Re: [secdir] secdir review of draft-turner-asymmetrickeyformat-algs-01

Sean Turner <> Thu, 22 April 2010 13:57 UTC

Scott wrote:
> I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.
> This document describes conventions for crypto algorithms for use with a companion document ( which is intended to replace RFC 5208.
> I couldn't give this review the amount of time I would have liked to, but I hope my comments are useful nonetheless.
> In section 2, it says that the de facto standard for PrivateKeyInfo encryption is Password Based Encryption using either PKCS5 or PKCS12, and that the major difference between these is the password encoding. I was surprised that no mention was made of the more robust crypto algorithms supported by PKCS12, which seems like an important consideration for this application.
> Also, I was confused as to whether the draft is mixing the documentation of current practices with some recommendations, or whether it intends to specify a required usage profile. If the latter, it seems reasonable to ask why deprecated algorithms are included. If the former, maybe the document could do a better job of making this intention clear, and of demarcating which is which.

I revisited section 2 and agree.  It's not clear what the actual MUST
algorithms are.  It's waxing poetic about PBES1.  I double-checked RFC 2898
and it recommends PBES2 be used in new applications, of which I think this
is one.  Further, someone noted that the sip-certs ID
( wants to use a
PBES2 algorithm.  I'll work on the wording to make it clear what the
requirement is (follow what sip-certs wanted), delete the tutorial about
PBES1, and follow the recommendation from RFC 2898.

Tim's worked up an RFC editor's note to incorporate this change.

> The only other nit I had was that no mention is made of the implications of wrapping various asymmetric key sizes with potentially weaker symmetric keys/algorithms, but the security considerations section references a mighty list of related RFCs, at least one of which discusses this (RFC 5649), so maybe that is good enough.

That is exactly why I included the reference to RFC 5649.

> --Scott
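The two points in this exchange (PBES1 versus PBES2 for PrivateKeyInfo encryption, and whether the symmetric wrap is weaker than the asymmetric key it protects) are easy to check on a real file. The script below is an added example written for this archive page; it is not code from the draft, from sip-certs, or from either correspondent. It walks the DER of a PKCS#8 EncryptedPrivateKeyInfo with a stdlib-only parser, reports which password-based scheme the AlgorithmIdentifier names (PBES2, one of the RFC 2898 PBES1 OIDs, or a PKCS#12 PBE OID), and for PBES2 extracts the KDF, PRF, iteration count and cipher. The OID tables come from RFC 2898/8018, PKCS#12 and the NIST AES CSOR registry; the `wrapping_adequate` helper and its security-strength inputs (RSA-2048 at 112 bits, RSA-3072 and P-256 at 128 bits, after NIST SP 800-57 Part 1) are this example's own illustration of the "weaker symmetric key" concern, not text from the draft. The two sample inputs are constructed in the block with the small DER encoder it contains; their encryptedData is filler, not key material.

```python
"""Classify the password-based scheme of a PKCS#8 EncryptedPrivateKeyInfo.
Stdlib only; runs on the DER written by `openssl pkcs8 -topk8 -outform DER`.
Sample inputs at the bottom are constructed here (encryptedData is filler)."""

# --- OIDs: RFC 2898/8018 appendix, PKCS#12 appendix C, NIST CSOR for AES ---
PBES2, PBKDF2 = "1.2.840.113549.1.5.13", "1.2.840.113549.1.5.12"
PBES1 = {  # RFC 2898 A.3: MD2/MD5/SHA-1 with DES or RC2, all legacy
    "1.2.840.113549.1.5.1": "pbeWithMD2AndDES-CBC",
    "1.2.840.113549.1.5.3": "pbeWithMD5AndDES-CBC",
    "1.2.840.113549.1.5.4": "pbeWithMD2AndRC2-CBC",
    "1.2.840.113549.1.5.6": "pbeWithMD5AndRC2-CBC",
    "1.2.840.113549.1.5.10": "pbeWithSHA1AndDES-CBC",
    "1.2.840.113549.1.5.11": "pbeWithSHA1AndRC2-CBC",
}
PKCS12_PBE = {
    "1.2.840.113549.1.12.1.1": "pbeWithSHAAnd128BitRC4",
    "1.2.840.113549.1.12.1.2": "pbeWithSHAAnd40BitRC4",
    "1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC",
    "1.2.840.113549.1.12.1.4": "pbeWithSHAAnd2-KeyTripleDES-CBC",
    "1.2.840.113549.1.12.1.5": "pbeWithSHAAnd128BitRC2-CBC",
    "1.2.840.113549.1.12.1.6": "pbeWithSHAAnd40BitRC2-CBC",
}
CIPHERS = {  # PBES2 encryptionScheme OID -> (name, effective key bits)
    "2.16.840.1.101.3.4.1.2": ("aes128-CBC", 128),
    "2.16.840.1.101.3.4.1.22": ("aes192-CBC", 192),
    "2.16.840.1.101.3.4.1.42": ("aes256-CBC", 256),
    "1.2.840.113549.3.7": ("des-EDE3-CBC", 112),  # 3-key 3DES, ~112-bit strength
}
PRFS = {"1.2.840.113549.2.7": "hmacWithSHA1", "1.2.840.113549.2.9": "hmacWithSHA256",
        "1.2.840.113549.2.11": "hmacWithSHA512"}
SEQ, INT, OCTS, NULL, OID = 0x30, 0x02, 0x04, 0x05, 0x06

# --- minimal DER reader/writer (definite lengths only, which is all PKCS#8 uses) ---
def _read_tlv(buf, pos):
    """Read one TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: 0x8N then N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out

def _decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:                         # base-128, high bit = continuation
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v); v = 0
    return ".".join(map(str, arcs))

def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]; a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F)); a >>= 7
        out += bytes(reversed(chunk))
    return out

def _int(n):                                   # positive DER INTEGER, minimal encoding
    return n.to_bytes(n.bit_length() // 8 + 1, "big")

def _alg(oid, params):                         # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    return _tlv(SEQ, _tlv(OID, _oid(oid)) + params)

# --- the check itself ---
def classify_encrypted_pkcs8(der):
    """Describe the password-based scheme named by an EncryptedPrivateKeyInfo."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != SEQ:
        raise ValueError("not a DER SEQUENCE")
    (_, alg_body), (_, _enc_data) = _children(body)[:2]   # encryptionAlgorithm, encryptedData
    alg_parts = _children(alg_body)
    alg = _decode_oid(alg_parts[0][1])
    if alg in PBES1:
        return {"scheme": "PBES1", "algorithm": PBES1[alg]}
    if alg in PKCS12_PBE:
        return {"scheme": "PKCS12-PBE", "algorithm": PKCS12_PBE[alg]}
    if alg != PBES2:
        return {"scheme": "unknown", "algorithm": alg}
    (_, kdf_body), (_, enc_body) = _children(alg_parts[1][1])   # PBES2-params
    kdf_parts = _children(kdf_body)
    kdf = _decode_oid(kdf_parts[0][1])
    params = _children(kdf_parts[1][1])        # salt, iterationCount, [keyLength], [prf]
    iterations = int.from_bytes(params[1][1], "big")
    prf = "hmacWithSHA1"                       # RFC 2898 default when prf is omitted
    if params[-1][0] == SEQ:
        prf = PRFS.get(_decode_oid(_children(params[-1][1])[0][1]), "unknown")
    cipher, bits = CIPHERS.get(_decode_oid(_children(enc_body)[0][1]), ("unknown", 0))
    return {"scheme": "PBES2", "kdf": "PBKDF2" if kdf == PBKDF2 else kdf,
            "iterations": iterations, "prf": prf, "cipher": cipher, "key_bits": bits}

def wrapping_adequate(report, wrapped_key_strength_bits):
    """Illustrative check (assumption, not from the draft): PBES2 is in use and the
    symmetric key is not weaker than the private key it protects. Caller supplies the
    wrapped key's strength, e.g. 112 for RSA-2048, 128 for RSA-3072 or P-256 (SP 800-57)."""
    return report.get("scheme") == "PBES2" and report.get("key_bits", 0) >= wrapped_key_strength_bits

# --- constructed samples (no real key material) ---
def sample_pbes2():
    """PBES2 with PBKDF2-HMAC-SHA256, 600000 iterations, AES-256-CBC."""
    kdf_params = _tlv(SEQ, _tlv(OCTS, bytes(16)) + _tlv(INT, _int(600000))
                      + _alg("1.2.840.113549.2.9", _tlv(NULL, b"")))
    pbes2_params = _tlv(SEQ, _alg(PBKDF2, kdf_params)
                        + _alg("2.16.840.1.101.3.4.1.42", _tlv(OCTS, bytes(16))))
    return _tlv(SEQ, _alg(PBES2, pbes2_params) + _tlv(OCTS, bytes(48)))

def sample_pbes1():
    """Legacy pbeWithMD5AndDES-CBC with PBEParameter { salt, 2048 iterations }."""
    pbe_params = _tlv(SEQ, _tlv(OCTS, bytes(8)) + _tlv(INT, _int(2048)))
    return _tlv(SEQ, _alg("1.2.840.113549.1.5.3", pbe_params) + _tlv(OCTS, bytes(48)))

if __name__ == "__main__":
    for sample in (sample_pbes2(), sample_pbes1()):
        r = classify_encrypted_pkcs8(sample)
        print(r, "adequate for a 128-bit key:", wrapping_adequate(r, 128))
```

To run it against a real key, feed `classify_encrypted_pkcs8(open("key.p8", "rb").read())` the DER produced by `openssl pkcs8 -topk8 -outform DER -v2 aes-256-cbc`; the same file produced with `-v1 PBE-MD5-DES` comes back as PBES1, which is the case the draft is being revised to stop describing as acceptable.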