[secdir] secdir review of draft-ietf-ltans-dssc-08.txt
Sean Turner <turners@ieca.com> Tue, 09 June 2009 14:27 UTC
To: secdir <secdir@ietf.org>, draft-ietf-ltans-dscc@tools.ietf.org, ltans-chairs@tools.ietf.org

I have reviewed this document as part of the Security Directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the Security Area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

Doc: Data Structure for the Security Suitability of Cryptographic Algorithms (DSSC) <draft-ietf-ltans-dssc-08.txt>
Track: Proposed Standard
Summary: Ready except for some nits.

The first paragraph in Section 4 refers to RFC 3447 and FIPS 186-1 for RSA and DSA and further it goes on to say these algorithms can be combined with SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 and RIPEMD-160. I believe these are the wrong references for DSA (and the link doesn't work) and one of the RSA-SHA combos.

FIPS 186-1 only specifies SHA-1 for use with DSA and only for certain key sizes. I think this is more correct:

   For 512-bit DSA with SHA-1 see [FIPS186-2] without Change Notice 1, for 1024-bit DSA with SHA-1 see [FIPS186-2] with Change Notice 1, for 1024-bit and above DSA with SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 see [FIPS186-3].

I don't believe 512-bit DSA with SHA-224, SHA-256, SHA-384, and SHA-512 are defined. FIPS 186-2 with Change Notice 1 required key sizes be 1024-bit and FIPS 186-3 allowed key sizes from 1024-3072.

Where is DSA or RSA with RIPEMD-160 defined?

RFC 3447 doesn't specify RSA with SHA-224. Maybe pointing to RFC 4055 would be better?

spt