[secdir] review of draft-ietf-dnsext-dnssec-gost-05
Stephen Kent <kent@bbn.com> Thu, 07 January 2010 21:01 UTC
Return-Path: <kent@bbn.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2D9AC3A68C5 for <secdir@core3.amsl.com>; Thu, 7 Jan 2010 13:01:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VCki5bgMJoD3 for <secdir@core3.amsl.com>; Thu, 7 Jan 2010 13:01:27 -0800 (PST)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by core3.amsl.com (Postfix) with ESMTP id EAB413A67B3 for <secdir@ietf.org>; Thu, 7 Jan 2010 13:01:26 -0800 (PST)
Received: from dhcp89-089-161.bbn.com ([128.89.89.161]) by smtp.bbn.com with esmtp (Exim 4.63) (envelope-from <kent@bbn.com>) id 1NSzTw-0008RZ-BO; Thu, 07 Jan 2010 16:01:24 -0500
Mime-Version: 1.0
Message-Id: <p06240810c76be77be756@[128.89.89.161]>
Date: Thu, 07 Jan 2010 14:38:14 -0500
To: secdir@ietf.org
From: Stephen Kent <kent@bbn.com>
Content-Type: multipart/alternative; boundary="============_-949224412==_ma============"
Cc: ajs@shinkuro.com, dol@cryptocom.ru, ogud@ogud.com, Ralph Droms <rdroms@cisco.com>
Subject: [secdir] review of draft-ietf-dnsext-dnssec-gost-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Jan 2010 21:01:28 -0000
I reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. Since several SECDIR members are reviewing draft-ietf-dnsext-dnssec-gost-05 I have chosen to focus on one aspect of the document, i.e., the statement that support for GOST algorithms is a SHOULD (Section 6.1) for all DNSSEC aware implementations. I think this is an inappropriate characterization for the level of support that ought to be accorded an algorithm of this type. I explain my rationale for this assertion below. GOST is an example of what I would term a "national" crypto algorithm. I characterize an algorithm as "national" if use of the algorithm is mandated by a government (within its sphere of influence, for some or all application contexts), but the algorithm otherwise is not widely adopted. The GOST set of algorithms are one such example. Others (chosen form the space of symmetric algorithms) include Camellia (Japan), SKIPJACK (US), SEED (Korea), and SMS4 (China, for WAPI). AES and DES are not "national" algorithms. Even though they were published by NIST as FIPS, both were very widely adopted outside of the national context in which use is (was) mandated. This illustrates that the designation of an algorithm as "national" can change over time. Other IETF WGs (e.g., IPsec, S/MIME, OPGP, and TLS) have adopted a policy of publishing RFCs that describe how to use one or more national algorithms in the context of a protocol. However, in these WGs, support for the algorithm is optional, i.e., a MAY in RFC 2119 parlance. These RFCs define how to use a national algorithm IF one chooses to implement it. They do not require support for the algorithm by making it a SHOULD or MUST. This approach allows the IETF to publish RFCs that deal with a wide range of crypto algorithms (national and otherwise) without prejudice, without engaging in a protracted debate about whether all of these algorithms are equally "worthy" etc. These WGs also define a small number of mandatory (MUST or SHOULD), non-national algorithms, to promote interoperability. I think the convention adopted by other WGs is appropriate for DNESEC as well. As a result, I suggest that this document be modified to specify support for GOST algorithms as a MAY.
- Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Andrew Sullivan
- [secdir] review of draft-ietf-dnsext-dnssec-gost-… Stephen Kent
- Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Stephen Kent
- Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Andrew Sullivan
- Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Paul Hoffman
- Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Uri Blumenthal
- Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Andrew Sullivan
- Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Paul Hoffman
- Re: [secdir] review of draft-ietf-dnsext-dnssec-g… David McGrew
- Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Nicolas Williams
- Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Eric Rescorla
- Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Stephen Kent
- Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Basil Dolmatov
- Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Basil Dolmatov
- Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Uri Blumenthal
- Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Sandra Murphy
- Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Sandra Murphy
- Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Stephen Kent
- Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Nicolas Williams
- Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Andrew Sullivan
- Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Basil Dolmatov
- Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Stephen Kent
- Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Andrew Sullivan
- Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Basil Dolmatov
- Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Stephen Kent
- Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Jeffrey Hutzelman
- Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Andrew Sullivan
- Re: [secdir] review of draft-ietf-dnsext-dnssec-g… Jeffrey Hutzelman