[smime] [Errata Rejected] RFC5084 (4774)

RFC Errata System <rfc-editor@rfc-editor.org> Mon, 19 March 2018 10:36 UTC

To: quannguyen@google.com, housley@vigilsec.com
From: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: Kathleen.Moriarty.ietf@gmail.com, iesg@ietf.org, smime@ietf.org, rfc-editor@rfc-editor.org
Content-Type: text/plain; charset=UTF-8
Message-Id: <20180319103600.13CA8B80C90@rfc-editor.org>
Date: Mon, 19 Mar 2018 03:36:00 -0700 (PDT)
Archived-At: <https://mailarchive.ietf.org/arch/msg/smime/MfPALyuxrNUR-_-okNL91wxuFPU>
Subject: [smime] [Errata Rejected] RFC5084 (4774)

The following errata report has been rejected for RFC5084,
"Using AES-CCM and AES-GCM Authenticated Encryption in the Cryptographic Message Syntax (CMS)".

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata/eid4774

--------------------------------------
Status: Rejected
Type: Technical

Reported by: QUAN NGUYEN <quannguyen@google.com>;
Date Reported: 2016-08-11
Rejected by: Kathleen Moriarty (IESG)

Section: 3.2

Original Text
-------------
aes-ICVlen       AES-GCM-ICVlen DEFAULT 12

A length of 12 octets is RECOMMENDED.

Corrected Text
--------------
aes-ICVlen       AES-GCM-ICVlen DEFAULT 16

A length of 16 octets is RECOMMENDED.

Notes
-----
Many JCE providers, including OpenJDK, BouncyCastle and Conscrypt, have a bug in that they use a 12-byte authentication tag (aes-ICVlen) as the default if the code path [1] uses CMS. According to Ferguson's attack (http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/Ferguson2.pdf), if a user encrypts a message 2^32 blocks long, then a 12-byte authentication tag has only 96 - 32 = 64 bits of security, which is not good enough nowadays. Furthermore, once a forgery happens, then authentication is leaked.

[1] In other code paths, all providers use a 16-byte authentication tag as the default.

------
AD Note: through on-list discussions, it is clear this errata should be rejected.

The first half of this errata must be rejected.  We do not change the ASN.1
for something like this under just about any circumstances.

Changing the recommendation of a value should probably not be done by an
erratum but by publishing a new document.  We could discuss and make
the recommendation change in the new S/MIME document in the LAMPS group
rather than in this document.

A possible way forward is a short draft that updates RFC 5084 to recommend the use of 16 octet authentication tags in all situations.

--------------------------------------
RFC5084 (draft-ietf-smime-cms-aes-ccm-and-gcm-03)
--------------------------------------
Title               : Using AES-CCM and AES-GCM Authenticated Encryption in the Cryptographic Message Syntax (CMS)
Publication Date    : November 2007
Author(s)           : R. Housley
Category            : PROPOSED STANDARD
Source              : S/MIME Mail Security
Area                : Security
Stream              : IETF
Verifying Party     : IESG
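
As an added illustration of the `DEFAULT 12` point in the erratum (not part of the original message, RFC 5084, or any JCE provider): a minimal Python check that reads DER-encoded `GCMParameters`, using the SEQUENCE layout from RFC 5084 section 3.2, and reports the ICV length a decoder applies when `aes-ICVlen` is omitted. The function names and sample bytes are constructed for this example; the 16-octet threshold is the value proposed in the erratum and the AD note.

```python
# Added example; not code from RFC 5084 or from any provider named above.
# RFC 5084 section 3.2 layout:
#   GCMParameters ::= SEQUENCE { aes-nonce  OCTET STRING,
#                                aes-ICVlen AES-GCM-ICVlen DEFAULT 12 }
# DER omits a field equal to its DEFAULT, so an absent aes-ICVlen means 12.
DEFAULT_ICVLEN = 12      # ASN.1 default quoted in the erratum
RECOMMENDED_ICVLEN = 16  # value proposed in the erratum and the AD note

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one short-form DER TLV at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:  # long-form lengths are not needed for these sizes
        raise ValueError("long-form length not supported in this example")
    end = pos + 2 + length
    if end > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos + 2:end], end

def gcm_icvlen(der):
    """Return (icv_len, explicit) for a DER GCMParameters blob."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    tag, _nonce, pos = _read_tlv(body, 0)
    if tag != 0x04:
        raise ValueError("aes-nonce must be an OCTET STRING")
    if pos == len(body):               # field omitted: DEFAULT applies
        return DEFAULT_ICVLEN, False
    tag, val, pos = _read_tlv(body, pos)
    if tag != 0x02 or pos != len(body):
        raise ValueError("expected a trailing INTEGER aes-ICVlen")
    icv = int.from_bytes(val, "big", signed=True)
    if icv not in (12, 13, 14, 15, 16):  # AES-GCM-ICVlen value set
        raise ValueError(f"aes-ICVlen {icv} outside 12..16")
    return icv, True

def audit(der):
    """Describe the tag length a CMS decoder would use for these parameters."""
    icv, explicit = gcm_icvlen(der)
    source = "explicit" if explicit else "implicit DEFAULT"
    verdict = "ok" if icv >= RECOMMENDED_ICVLEN else "short tag"
    return f"{icv}-octet ICV ({source}): {verdict}"

# Constructed samples: nonce 00..0b, without and with an explicit aes-ICVlen 16.
NONCE_TLV = bytes([0x04, 12]) + bytes(range(12))
IMPLICIT = bytes([0x30, 14]) + NONCE_TLV
EXPLICIT_16 = bytes([0x30, 17]) + NONCE_TLV + bytes([0x02, 0x01, 16])
```

Calling `audit(IMPLICIT)` shows the case the erratum is about: an encoder that never sets `aes-ICVlen` produces parameters that every conforming decoder reads as a 12-octet tag.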