IETF Logo Mail Archive

Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-netconf-crypto-types-20

Valery Smyslov <valery@smyslov.net> Fri, 27 August 2021 16:19 UTC

Return-Path: <valery@smyslov.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C83B3A148C; Fri, 27 Aug 2021 09:19:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=smyslov.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e7-O6NWPHFMu; Fri, 27 Aug 2021 09:19:52 -0700 (PDT)
Received: from direct.host-care.com (direct.host-care.com [198.136.54.115]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E6F0E3A1488; Fri, 27 Aug 2021 09:19:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=smyslov.net ; s=default; h=Content-Type:MIME-Version:Message-ID:Date:Subject:In-Reply-To: References:Cc:To:From:Sender:Reply-To:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=ddT5aP/NZfqYe16O1ZQEbWbVYihrGJp1IjEAAVEeLEE=; b=trMNplqtpFawsn7dxcPvYMoX6B XN9gjrFh5BIcZMamDB8x1ROExKsjCx8XaJ4G+LMQUTj+DItP3wsg+AIVXCcHDTj6FERalTUj2QSCQ maNgWX8C4QIUkpKdNjhigE95ts/V20LLB3ldQcNxYzAL8m3BTFVIx9TqnO86P0pE6TLKeSsWWSuq0 f7EnS0rdDEZ407uW3QcE4AYZgly1hvffjPDFuOuG15Z+EVaKu43ltz2tEVUlgsfnw3N2CVxFEjoXq NtVyPCLDMg4q4PMj6tsbNQSK8kUE1ZmVC+LKe4DdAP/w1nvCYg61r2Iz+9RQBlzEcjCK+Z6nNMfnU sON26yiw==;
Received: from [93.188.44.204] (port=55235 helo=buildpc) by direct.host-care.com with esmtpsa (TLS1.2) tls TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.93) (envelope-from <valery@smyslov.net>) id 1mJea4-0000T5-4K; Fri, 27 Aug 2021 12:19:48 -0400
From: Valery Smyslov <valery@smyslov.net>
To: 'Kent Watsen' <kent+ietf@watsen.net>
Cc: secdir@ietf.org, draft-ietf-netconf-crypto-types.all@ietf.org, netconf@ietf.org
References: <162982978380.3381.17549750696257276827@ietfa.amsl.com> <0100017b8819bf19-1f20d528-72e4-462c-884a-6c29eff0769b-000000@email.amazonses.com> <017c01d79b5e$a00a0000$e01e0000$@smyslov.net>
In-Reply-To: <017c01d79b5e$a00a0000$e01e0000$@smyslov.net>
Date: Fri, 27 Aug 2021 19:19:41 +0300
Message-ID: <018401d79b5f$591b51c0$0b51f540$@smyslov.net>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0185_01D79B78.7E6889C0"
X-Mailer: Microsoft Outlook 14.0
Content-Language: ru
Thread-Index: AQGndKy5sGszK4BuDx47nymU5VnBUwHC5W7jAisjdPWryGQXwA==
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - direct.host-care.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - smyslov.net
X-Get-Message-Sender-Via: direct.host-care.com: authenticated_id: valery@smyslov.net
X-Authenticated-Sender: direct.host-care.com: valery@smyslov.net
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/cTTDzYVIGUXbR2gElAOns6-AY1E>
Subject: Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-netconf-crypto-types-20
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Aug 2021 16:19:58 -0000

Spotted a typo in own message – of course it was meant Quantum computer, not a Post Quantum one

(I have no idea what Post Quantum computer may mean :-), I know only Post-quantum cryptography).

 

 

In addition, the requirement, that "Implementations SHOULD fail the write-request if ever
the strength of the private key is greater then the strength of the
underlying transport" looks wrong to me. You don't need to have
1024 bits transport protocol strength to transfer 1024 bit key, since
even for say 256 bits it's infeasible to break.

 

IDK about this.  Again, I saw this constraint once in a DoD setting.  

 

          My (another) point was that there is generally no point to increase

          security strength beyond some level. Currently it is believed

          that 128 bit of symmetric key is infeasible to break (provided the algorithm is not broken itself),

          If you are lucky have full-sized Post Quantum computer, it’ll be 256 bits.

          It’s enough to transfer symmetric keys with say 1024 bits of entropy

          (FWIW). So the requirement that the strength of transport must

          be always greater than the strength of transported key 

          seems not a good requirement to me. Instead require that

          the strength of transport be sufficient to make

          infeasible for an attacker to break it.

v2.23.0 | Report a Bug | By Email