stephen.farrell@cs.tcd.ie>; wrote:
>>>> 
>>>> 
>>>> 
>>>> On 15/08/15 12:24, David Lloyd-Jones wrote:
>>>>> What is it you have "heard," Stephen, that has given Phil
>>>>> this avalanche of "reason to object"?
>>>> 
>>>> I already said that I have been told that the ISO spec is
>>>> behind a paywall, that is all. And now I've said it twice:-)
>>>> 
>>>> Whether or not that's a deal for folks who've previously been 
>>>> willing to subject themselves to FIPS140 fun is a reasonable 
>>>> question. But it's also reasonable to point out that that is a
>>>> barrier to broad, open review.
>>>> 
>>>> And of course, if you care about any of this, then telling NIST
>>>> what you think is the correct action.
>>>> 
>>>> S.
>>> 
>>> 
>>> 
>>> _______________________________________________ saag mailing
>>> list saag@ietf.org https://www.ietf.org/mailman/listinfo/saag
>>> 
> 
> _______________________________________________ saag mailing list 
> saag@ietf.org https://www.ietf.org/mailman/listinfo/saag
> 
>