IETF Logo Mail Archive

Re: [lamps] AD review of draft-ietf-lamps-cmp-algorithms-07

Mike Ounsworth <Mike.Ounsworth@entrust.com> Fri, 05 November 2021 18:00 UTC

Return-Path: <Mike.Ounsworth@entrust.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B26F3A130E for <spasm@ietfa.amsl.com>; Fri, 5 Nov 2021 11:00:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=entrust.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I-syW1rD0w8c for <spasm@ietfa.amsl.com>; Fri, 5 Nov 2021 11:00:02 -0700 (PDT)
Received: from mx08-0015a003.pphosted.com (mx08-0015a003.pphosted.com [185.183.30.227]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 88E423A12F5 for <spasm@ietf.org>; Fri, 5 Nov 2021 11:00:02 -0700 (PDT)
Received: from pps.filterd (m0242863.ppops.net [127.0.0.1]) by mx08-0015a003.pphosted.com (8.16.1.2/8.16.1.2) with ESMTP id 1A5DnhM7008386; Fri, 5 Nov 2021 12:59:45 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=entrust.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-transfer-encoding : mime-version; s=mail1; bh=dBR+WI/73kSoEnEu/eSpe1+oys2KCl5HHPQlR5p4Dow=; b=SUWtd9UmvXbJIvtcOsKQ5SWZWxNdphERehsTcy16ziiEoLDYzpLNx8KJoXZQJiWd++OH Y8Sqc8mJ8Xfvs3wmOert8WBxXltB+r9jylir4Hr752VWAOYdB1upWF0+ja30zUEWioHT cri3splqF+gFV7a39kHky2pTbC9BsRkjkb6h6jQMBXuNz2pLD4t8YhzM6y7WdJoYmPxg QC4P9OsKcygFzYZeMayNw6TdJoJF5rP1HaUlPiYIzLov/XD6c/lLbcnLfVWsRJtQycF2 Ch+Xxr/vfSNIy0vlz4OIJ0k02i7hSBTmBfj7bklq8qKfSJiocOvT+gGSzHQCx9GyiZBH 5w==
Received: from nam12-mw2-obe.outbound.protection.outlook.com (mail-mw2nam12lp2045.outbound.protection.outlook.com [104.47.66.45]) by mx08-0015a003.pphosted.com (PPS) with ESMTPS id 3c4t3mtddv-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 05 Nov 2021 12:59:44 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=CewIala5PQZEV2kh615QAkgOIM9FnZCvfxQklLsLceHBnay8ccLlq4mznbhkgJt8gOubJo7ZKR02TsleAsN2vPy3aoGg/ViAmBdS3DXdGEr7/vfYBS9/kv4Z7N0fborBKHYrsLVKIXkSh1WubA3L8lpYIc8iHswQhSeKK5KJrn2BzBpevNe/lrWR/Ad2Redomg4WHRhZUXj+/tMujDGkXMly6oYOAgxpmQ0J0Lmbl3yYH1afAgs3ZLeNf14/f71Zigs9ugW+X4g6VkmYVXEog6thxjig/ZngJPOpPwad8WXMA5dW/fYaFptwafz0ldK17b5lAhRc0bXyOiPfhRwV7w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=dBR+WI/73kSoEnEu/eSpe1+oys2KCl5HHPQlR5p4Dow=; b=Ui7qwHVFsafgFtJWBuyLBZqspxMmqayqxgEZEB22O4GBzDgjR3i7W5Ow+JsFJifx4TumPh714lDiG35UOnzD3t54yyb7/xfmP/Nkj31985KPLKqiHXFa/xOD1G7DUYiFjsoaZNxpijXNafLV9viYoLEYy8otEO5blPkpbhoso0hgcWja7mPziDRIqaJzAY2nXPC1ik/7MgwFhvyjNT7e8bjJymrNjXwsBfEWcloIMOmmwnIkoIo9biebPc1sAc9bAMqNPIdZppeJHkWk35vpvEL9xZlRJ5TnVudgRwPSIpqwYTkfAnx6swHfp8otDJ+FMSdxn/JOFMEW4QYcO8MGbQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=entrust.com; dmarc=pass action=none header.from=entrust.com; dkim=pass header.d=entrust.com; arc=none
Received: from CH0PR11MB5739.namprd11.prod.outlook.com (2603:10b6:610:100::20) by CH0PR11MB5441.namprd11.prod.outlook.com (2603:10b6:610:d0::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4669.11; Fri, 5 Nov 2021 17:59:40 +0000
Received: from CH0PR11MB5739.namprd11.prod.outlook.com ([fe80::bcf2:571f:eb41:1737]) by CH0PR11MB5739.namprd11.prod.outlook.com ([fe80::bcf2:571f:eb41:1737%2]) with mapi id 15.20.4649.018; Fri, 5 Nov 2021 17:59:40 +0000
From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: Roman Danyliw <rdd@cert.org>, "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
CC: LAMPS WG <spasm@ietf.org>
Thread-Topic: AD review of draft-ietf-lamps-cmp-algorithms-07
Thread-Index: AdfKsmHop5v82zipS+Kei9oAXI0KtQF6h4rQAGbB71AADVeZ8A==
Date: Fri, 05 Nov 2021 17:59:40 +0000
Message-ID: <CH0PR11MB5739D66C79B70AB79AC41F4B9F8E9@CH0PR11MB5739.namprd11.prod.outlook.com>
References: <BN1P110MB0939774B07F1FF05E5DBBC42DC849@BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM> <AM0PR10MB2418AFBC3AA679C2371A3175FE8D9@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM> <BN1P110MB09392B30E65D3D02F45ED706DC8E9@BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM>
In-Reply-To: <BN1P110MB09392B30E65D3D02F45ED706DC8E9@BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_Enabled=true; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_SetDate=2021-11-04T18:04:00Z; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_Method=Standard; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_Name=restricted-default; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_SiteId=38ae3bcd-9579-4fd4-adda-b42e1495d55a; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_ActionId=b683b9ed-ffa3-47d3-ad34-d6022fe05c47; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_ContentBits=0
authentication-results: cert.org; dkim=none (message not signed) header.d=none;cert.org; dmarc=none action=none header.from=entrust.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 71a681bb-e1c1-4fdc-80fe-08d9a0860a19
x-ms-traffictypediagnostic: CH0PR11MB5441:
x-microsoft-antispam-prvs: <CH0PR11MB544152C0FAFA9A909083D62D9F8E9@CH0PR11MB5441.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: uBcxOtuyg+GcUY8t1L4dwaXrb0afslmYSU+GF+FTqcDNkdDx7cMndpLthbilAwvxyqUaDLmAOcnntXdpT8nVuJLs9sESCSCg881J/rw0aQW7ZtP2dxs5gf6nuj6QNKTbDgNSy/5WWoSmey+1lykGymYNoMDmA3Nc50EvbAjNcM6c3U2SnaoZbW2mM0mUXy6myR/kxaYcWjY5L8JbTskm41jWUaNrSnhqhuKGmJ3Le1NibaVm+Ral2bFn4ysM4CxcBngqnZ1ep77GOLGG+1sMDM7UViUN/gNmNbSLNzPzHErOij102GUBqOBNmpqNXjfboRM6w0I/pX3IAav6VR9DDQa9/QQfpm7Zf/DR3lfGjZHPBKJCOCvVo8I7lEjmtNWFV7PvFbjCkzLmflY9LUPgX52U9bwB0m0ApY0G7Subj0OnLqZD9i2F60EDXtpxuzo9Iq4ah57EfuFgLrQ3S3HFpbngLulhbdwIVSU70qn5IKAaKRBnrDCfZtkzABRn8QVexvysXGult+cdSxBhzVpx121/irwn+dAsLO3Ejm/oyptDU5i1tBE/Z7ZNc1vAMMgeZCMgsLPhQeBiIyQyP03PmlrRHFXzE28BMTZJd7qU76bAmNJbu2AoYBZwL2wO7chNczY5v+B9uB5nHkn1CE9VcnHBvrPiEwtBAm6PLZA6E6bhmHJWNFngWX+Uf5i3GXjmbJAQvoYohEwvuJy/ds+gFSSsJ+eD/C9SYcay1i+Kzy2Wb62OnbxOYUNQ7xSlQqUPDS9PwxmZg/UYaOFZboBDR5TjSb/Ox3TCdgB2ru2CJ1U=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH0PR11MB5739.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(366004)(2906002)(8936002)(66476007)(6506007)(4326008)(76116006)(5660300002)(38070700005)(53546011)(316002)(7696005)(186003)(110136005)(30864003)(38100700002)(83380400001)(122000001)(8676002)(966005)(9686003)(86362001)(33656002)(508600001)(66946007)(52536014)(55016002)(71200400001)(66446008)(66556008)(26005)(64756008)(579004); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 4bZMRRZXWhPhUttBL9taEp1B2uFFfo+kunvLD5mXuPZUuZw9Ll85LFnVzH+mLYU18L2alz7TDNU9qdc4PM5na8VzgdsYneahx3QYE706/MRNs6BUZniwJgi6oKA8eCaNrPBnoXgZiX1r8J3UqCdMDyySDpZDMDjO2qA3AOI2tE9kaxH/SRce6O4zvf3aHIi5PHROTCD6cm8115QupkGBVGp4dWhy909bf7WdVjwsNTVFkHchsDiQ4DaA7zusu7AEVxmw/mExLt3s/q0VVa3qt9csb8rDSSVeIrfQAnYKordiNsyk1IrXw23Q+2tsBaiPefFkMXpwyuHQA2MRu6b/VYCNTZXKuyMBtSyO8MQUrzQ4PHoyBlq9bwZB1d8HjbCkKHxxBXCcTMaKz6IhxK7Y12AXOue7BFwDKs3NbjSuPvBVZlRbJcqypqj9ZzF0GZP5uzazTCYyGzqPuj+ft21N5xJo1kylWKtQ1Y4MttrpzDBjaq1PLLqxGSM15+wpyp1dZXGKIOCCvmtmACct83lnWVikMwxv8EdnstHC1CrjttMiYxxqNJK/QaNkWeRoOPx2W4sVcoAhxrY6v339etPweWnwIEjMtq8wnnYNqGjgoqaDoSj7AbMIfwZudlHzNpVbUaZei+jdSCCbZ+hvD5VPTi+awAmZ2h70EkObEOi8p9KByeVRAJh1PtzJ66/HTZZXhz+0xb0rtWqVTWjUkI7Sak83niA3/GWhkai2JREz+RZoa1VIE56mndJnqHwFBdtiBw9bRuFluv3qgtHBxRG6CygniNb7X9hJKQq5oCaxskEhrbvDnvctQXFGTBtcXe8lwlNbvSHqmtTKPr6b1KLHM2elXMFy53NAf3YvqbJL5Ed5MA8p7wNy0U8g01PyIlZUui/Ye4vDhHmVdUJ2bIRbRfF6ciJ6Ik3jcLJ3sL6xd9YxDa+Y0IvbRluI88kei/iw9CW55vb0J5r8LqXXk/jNTg1pnIP9c/oIEtAmGtvCy6H073DkMF/PbDQXBg7FAX35EfqKk2+N2PIMCX0e6dSSHJEPDtHhvXTJGLdgBR9XlkQ8KpUetKbb8sAZfzWUrsIo+BMJE//TgPQoQ7A5ItlD+Ejsm3QoZHVzCNUHmSrEyOkYe+aPRIOu37diO5QL+hf9ANXcYO6MOagbjh3ba3fE6B0eEM4xr2e2xDNtpqk8xbw/TcvkDRwdDpMIXTFK5ws8GEyjqjErguqZAb9EtuTeIPOjeJ7ZbgRqTTBrDiR0Itr8XboVuPM6lccYvR3wQlZ0tO8FTLzwkIe2DenFJNwd8xg6ZWFPD/Z9oGkAWEV7crJL+NBcF2B6MhSLztUy0Z7hiM40NDMxtaIwNqPghQ8RftPB6a8RacFuSheod32bxS35A1xoj6uJ19OUlCcs8dmSyYFNSaoGvxfYer4SDfQFY4+TOEI3NrqbCRd4GjS9lPURcEgw29BV76tKL1JI+2wOF9OQQ84w2OsxwZ/HtsRKTDk+9+ymbJj5+TjtK2y5F86UMsRscyR1OrwWfla/HNe7t7LXxdx2nyB55Ubq32ITJN8Y6lSpp8MmlGhCflxtIkiAZYoVlDdw9zRD4z41zB3EAiPlrqYjhX5ohD0OxTrIjds/N3ThncFSy20v+VwygfeW78gbT9TTKQmYbPbeoANXr2PHvR21fqqpHWzPuO3MKA==
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: entrust.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CH0PR11MB5739.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 71a681bb-e1c1-4fdc-80fe-08d9a0860a19
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Nov 2021 17:59:40.3150 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f46cf439-27ef-4acf-a800-15072bb7ddc1
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: SgM/Q0Jt7It4MnuxL+kER9gVmMjrOusErK+TOCxARPWKYsuvtPZfPAcO8FZNsgzYSlfChHbrJ7o663GDq8QEagrWEuOIjF4O8MwI3F2X1jI=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH0PR11MB5441
X-Proofpoint-GUID: x_UGqFOcK6xfFImKPtXbnyz8PXbYz9Wo
X-Proofpoint-ORIG-GUID: x_UGqFOcK6xfFImKPtXbnyz8PXbYz9Wo
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.790,Hydra:6.0.425,FMLib:17.0.607.475 definitions=2021-11-05_02,2021-11-03_01,2020-04-07_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 priorityscore=1501 bulkscore=0 clxscore=1011 malwarescore=0 lowpriorityscore=0 impostorscore=0 phishscore=0 mlxlogscore=999 adultscore=0 mlxscore=0 suspectscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2110150000 definitions=main-2111050100
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/PK9YnxJpIPeW2tLm5vVzhGLWncs>
Subject: Re: [lamps] AD review of draft-ietf-lamps-cmp-algorithms-07
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Nov 2021 18:00:07 -0000

Hi Roman!

> AES128 + RSA2048 would be more consistent based on the principle of matching relative key strength. However, if prior specs said AES256+RSA2048, I think we should be careful about weaking the requirement regardless of consistency.

A couple thoughts here:

1. I don't think we have any language stating that these profiles are requirements. The language (from Hendrik's slides for Monday) is the column header " Recommended for
managing keys up to". It's a nit-pick, I know.

2. An implementation doing AES256+RSA2048 exceeds the profile that recommends AES128+RSA2048. That's fine, unless there's an on-the-wire interop concern here? For example if an existing CMP client handling RSA2048 keys only has an AES256 implementation and would barf if the server suddenly started using AES128? I assume that sort of thing would be caught in product testing.

Or is your concern more to do with optics / security proofs / FIPS and CMVP style certifications if we lower the required AES strength of a profile?


---
Mike Ounsworth

-----Original Message-----
From: Spasm <spasm-bounces@ietf.org> On Behalf Of Roman Danyliw
Sent: November 5, 2021 7:32 AM
To: Brockhaus, Hendrik <hendrik.brockhaus@siemens.com>
Cc: LAMPS WG <spasm@ietf.org>
Subject: [EXTERNAL] Re: [lamps] AD review of draft-ietf-lamps-cmp-algorithms-07

WARNING: This email originated outside of Entrust.
DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.

______________________________________________________________________
Hi!

> -----Original Message-----
> From: Brockhaus, Hendrik <hendrik.brockhaus@siemens.com>
> Sent: Thursday, November 4, 2021 2:04 PM
> To: Roman Danyliw <rdd@cert.org>
> Cc: LAMPS WG <spasm@ietf.org>
> Subject: AW: AD review of draft-ietf-lamps-cmp-algorithms-07
>
> Roman
>
> I aligned with Mike, John, and Hans.
> Please see our feedback on your comments regarding Section 7 and
> Section 9 below.
>
> > Von: Spasm <spasm-bounces@ietf.org> Im Auftrag von Roman Danyliw
> > Gesendet: Dienstag, 26. Oktober 2021 23:49
> >
> > Hi!
> >
> > I did an AD review of draft-ietf-lamps-cmp-algorithms-07 with my
> > comments below.  Thanks for this work to evolve CMP.
> >
> > ** Section 7.  I would have benefit from a bit more clarity on the
> > direction provided in this section.
> >
> > -- "The following criteria will help implementers choose appropriate
> > algorithms for managing certificates"
> >
> > The bulleted list seems like only part of the criteria.  As a
> > non-exhaustive list, additional considerations might be the
> > capabilities of the end-point (e.g., does the target deployment have
> > hardware acceleration for some, are some algorithms simply out of
> > reach due to available compute or expected software support); or
> > perhaps
> local policy or compliance requirements?
> >
> > -- "The cryptographic strength of the algorithm with the lowest security."
> >
> > It seems like some words are missing here.  Is the intent here to
> > guide the selection towards the algorithm that provides the minimum
> > amount of strength relative to the needed security requirements?
>
> Thank you for this feedback. We propose the following changes.
> In addition to that we think another table in the introduction of
> Section 7 listing the different algorithms sorted by its security
> level (bits of security) would help. We plan to present such a table
> during the LAMPS session for further discussion.
>
> Old:
>    The following criteria will help implementers choose appropriate
>    algorithms for managing certificates:
>
>    *  The cryptographic strength of the algorithm with the lowest
>       security.
>
>       Note: To avoid consuming too much computational resources it is
>       recommended to choose a set of algorithms offering roughly the
>       same level of security.
>
>    *  The entropy of the shared secret information or password when MAC-
>       based message protection is used, e.g., MSG_MAC_ALG.
>
>    Finally, the cryptographic strength of the system SHOULD be at least
>    as strong as the algorithms and keys used for the certificate being
>    managed.
>
> New:
> The overall cryptographic strength of a CMP deployment will depend on
> several factors, including:
>
> * Algorithm profile: The overall strength of the profile will be the strength
>    of the weakest algorithm it contains.
>
> * Message protection: The overall strength of the CMC message protection
>    - MAC-based protection: The entropy of the shared secret information or
>      password when MAC-based message protection is used, e.g.,
>      MSG_MAC_ALG.
>    - Signature-based protection: The strength of the key pair and signature
>      algorithm when signature-based protection is used, e.g.,
> MSG_SIG_ALG
>
> * Certificates managed: Finally, the cryptographic strength of the system
>    SHOULD be at least as strong as the algorithms and keys used for the
>    certificate being managed.
>
> To avoid consuming too much computational resources it is recommended
> to choose a set of algorithms offering roughly the same level of
> security. Below are provided several algorithm profiles which are
> balanced, assuming the implementor chooses MAC secrets and / or
> certificate profiles of at least equivalent strength.

Works for me.  Thanks.

> >
> > ** Section 7.1.  The text in this section seems it should explicit
> > say that it is updating RFC4210.
> >
> > OLD
> > The following table contains definitions of algorithms used within
> >
> > NEW
> > The following table updates the definitions of algorithms used
> > within
>
> I am fine with this change.

Thanks.

> >
> > ** Section 7.1.  If an algorithm is listed in the "Change from 4210"
> > column, should it be considered the equivalent of being added to the
> > "other" column (per Appendix D.2 of RFC4210?  If so, please be
> > explicit about
> that.
>
> We will delete the column "Changes from 4210" and introduced two
> columns, "Optional" and "Deprecated". "Deprecated" contains all
> algorithms define in RFC 4210 Appendix D.2 which SHOLUD NOT be used any more.

That's even a better.

> >
> > ** Section 7.1.  Table 1.
> >
> > -- What does it mean for PasswordBasedMac to be in both the
> > Mandatory and
> > Change-from-4210 column for the MSG_MAC_ALG row?  It was already the
> > MTI in RFC4210.  Same question and situation with D-H for the
> PROT_ENC_ALG row.
>
> PBMAC1 became MANDATORY and PasswordBasedMac became OPTIONAL.
>
> >
> > -- Should 3-DES be considered "other" in MSG_MAC_ALG and
> PROT_SYM_ALG?
>
> 3-DES (3-key-EDE, CBC mode) became Deprecated as you proposed below.
>
> >
> > -- Editorial.  In PROT_SYM_ALG and SYM_PENC_ALG, the "3-DES
> > (3-key-EDE), CBC Mode" should read "3-DES (3-key-EDE, CBC mode)" per
> > the
> text in RFC4210.
>
> Thanks for the clarification, we can fix this.
>
> This is the Update we propose for Section 7.1 Old
>    Change from 4210: Shows the changes in the Mandatory and Other
>    algorithms from RFC 4210 [RFC4210].  These are included for backwards
>    compatibility considerations.
>
>
> +============+===============+==================+==================
> =+
>    |Name        |Use            | Mandatory        |Change from 4210   |
>
> +============+===============+==================+==================
> =+
>    |MSG_SIG_ALG |protection of  | RSA              |DSA/SHA1           |
>    |            |PKI messages   |                  |Others: RSA/MD5,   |
>    |            |using signature|                  |ECDSA              |
>    +------------+---------------+------------------+-------------------+
>    |MSG_MAC_ALG |protection of  | PasswordBasedMac |PasswordBasedMac
> |
>    |            |PKI messages   | (RECOMMENDED:    |Others: HMAC, X9.9 |
>    |            |using MACing   | PBMAC1)          |                   |
>    +------------+---------------+------------------+-------------------+
>    |SYM_PENC_ALG|symmetric      | AES-wrap         |3-DES(3-key-EDE),  |
>    |            |encryption of  |                  |CBC Mode           |
>    |            |an end entity's|                  |Others: AES, RC5,  |
>    |            |private key    |                  |CAST-128           |
>    |            |where symmetric|                  |                   |
>    |            |key is         |                  |                   |
>    |            |distributed    |                  |                   |
>    |            |out-of-band    |                  |                   |
>    +------------+---------------+------------------+-------------------+
>    |PROT_ENC_ALG|asymmetric     | D-H              |D-H                |
>    |            |algorithm used |                  |Others: RSA, ECDH  |
>    |            |for encryption |                  |                   |
>    |            |of (symmetric  |                  |                   |
>    |            |keys for       |                  |                   |
>    |            |encryption of) |                  |                   |
>    |            |private keys   |                  |                   |
>    |            |transported in |                  |                   |
>    |            |PKIMessages    |                  |                   |
>    +------------+---------------+------------------+-------------------+
>    |PROT_SYM_ALG|symmetric      | AES-CBC          |3-DES(3-key-EDE),  |
>    |            |encryption     |                  |CBC Mode           |
>    |            |algorithm used |                  |Others: AES, RC5,  |
>    |            |for encryption |                  |CAST-128           |
>    |            |of private key |                  |                   |
>    |            |bits (a key of |                  |                   |
>    |            |this type is   |                  |                   |
>    |            |encrypted using|                  |                   |
>    |            |PROT_ENC_ALG)  |                  |                   |
>
> +------------+---------------+------------------+-------------------+
>
> New
> Optional: Algorithms which are OPTIONAL to support
>
> Deprecated: Algorithms from RFC 4210 [RFC4210] which SHOULD NOT be
> used anymore
>
> +============+===============+==========+=================+========
> =====
> ++
> |Name        |Use            |Mandatory |Optional       |Deprecated   |
> +============+===============+==========+=================+========
> =====
> ++
> |MSG_SIG_ALG |protection of  |RSA       |ECDSA, EdDSA     |combinations |
> |            |PKI messages   |          |                 |with MD5 and   |
> |            |using signature|          |                 |SHA1         |
> +------------+---------------+----------+-----------------+-------------+
> |MSG_MAC_ALG |protection of  |PBMAC1    |PasswordBasedMac,|             |
> |            |PKI messages   |          |HMAC, X9.9       |             |
> |            |using MACing   |          |                 |             |
> +------------+---------------+----------+-----------------+-------------+
> |SYM_PENC_ALG|symmetric      |AES-wrap  |                 |3-DES        |
> |            |encryption of  |          |                 |(3-key-EDE,  |
> |            |an end entity's|          |                 |CBC Mode),   |
> |            |private key    |          |                 |CAST-128, RC5|
> |            |where symmetric|          |                 |             |
> |            |key is         |          |                 |             |
> |            |distributed    |          |                 |             |
> |            |out-of-band    |          |                 |             |
> +------------+---------------+----------+-----------------+-------------+
> |PROT_ENC_ALG|asymmetric     |D-H       |ECDH, RSA        |             |
> |            |algorithm used |          |                 |             |
> |            |for encryption |          |                 |             |
> |            |of (symmetric  |          |                 |             |
> |            |keys for       |          |                 |             |
> |            |encryption of) |          |                 |             |
> |            |private keys   |          |                 |             |
> |            |transported in |          |                 |             |
> |            |PKIMessages    |          |                 |             |
> +------------+---------------+----------+-----------------+-------------+
> |PROT_SYM_ALG|symmetric      |AES-CBC   |                 |3-DES        |
> |            |encryption     |          |                 |(3-key-EDE,  |
> |            |algorithm used |          |                 |CBC Mode),   |
> |            |for encryption |          |                 |CAST-128, RC5|
> |            |of private key |          |                 |             |
> |            |bits (a key of |          |                 |             |
> |            |this type is   |          |                 |             |
> |            |encrypted using|          |                 |             |
> |            |PROT_ENC_ALG)  |          |                 |             |
> +------------+---------------+----------+-----------------+-------------+

I really like this table.  It's much clearer.

> Currently we propose a mandatory algorithm use profile with 112bit strength.
> As recommendations are going from RSA2048 to RSA3072 we discussed, if
> it is better to make a profile mandatory offering 128 bit strength.
> Currently we also mandate to use AES256 for key-wrap and encryption
> for delivering centrally generated RSA2048 keys pairs. The encryption
> is stronger than delivered key pair. Should we mandate AES128 only?

Can you be more specific on which text says profiles have 112bits of strength and the KeyWrap+RSA guidance?  Is the 112bits implicitly derived from using RSA-2048?

AES128 + RSA2048 would be more consistent based on the principle of matching relative key strength. However, if prior specs said AES256+RSA2048, I think we should be careful about weaking the requirement regardless of consistency.

> Currently HMAC and X9.9 are listed as OPTIONAL for MSG_MAC_ALG as they
> were listed in RFC 4210 D.2. We propose to remove x9.9 and keep HMAC.
> Regarding use of HMAC we would propose adding a Security Consideration
> as follows.
>
>    Symmetric key-based MAC algorithms as described in Section 6.2  MAY be
>    used as MSG_MAC_ALG.  The implementor MUST choose a suitable PRF
>    and ensure that the key  has sufficient entropy to match the overall security
>    level of the algorithm  profile. These considerations are outside the scope
>    of the profile.

I'm fine with keeping HMAC.  I don't really know much about the user community of X9.9.  It doesn't look like something we're recommend now.  When you say remove it, do you mean SHOULD NOT/Deprecate column?  We should also likely confirm that with the WG.

> @Russ and Roman, what is your opinion?
>
> >
> > ** Section 9.  Can a reference be added for the theoretical weakness
> > in PasswordBasedMac?
>
> We are not aware of any clear description of PasswordBasedMac weakness.
> Therefor we propose the following change:
>
> Old
>    When using MAC-based message protection the use of PBMAC1 is
>    preferable to that of PasswordBasedMac: first, PBMAC1 is a well-known
>    scrutinized algorithm, which is not true for PasswordBasedMac and
>    second, there exists a theoretical weakness in PasswordBasedMac,
>    where the generated MAC key can be easily distinguished from a random
>    key.
>
> New
> When using MAC-based message protection the use of PBMAC1 is
> preferable to that of PasswordBasedMac. First, PBMAC1 is a well-known
> scrutinized algorithm, which is not true for PasswordBasedMac. Second,
> the PasswordBasedMac algorithm as specified in RFC 4211 section 4.4 is
> essentially
> PBKDF1 (as defined in RFC 2898 section 5.1) with an HMAC step at the end.
> Here we update to use the PBKDF2-HMAC construct defined as PBMAC1 in
> RFC 8018. PBKDF2 is superior to PBKDF1 in an improved internal
> construct for iterated hashing, and in removing PBKDF1's limitation of
> only being able to derive keys up to the size of the underlying hash
> function. Additionally, PBKDF1 is not recommended for new applications
> as stated in Section 5 of RFC 8018 and no longer an approved algorithm
> by most standards bodies, and therefore presents difficulties to
> implementors who are submitting their CMP implementations for
> certification, hence moving to a PBKDF2-based mechanism. This change
> is in alignment with RFC 9045 which updates RFC
> 4211 to allow the use of PBMAC1 in CRMF.

This is much clearer.  Thanks.

> >
> > ** Section 9.  Editorially, the first paragraph ("RFC 4210 Appendix
> > D.2 ...) and the two paragraphs of "In Section 7 ..." and "To keep
> > the list ...", seem to be saying the same thing.  Recommend a merge.
> >
>
> Okay, maybe we just remove the paragraph "To keep the list of algorithms"
>
> > ** Section 9.
> > In such systems the weakened algorithms should
> >    be disabled from further use.
> >
> > Can this document make stronger recommendations about deprecating
> > certain algorithms such as 3-DES SHA-1 with normative language
> > rather than keeping it in the "other" category in the profiles?
>
> We updated Table 1 in Section 7.1 accordingly. Use of MD5, SHA-1,
> 3-DES, CAST-128, and RC5 is deprecated.
> Therefore we propose updating the section as follows.
>
> Old
>    It is recognized that there may be older CMP implementations in use
>    that conform to the algorithm use profile from Appendix D.2 of
>    RFC 4210 [RFC4210].  For example, the use of AES is now mandatory for
>    PROT_SYM_ALG but in RFC 4210 [RFC4210] 3-DES was mandatory.  In most
>    cases the newer mandatory algorithms were listed as "other"
>    algorithms in RFC 4210 [RFC4210].  Therefore, it is expected that
>    many CMP systems may already support the recommended algorithms in
>    this specification.  In such systems the weakened algorithms should
>    be disabled from further use.  If critical systems cannot be
>    immediately updated to conform to the recommended algorithm use
>    profile, it is recommended a plan to migrate the infrastructure to
>    conforming profiles be adopted as soon as possible.
>
> New
>    It is recognized that there may be older CMP implementations in use
>    that conform to the algorithm use profile from Appendix D.2 of
>    RFC 4210 [RFC4210].  For example, the use of AES is now mandatory for
>    PROT_SYM_ALG but in RFC 4210 [RFC4210] 3-DES was mandatory.
>    Therefore, it is expected that
>    many CMP systems may already support the recommended algorithms in
>    this specification.  In such systems the weakened algorithms should
>    be disabled from further use.  If critical systems cannot be
>    immediately updated to conform to the recommended algorithm use
>    profile, it is recommended a plan to migrate the infrastructure to
>    conforming profiles be adopted as soon as possible.

Thanks for the text.

Regards,
Roman

> Hendrik

_______________________________________________
Spasm mailing list
Spasm@ietf.org
https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/spasm__;!!FJ-Y8qCqXTj2!NwM9O539Oeipl6SKmy8vetAtfLdTV8T7NN9QpjDYy5RiXvDZT0IQ7XKRqzUi-rLAqsGMhhAHTg$
Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.

v2.23.0 | Report a Bug | By Email