[secdir] Secdir review of draft-ietf-sidr-rpki-algs-04

Brian Weis <bew@cisco.com> Sun, 27 March 2011 20:36 UTC

To: secdir@ietf.org, iesg@ietf.org
Cc: sidr-chairs@tools.ietf.org, draft-ietf-sidr-rpki-algs@tools.ietf.org

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document describes the algorithm suite used as part of the RPKI. The suite specifies a single signature algorithm (RSA) with a single key size, a single hashing algorithm (SHA-256), a single signature format, and formats for describing the public key. Section 5 indicates that this profile will be updated when the RPKI needs to adopt different choices. I was glad to see such an algorithm agility plan, but this implies that it will in fact never have a peer document describing another profile. In such a case I would expect the document title to be more inclusive (e.g., drop the first three words of the title). Alternatively, it might be helpful to describe in Section 5 under what circumstance another profile would be published instead of updating this one.

The Security Considerations document refers the reader to the security considerations described in several other documents. After reading those sections, I agree this is appropriate.

Brian

-- 
Brian Weis
Security Standards and Technology, SRTG, Cisco Systems
Telephone: +1 408 526 4796
Email: bew@cisco.com
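The suite the review summarizes fixes one key size, one hash and one signature format, so a relying party can reject anything outside the profile before it even checks the signature. The following is an added example, not code from the review or the draft: a pure-Python RSASSA-PKCS1-v1_5/SHA-256 verifier with that profile check, assuming the 2048-bit modulus and public exponent 65537 that the published form of this profile (RFC 6485) specifies; the key generator and the messages are constructed for the demonstration only.

```python
import hashlib
import random

# Profile values assumed from the published form of this draft (RFC 6485):
# RSA with a 2048-bit modulus and exponent 65537, SHA-256, PKCS#1 v1.5 signatures.
MODULUS_BITS, PUBLIC_EXPONENT = 2048, 65537
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DER DigestInfo for SHA-256


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    # Miller-Rabin; adequate for a demonstration key, not a production key generator.
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1: break
        else: return False
    return True

def generate_key(bits: int = MODULUS_BITS):
    def prime(b):  # top two bits forced so that p*q has exactly `bits` bits
        while True:
            c = random.getrandbits(b) | (3 << (b - 2)) | 1
            if (c - 1) % PUBLIC_EXPONENT and is_probable_prime(c):
                return c
    p, q = prime(bits // 2), prime(bits // 2)
    return (p * q, PUBLIC_EXPONENT), pow(PUBLIC_EXPONENT, -1, (p - 1) * (q - 1))

def encode_pkcs1_v15(message: bytes, k: int) -> bytes:
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(message: bytes, pub, d: int) -> bytes:
    k = (pub[0].bit_length() + 7) // 8
    return pow(int.from_bytes(encode_pkcs1_v15(message, k), "big"), d, pub[0]).to_bytes(k, "big")

def conforms_to_profile(pub) -> bool:
    # The profile admits exactly one key size and one exponent; anything else is rejected.
    return pub[0].bit_length() == MODULUS_BITS and pub[1] == PUBLIC_EXPONENT

def verify(message: bytes, signature: bytes, pub) -> bool:
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if not conforms_to_profile(pub) or len(signature) != k:
        return False
    # Compare against a freshly computed encoding rather than parsing the decrypted block.
    return pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big") == encode_pkcs1_v15(message, k)
```

A 1024-bit key (or any other exponent) fails `conforms_to_profile` even when its signature is mathematically valid, which is exactly the single-suite behaviour the review describes.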