Re: [secdir] Security review of draft-ietf-core-coap-14
Carsten Bormann <cabo@tzi.org> Wed, 03 April 2013 16:32 UTC
Return-Path: <cabo@tzi.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ECB2A21F8F4D; Wed, 3 Apr 2013 09:32:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.249
X-Spam-Level:
X-Spam-Status: No, score=-106.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ojmdp5MNsFQZ; Wed, 3 Apr 2013 09:32:28 -0700 (PDT)
Received: from informatik.uni-bremen.de (mailhost.informatik.uni-bremen.de [IPv6:2001:638:708:30c9::12]) by ietfa.amsl.com (Postfix) with ESMTP id 3526521F8F44; Wed, 3 Apr 2013 09:32:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at informatik.uni-bremen.de
Received: from smtp-fb3.informatik.uni-bremen.de (smtp-fb3.informatik.uni-bremen.de [134.102.224.120]) by informatik.uni-bremen.de (8.14.4/8.14.4) with ESMTP id r33GWMfb003447; Wed, 3 Apr 2013 18:32:22 +0200 (CEST)
Received: from [192.168.217.105] (p548925A8.dip.t-dialin.net [84.137.37.168]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp-fb3.informatik.uni-bremen.de (Postfix) with ESMTPSA id 6FDA239D6; Wed, 3 Apr 2013 18:32:22 +0200 (CEST)
Mime-Version: 1.0 (Mac OS X Mail 6.3 \(1503\))
Content-Type: text/plain; charset="iso-8859-1"
From: Carsten Bormann <cabo@tzi.org>
In-Reply-To: <515AD9A2.4030003@isode.com>
Date: Wed, 03 Apr 2013 18:32:20 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <12392981-A884-47C7-BE99-98988F5411D1@tzi.org>
References: <515AD9A2.4030003@isode.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>
X-Mailer: Apple Mail (2.1503)
X-Mailman-Approved-At: Wed, 03 Apr 2013 09:43:13 -0700
Cc: draft-ietf-core-coap.all@tools.ietf.org, The IESG <iesg@ietf.org>, secdir@ietf.org
Subject: Re: [secdir] Security review of draft-ietf-core-coap-14
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Apr 2013 16:32:29 -0000
Alexey, thank you for this thoughtful review. Re your two minor items: > raw public key depends on the cipher suite used. Implementations in > RawPublicKey mode MUST support the mandatory to implement cipher > suite TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 as specified in > [I-D.mcgrew-tls-aes-ccm-ecc], > > It looks like this reference is Normative, while you have it as Informative. We will add this as a normative reference in draft-ietf-core-coap-15. > asymmetric public key pair installed. An identifier is calculated > from the public key as described in Section 2 of > [I-D.farrell-decade-ni]. All implementations that support checking > RawPublicKey identities MUST support at least the sha-256-120 mode > (SHA-256 truncated to 120 bits). Implementations SHOULD support also > > I think you need a Normative reference to SHA-256 here. Actually, we specifically require the sha-256-120 mode from draft-farrell-decade-ni (the parenthetical remark is just explanatory), which is a normative reference and in turn has SHA-256 (FIPS PUB 180-3) as a normative reference. (We also reference RFC 6347, which does not reference SHA-256, but references RFC 5246, which finally references FIPS PUB 180-2. Of course, we could reference FIPS PUB 180-4, if that helps, but we would like to avoid the "transitive closure" effect. Or maybe draft-farrell-decade-ni should be updated to FIPS PUB 180-4 before publication. Or maybe not, which is another reason not to try doing the transitive closure.) > P.S. I have some Apps specific issues with the document, but I send these separately in my AppsDir review. Looking forward to it! Grüße, Carsten
- [secdir] Security review of draft-ietf-core-coap-… Alexey Melnikov
- Re: [secdir] Security review of draft-ietf-core-c… Carsten Bormann