[secdir] secdir review draft-iab-crypto-alg-agility-06 (almost done)
Leif Johansson <leifj@sunet.se> Mon, 03 August 2015 19:20 UTC
Return-Path: <leifj@sunet.se>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 287E91B30BE; Mon, 3 Aug 2015 12:20:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.039
X-Spam-Level: *
X-Spam-Status: No, score=1.039 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_SE=0.35, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ik0ioeXtAVAC; Mon, 3 Aug 2015 12:19:58 -0700 (PDT)
Received: from e-mailfilter01.sunet.se (e-mailfilter01.sunet.se [IPv6:2001:6b0:8:2::201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 49EB91B30BD; Mon, 3 Aug 2015 12:19:58 -0700 (PDT)
Received: from smtp1.sunet.se (smtp1.sunet.se [192.36.171.214]) by e-mailfilter01.sunet.se (8.14.4/8.14.4/Debian-4) with ESMTP id t73JJtgT022918 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 3 Aug 2015 21:19:55 +0200
Received: from kerio.sunet.se (kerio.sunet.se [192.36.171.210]) by smtp1.sunet.se (8.14.9/8.14.7) with ESMTP id t73JJpwU024008 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 3 Aug 2015 21:19:54 +0200 (CEST)
VBR-Info: md=sunet.se; mc=all; mv=swamid.se
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sunet.se; s=default; t=1438629594; bh=T3ZsSd4WcT+mcujDOEHA65L7GT2Tc0thk/2PSWp6YKM=; h=Date:From:To:Subject; b=Fz9slXSCR+YM3orIaRwfh6ZUSgSUXwD1pmyQxfJB+GwQw5nD8mBeE9O77s0BTOG4n LkxGGXHVt4Mz/VcVgsT2wC5v0C1oZ+1NOj8BpAio3PH67tzArumwSkAWCydaiiqrXd 3sIfppx1ZyYcsn/YFEWd0hIS+syDqXS6zy5HuPr0=
X-Footer: c3VuZXQuc2U=
Received: from [10.0.0.120] ([62.102.145.131]) (authenticated user leifj@sunet.se) by kerio.sunet.se (Kerio Connect 8.3.4 patch 1) (using TLSv1.2 with cipher DHE-RSA-AES256-SHA (256 bits)); Mon, 3 Aug 2015 21:19:49 +0200
Message-ID: <55BFBED5.7070107@sunet.se>
Date: Mon, 03 Aug 2015 21:19:49 +0200
From: Leif Johansson <leifj@sunet.se>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.8.0
MIME-Version: 1.0
To: draft-iab-crypto-alg-agility.all@tools.ietf.org, "secdir@ietf.org" <secdir@ietf.org>, IESG <iesg@ietf.org>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-Bayes-Prob: 0.0001 (Score 0, tokens from: outbound, outbound-sunet-se:default, sunet-se:default, base:default, @@RPTN)
X-CanIt-Geo: ip=192.36.171.210; country=SE; latitude=59.3294; longitude=18.0686; http://maps.google.com/maps?q=59.3294,18.0686&z=6
X-CanItPRO-Stream: outbound-sunet-se:outbound (inherits from outbound-sunet-se:default, sunet-se:default, base:default)
X-Canit-Stats-ID: 09P0jjTyx - f37b5ba90e9f - 20150803
X-CanIt-Archive-Cluster: PfMRe/vJWMiXwM2YIH5BVExnUnw
Received-SPF: neutral (e-mailfilter01.sunet.se: 192.36.171.210 is neither permitted nor denied by domain leifj@sunet.se) receiver=e-mailfilter01.sunet.se; client-ip=192.36.171.210; envelope-from=<leifj@sunet.se>; helo=smtp1.sunet.se; identity=mailfrom
X-Scanned-By: CanIt (www . roaringpenguin . com) on 192.36.171.201
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/bykvhh43HOiznC5nv7V-paas_lo>
Subject: [secdir] secdir review draft-iab-crypto-alg-agility-06 (almost done)
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Aug 2015 19:20:01 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written with the intent of improving security requirements and considerations in IETF drafts. Comments not addressed in last call may be included in AD reviews during the IESG review. Document editors and WG chairs should treat these comments just like any other last call comments. This document is almost ready to go. I have a couple of issues: 1. Section 3.1 has a certain poetic quality to it but the use of the word "ought" ought perhaps be replaced with normative language unless this is a novel attempt to avoid RFC2119 terms :-) 2. Sections 3.2 and 3.3 should in some way relate back to the recommendation to specify algorithm choices separately from base protocol specifications (esp. since 3.2 suggests that this practice can drive added complexity in the form of algorithm/suite overload) I also have some stylistic comments below, feel free to use or ignore as you see fit: -- minor nits -- 1. Introduction, second paragraph, second sentence current text: As new cryptanalysis techniques are developed and computing capabilities improve, the work factor to break a particular cryptographic algorithm will reduce, becoming more feasible for more attackers. suggested: As new cryptanalysis techniques are developed and computing capabilities improve, the work required to break a particular cryptographic algorithm (aka the work factor) will reduce, making an attack on the algorithm feasible for more attackers. 2.1 Algorithm Identifiers, first paragraph, first sentence current text: IETF protocols that make use of cryptographic algorithms MUST support one or more algorithm or suite identifier. suggested: IETF protocols that make use of cryptographic algorithms MUST support one or more identifier denoting an algorithm or suite of algorithms. 2.2 Mandatory-to-Implement Algorithm, second paragraph, second sentence current text: To achieve this goal, the base protocol specification includes a reference to a companion algorithms document, allowing the update of one document without necessarily requiring an update to the other. suggested: To achieve this goal, it is suggested that the base protocol specification include a reference to a companion algorithms document, allowing the update of one document without necessarily requiring an update to the other. 2.6 Preserving Interoperability, first paragraph s/is very hard/is very difficult/ s/an long support/on long support/ second paragraph s/but preserving/but preserve/ 2.7 Balance Security Strength, first paragraph s/considered in making the selection/considered when making the selection/ s/that are deploying and configuring/who are deploying and configuring/ This section uses "deployment and configuration" (etc) a lot. It may be equally clear to just write "deployment" final paragraph: s/which is in turn/which in turn is/
- [secdir] secdir review draft-iab-crypto-alg-agili… Leif Johansson
- Re: [secdir] secdir review draft-iab-crypto-alg-a… Hannes Tschofenig
- Re: [secdir] secdir review draft-iab-crypto-alg-a… Leif Johansson
- Re: [secdir] secdir review draft-iab-crypto-alg-a… Paul Hoffman
- Re: [secdir] secdir review draft-iab-crypto-alg-a… Leif Johansson