Re: [secdir] secdir review of draft-housley-suite-b-to-historic-04
Russ Housley <housley@vigilsec.com> Tue, 24 April 2018 15:48 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7290B12E8D1 for <secdir@ietfa.amsl.com>; Tue, 24 Apr 2018 08:48:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vD2Is-qUqZlg for <secdir@ietfa.amsl.com>; Tue, 24 Apr 2018 08:48:26 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A0F0A12E89A for <secdir@ietf.org>; Tue, 24 Apr 2018 08:48:26 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 7D1DA300455 for <secdir@ietf.org>; Tue, 24 Apr 2018 11:48:24 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id Rvwrnhwp60fl for <secdir@ietf.org>; Tue, 24 Apr 2018 11:48:23 -0400 (EDT)
Received: from a860b60074bd.home (pool-108-45-101-150.washdc.fios.verizon.net [108.45.101.150]) by mail.smeinc.net (Postfix) with ESMTPSA id E6575300435; Tue, 24 Apr 2018 11:48:22 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <ldv36zl5kjd.fsf@ubuntu-1gb-nyc1-01.localdomain>
Date: Tue, 24 Apr 2018 11:48:28 -0400
Cc: IESG <iesg@ietf.org>, IETF SecDir <secdir@ietf.org>, draft-housley-suite-b-to-historic.all@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <25AEF8D8-8B9A-431B-9903-92C9DD0C8FD2@vigilsec.com>
References: <ldv36zl5kjd.fsf@ubuntu-1gb-nyc1-01.localdomain>
To: Taylor Yu <tlyu@mit.edu>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/25MPWzMiaGKtJIxmCXsmsFlgu88>
Subject: Re: [secdir] secdir review of draft-housley-suite-b-to-historic-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Apr 2018 15:48:28 -0000
> On Apr 23, 2018, at 11:51 PM, Taylor Yu <tlyu@mit.edu> wrote: > > I have reviewed this document as part of the security directorate's > ongoing effort to review all IETF documents being processed by the > IESG. These comments were written primarily for the benefit of the > security area directors. Document editors and WG chairs should treat > these comments just like any other last call comments. > > The summary of the review is Ready with Nits. > > It's not clear to me whether there are any replacement specs for the > crypto suites being declared Historic. Are the remaining crypto suites > for these protocols of comparable strength and security properties? > > More concretely, Section 5 says: > > "5. Impact of Reclassifying the Suite-B-related RFCs to Historic > > No interoperability or security concerns are raised by reclassifing > the Suite-B-related RFCs to Historic Status." > > It would be helpful to have some explanation. For example, is it true > that none of the RFCs being moved to Historic Status is the sole > specification of an algorithm or an identifier for an algorithm that we > expect people to continue using? Yes, it is true that the conventions for using these algorithms are specified in other documents. The Suite B profile documents make reference to those other documents. Section 4.5 points to the one document that makes reference to one of the Suite B profile document as a citation for a ciphersuite. Both of these ciphersuites are defined in RFC 5289, which would have been a better reference. > Also there's a typo: "reclassifing" should be "reclassifying". Indeed. > Similarly, in Section 7: > > "7. Security Considerations > > The CNSA Suite includes algorithms using the larger key sizes that > are included in Suite B. There are no interoperability or security > concerns raised by reclassifying the Suite-B-related RFCs to Historic > Status." > > Will there be forthcoming specs for using CNSA Suite algorithms with > these protocols? There will be documents, but unlike the Suite B profiles, the IESG will not be asked to approve them as Informational RFCs. Russ
- [secdir] secdir review of draft-housley-suite-b-t… Taylor Yu
- Re: [secdir] secdir review of draft-housley-suite… Paul Wouters
- Re: [secdir] secdir review of draft-housley-suite… Russ Housley
- Re: [secdir] secdir review of draft-housley-suite… Russ Housley
- Re: [secdir] secdir review of draft-housley-suite… Paul Wouters