Re: [secdir] secdir review of draft-housley-suite-b-to-historic-04
Paul Wouters <paul@nohats.ca> Tue, 24 April 2018 15:08 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4562D129C6B; Tue, 24 Apr 2018 08:08:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lOwh676TPgpP; Tue, 24 Apr 2018 08:08:21 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 64D0A1200C5; Tue, 24 Apr 2018 08:08:21 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 40VmtB006Hz3HG; Tue, 24 Apr 2018 17:08:17 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1524582498; bh=vbzrDpFdypeCRsAIwiUymcyDmC0sLe/qXww42AcaBdY=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=AWITaF3okTmzsAldnY3irtkFNKXAkOhtLVZ/oR8lJe7E+CKadtdH5D7GyoavZ3v2T 0pazFLoAYwtBwiMxd97dJXb1Uzh4DBrNBiwuJbVeYhY5UyVqKu+/r/NMvB4N5nKIhB vwRq6gCR53hWk3OoOc8iNtkUxNkVGlv3C9n1Wm0s=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id qs4dAK52bFNh; Tue, 24 Apr 2018 17:08:16 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Tue, 24 Apr 2018 17:08:15 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 33C17A7E07; Tue, 24 Apr 2018 11:08:14 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca 33C17A7E07
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 280824000B42; Tue, 24 Apr 2018 11:08:14 -0400 (EDT)
Date: Tue, 24 Apr 2018 11:08:14 -0400
From: Paul Wouters <paul@nohats.ca>
To: Taylor Yu <tlyu@mit.edu>
cc: iesg@ietf.org, secdir@ietf.org, draft-housley-suite-b-to-historic.all@ietf.org
In-Reply-To: <ldv36zl5kjd.fsf@ubuntu-1gb-nyc1-01.localdomain>
Message-ID: <alpine.LRH.2.21.1804241056020.17777@bofh.nohats.ca>
References: <ldv36zl5kjd.fsf@ubuntu-1gb-nyc1-01.localdomain>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/Sxgpug8BFJCde4QzcHLHhHyRrWU>
Subject: Re: [secdir] secdir review of draft-housley-suite-b-to-historic-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Apr 2018 15:08:24 -0000
On Tue, 24 Apr 2018, Taylor Yu wrote: > "7. Security Considerations > > The CNSA Suite includes algorithms using the larger key sizes that > are included in Suite B. There are no interoperability or security > concerns raised by reclassifying the Suite-B-related RFCs to Historic > Status." This text is interesting as I see two statements by the US government on the CNSA Suite. The first one is at: https://www.iad.gov/iad/programs/iad-initiatives/cnsa-suite.cfm Which claims the CNSA Suite is not published yet, but there is a transition set of algorithms to use. The second one is at: https://www.iad.gov/iad/library/ia-guidance/ia-solutions-for-classified/algorithm-guidance/cnsa-suite-and-quantum-computing-faq.cfm Which lists the same algorithms, but no longer calls these a transition list but the actual CNSA Suite. Regardless, since I think the IETF should not be advertising a single governments crypto standards, I think this document would be better of not mentioning CNSA in Section 7 at all. We shouldn't have stamped Suite B in the IETF either, but we were young and naive at the time. So let's not stamp CNSA as a "successor" in any kind of way. The only thing this document should do is move Suite B to Historic. I would suggest something like this for Section 7: The algorithms and key sizes from Suite B, where these algorithms and key sizes were published by the IETF, have been obsoleted or updated by new and more secure algorithms and key sizes. Please see the respective IANA registries and RFC updates for the specific algorithm usage within their specific protocols. I'm fine with mentioning CNSA in Section 2. Paul
- [secdir] secdir review of draft-housley-suite-b-t… Taylor Yu
- Re: [secdir] secdir review of draft-housley-suite… Paul Wouters
- Re: [secdir] secdir review of draft-housley-suite… Russ Housley
- Re: [secdir] secdir review of draft-housley-suite… Russ Housley
- Re: [secdir] secdir review of draft-housley-suite… Paul Wouters