Re: [secdir] secdir review of draft-mavrogiannopoulos-ssl-version3

Nikos Mavrogiannopoulos <nmav@gnutls.org> Wed, 11 May 2011 13:00 UTC

Return-Path: <n.mavrogiannopoulos@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C67D2E080C; Wed, 11 May 2011 06:00:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.977
X-Spam-Level:
X-Spam-Status: No, score=-2.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kjDM7Wa7mw3j; Wed, 11 May 2011 05:59:59 -0700 (PDT)
Received: from mail-pz0-f44.google.com (mail-pz0-f44.google.com [209.85.210.44]) by ietfa.amsl.com (Postfix) with ESMTP id D2933E07EB; Wed, 11 May 2011 05:59:59 -0700 (PDT)
Received: by pzk5 with SMTP id 5so312964pzk.31 for <multiple recipients>; Wed, 11 May 2011 05:59:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=HldC8fAj+e+9S0pey/O5igSVxMdTZKZAjPJxc9AFuJM=; b=VQm8lSaLcTpcsqPbXIzM9kT2G8zyAT078OCFJFvOvy6ffAbIKFrgrFinafyFH8ciCP gFekQJro3NO8sgbYECEDPcnFXtjNDK9VDHXaG68NrRB5qtfCYyCVJuJxVEzu6p5xGwTj LQw0McDgufCLpD9j5ioawoDz9PNHRhn0AmJ/4=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :content-transfer-encoding; b=SECyS+GBAa3HOFVELbr7GaEgqY/bgXZF6Zqz8nhAKPnOJYMwr9FUYA8Cg3IVJYA7Ie sAffKvT1K4igswGZ7f0kVMRphcIpD/mwJmDG1F2+nVn60ZSrqSQqOYiBWKFM+xz9rEyD uQYHqZcX5VPnfIOzWAuDZhlN0N/Bu7Swxb9c8=
MIME-Version: 1.0
Received: by 10.68.71.233 with SMTP id y9mr7995512pbu.150.1305118799492; Wed, 11 May 2011 05:59:59 -0700 (PDT)
Sender: n.mavrogiannopoulos@gmail.com
Received: by 10.68.59.70 with HTTP; Wed, 11 May 2011 05:59:59 -0700 (PDT)
In-Reply-To: <315e69dc80b49e18950a478f6ab49972.squirrel@www.trepanning.net>
References: <315e69dc80b49e18950a478f6ab49972.squirrel@www.trepanning.net>
Date: Wed, 11 May 2011 14:59:59 +0200
X-Google-Sender-Auth: LZAs4QOqSCFmdHQ3MGCZFbM9wp0
Message-ID: <BANLkTikR1JNLaZaKt4hJPs7=SvFXTF4Z_A@mail.gmail.com>
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
To: Dan Harkins <dharkins@lounge.org>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Mailman-Approved-At: Sat, 14 May 2011 10:50:11 -0700
Cc: draft-mavrogiannopoulos-ssl-version3.all@tools.ietf.org, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-mavrogiannopoulos-ssl-version3
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 May 2011 13:00:00 -0000

On Mon, May 2, 2011 at 7:52 PM, Dan Harkins <dharkins@lounge.org> wrote:
>  Hello,
>  I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.

Hello and thank you for reviewing the document.

[...]
>  Trivial editorial changes to give normative behavior normative wording:
[applied]

>  Removal of wording that no longer applies in the current environment
>  (and was not really unique to the US anyway):
>   - section 5.6.3, remove note about US export law restricting RSA
>     moduli to 512 bits or less.
>   - Appendix D.1, remove mention of US export restrictions limiting
>     RSA keys used for encryption to 512 bits.

I think it is essential to the document the US export restrictions to be kept
as it is. My reasoning would be:
1. To keep the discussion in context, and answer to the question why the export
ciphersuites are defined?
2. To show that cryptography at that time (1998) was driven from political
decisions.

For this reason I suggest instead the following text to the foreword:
"The US export rules discussed in the document do not apply today
but are kept intact for to provide context for the
discussion of the EXPORT cipher-suites."

>  Trivial editorial change to conform to RFC structure
>   - make section 7 into section 8 and move Appendix F into a new
>     section 7 entitled "Security Considerations".

Although this is today the current format, it was not in 1998 and
this document is already widespread through copies such as
www.mozilla.org/projects/security/pki/nss/ssl/draft302.txt. For this
reason I'd like to keep the differences between the two documents
as minimal as possible.

best regards,
Nikos