Re: [secdir] SECDIR review of draft-turner-encryptedkeypackagecontenttype-01
Sean Turner <turners@ieca.com> Mon, 12 April 2010 18:16 UTC
Return-Path: <turners@ieca.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 66C913A6ABD for <secdir@core3.amsl.com>; Mon, 12 Apr 2010 11:16:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[AWL=0.503, BAYES_00=-2.599, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JDHzKiPRCH94 for <secdir@core3.amsl.com>; Mon, 12 Apr 2010 11:16:42 -0700 (PDT)
Received: from smtp115.biz.mail.re2.yahoo.com (smtp115.biz.mail.re2.yahoo.com [66.196.116.35]) by core3.amsl.com (Postfix) with SMTP id 760B43A6A95 for <secdir@ietf.org>; Mon, 12 Apr 2010 11:16:42 -0700 (PDT)
Received: (qmail 3280 invoked from network); 12 Apr 2010 18:16:37 -0000
Received: from thunderfish.local (turners@96.231.117.128 with plain) by smtp115.biz.mail.re2.yahoo.com with SMTP; 12 Apr 2010 11:16:37 -0700 PDT
X-Yahoo-SMTP: ZrP3VLSswBDL75pF8ymZHDSu9B.vcMfDPgLJ
X-YMail-OSG: h0DSU1AVM1nBMXCBxHdNCjiwGkdZU18qK2bFN.2u6g88o_KezUwS_nrqoID4dkyXtkw_XK9ivUJPYVNYgFzDvxU_bATpwisf4cW1Y4sYbZ0xLylsJF7cb5XwPucbEYI9wcWazDeQojMrqUk6ArA7e8WrmGFZvgSDB3dhQasqGH50WSPM2vReMAR.pMElSof0py5.74TTKSK6nCAIv.t97rZcBjuSPznwPcjyvORWlMwVWyEqm9mCZ5hiLvl2e_bVp_JLZIFZlc6u6jtXQWD6KmaXyWvUH.1prxbX1A6iOKntjTACXzIAXZk2D6TxdroR_EUDiCoxQqxmf.yi9H8069SvQJGVlPNUy4OJQN.PCBtOF9nu5cYIwnCUl7qskPIdcdNKEsQPCrbYWercZGHrMGiPjo6aS8jMF5LTedza7pztvCtY734v
X-Yahoo-Newman-Property: ymail-3
Message-ID: <4BC36385.4060506@ieca.com>
Date: Mon, 12 Apr 2010 14:16:37 -0400
From: Sean Turner <turners@ieca.com>
User-Agent: Thunderbird 2.0.0.24 (Macintosh/20100228)
MIME-Version: 1.0
To: Chris Lonvick <clonvick@cisco.com>
References: <Pine.GSO.4.63.1004101623250.26156@sjc-cde-011.cisco.com> <4BC35666.60300@ieca.com> <Pine.GSO.4.63.1004121035250.21469@sjc-cde-011.cisco.com>
In-Reply-To: <Pine.GSO.4.63.1004121035250.21469@sjc-cde-011.cisco.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: cwallace@cygnacom.com, draft-turner-encryptedkeypackagecontenttype-01.all@tools.ietf.org, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] SECDIR review of draft-turner-encryptedkeypackagecontenttype-01
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Apr 2010 18:16:43 -0000
Chris Lonvick wrote: > Hi Sean, > > All looks good. One comment in-line. > > On Mon, 12 Apr 2010, Sean Turner wrote: >> WRT the use of the unprotected attribute: The attribute is used to >> identify a key that was previously distributed. This kind of >> mechanism is used in EcnryptedData as well as in certificates (e.g., >> subject key and authority key identifiers). I looked for some wording >> from other RFCs that used this kind of mechanism that I could use in a >> security consideration. But, I couldn't find any. I'm thinking >> there's isn't any text because as long as people don't do something >> utterly stupid like use the actual key as the identifier there is no >> security consideration. > > You're on the same track as I was thinking, but I was thinking of > something VERY much more generic. From RFCs 2797 and 5273, > > Implementers of this protocol are strongly encouraged to consider > generally accepted principles of secure key management when > integrating this capability within an overall security architecture. > > (Which is a nice way of saying, "Don't be utterly stoopid!" :-) I'll add this to the beginning of the considerations. spt
- [secdir] SECDIR review of draft-turner-encryptedk… Chris Lonvick
- [secdir] SECDIR review of draft-turner-encryptedk… Chris Lonvick
- Re: [secdir] SECDIR review of draft-turner-encryp… Sean Turner
- Re: [secdir] SECDIR review of draft-turner-encryp… Chris Lonvick
- Re: [secdir] SECDIR review of draft-turner-encryp… Sean Turner