Re: [secdir] SECDIR Review of http://tools.ietf.org/html/draft-krishnan-nomcom-tools-01

Sean Turner <turners@ieca.com> Thu, 19 July 2012 10:58 UTC

Return-Path: <turners@ieca.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A5C321F86BB for <secdir@ietfa.amsl.com>; Thu, 19 Jul 2012 03:58:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.322
X-Spam-Level:
X-Spam-Status: No, score=-102.322 tagged_above=-999 required=5 tests=[AWL=-0.057, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KjkOGcwCs5aW for <secdir@ietfa.amsl.com>; Thu, 19 Jul 2012 03:58:53 -0700 (PDT)
Received: from gateway02.websitewelcome.com (gateway02.websitewelcome.com [69.56.184.20]) by ietfa.amsl.com (Postfix) with ESMTP id 5D7E921F86B7 for <secdir@ietf.org>; Thu, 19 Jul 2012 03:58:53 -0700 (PDT)
Received: by gateway02.websitewelcome.com (Postfix, from userid 5007) id EA591BB6A7F2F; Thu, 19 Jul 2012 05:59:46 -0500 (CDT)
Received: from gator1743.hostgator.com (gator1743.hostgator.com [184.173.253.227]) by gateway02.websitewelcome.com (Postfix) with ESMTP id BD7E0BB6A7F07 for <secdir@ietf.org>; Thu, 19 Jul 2012 05:59:46 -0500 (CDT)
Received: from [71.191.15.186] (port=43705 helo=thunderfish.local) by gator1743.hostgator.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.77) (envelope-from <turners@ieca.com>) id 1SroSP-0006dE-5U; Thu, 19 Jul 2012 05:59:45 -0500
Message-ID: <5007E8A0.1040805@ieca.com>
Date: Thu, 19 Jul 2012 06:59:44 -0400
From: Sean Turner <turners@ieca.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:14.0) Gecko/20120713 Thunderbird/14.0
MIME-Version: 1.0
To: "secdir@ietf.org" <secdir@ietf.org>
References: <CAMm+Lwi7W9CoNinCF+4jjygEHsph_nBmBfnbxiYR3yqZOQKFiA@mail.gmail.com> <4FEE4C12.6040208@ericsson.com>
In-Reply-To: <4FEE4C12.6040208@ericsson.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator1743.hostgator.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - ieca.com
X-BWhitelist: no
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: (thunderfish.local) [71.191.15.186]:43705
X-Source-Auth: sean.turner@ieca.com
X-Email-Count: 7
X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IxNzQzLmhvc3RnYXRvci5jb20=
Cc: Joel Halpern <joel.halpern@ericsson.com>, Suresh Krishnan <suresh.krishnan@ericsson.com>
Subject: Re: [secdir] SECDIR Review of http://tools.ietf.org/html/draft-krishnan-nomcom-tools-01
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Jul 2012 10:58:54 -0000

Any additional thoughts on the cipher suite?  I think RSA is probably 
the right alg.  2048-bit is the minimum key size.  And, I think we 
should eat our own dogfood and not use MD5/SHA-1 and instead use 
SHA-256.  How do others feel about this?

spt

On 6/29/12 8:45 PM, Suresh Krishnan wrote:
> Hi Phil,
>    Thanks for the review. Please find responses inline.
>
> On 06/27/2012 10:20 AM, Phillip Hallam-Baker wrote:
>> I have reviewed this document as part of the security directorate's
>> ongoing effort to review all IETF documents being processed by the
>> IESG.  These comments were written primarily for the benefit of the
>> security area directors. Document editors and WG chairs should treat
>> these comments just like any other last call comments.
>>
>>
>> Surprisingly for a non protocol draft, this one actually is almost
>> completely security requirements. Unfortunately I find it rather hard
>> to tell if the security architecture meets the security goals because
>> they are not separated from each other.
>>
>> I think the document should have a section stating the security goals
>> or reference another document that states them. Presumably these are
>> all derived from the Nomcom RFC.
>
> The goals are derived from RFC3777
>
> * Section 3 Rule 6
>
> "     All deliberations and supporting information that relates to
>        specific nominees, candidates, and confirmed candidates are
>        confidential."
>
> * Section 5 Rule 16
>
> "      The nominating committee should archive the information it has
>         collected or produced for a period of time not to exceed its
>         term.
>         ...
>         The implementation of the archive should make every reasonable
>         effort to ensure that the confidentiality of the information it
>         contains is maintained."
>
>
>>
>>
>> The document specifies creation of a public key but not the algorithm
>> or strength. Given that this is an RFP, I think it would be
>> appropriate to completely and uniquely specify the cipher suite to be
>> supported.
>
> As stated in the draft, the key is generated by the Nomcom chair out of
> band and not by the tool. In the example provided in Appendix A (based
> on what I actually did as chair), the key used is a RSA 2048-bit key.
> Since I am not even remotely close to a security expert :-), it would be
> great if you can provide suggestions to put in here for future Nomcom
> chairs.
>
> Thanks
> Suresh
> _______________________________________________
> secdir mailing list
> secdir@ietf.org
> https://www.ietf.org/mailman/listinfo/secdir
> wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview
>