IETF Logo Mail Archive

Re: [lamps] AD Review of draft-ietf-lamps-cms-kemri-07

Russ Housley <housley@vigilsec.com> Tue, 06 February 2024 22:22 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 061ADC14F6E4 for <spasm@ietfa.amsl.com>; Tue, 6 Feb 2024 14:22:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qzJjRt-lx5u2 for <spasm@ietfa.amsl.com>; Tue, 6 Feb 2024 14:22:30 -0800 (PST)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2B687C14F6EF for <spasm@ietf.org>; Tue, 6 Feb 2024 14:22:30 -0800 (PST)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id 8A7E2C1CFF; Tue, 6 Feb 2024 17:22:29 -0500 (EST)
Received: from smtpclient.apple (unknown [96.241.2.243]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id 7C385C2419; Tue, 6 Feb 2024 17:22:29 -0500 (EST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <BN2P110MB1107350F4F02C107DF6BB45FDC46A@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
Date: Tue, 06 Feb 2024 17:22:19 -0500
Cc: "spasm@ietf.org" <spasm@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <443A9465-EAEE-42FB-9C87-7F97B622BFEC@vigilsec.com>
References: <BN2P110MB11075090AAB266C26B0B663FDC47A@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM> <AD61BB66-30AC-485D-AF50-8BB7B67CE1AF@vigilsec.com> <BN2P110MB1107350F4F02C107DF6BB45FDC46A@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
To: "Roman D. Danyliw" <rdd@cert.org>
X-Mailer: Apple Mail (2.3731.700.6)
X-Scanned-By: mailmunge 3.11 on 66.39.134.11
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/QC-GzBwT6YomtYA7CJZURTeweTM>
Subject: Re: [lamps] AD Review of draft-ietf-lamps-cms-kemri-07
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: This is the mail list for the LAMPS Working Group <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Feb 2024 22:22:34 -0000


> On Feb 6, 2024, at 4:08 PM, Roman Danyliw <rdd@cert.org> wrote:
> 
> Hi!
> 
>> -----Original Message-----
>> From: Russ Housley <housley@vigilsec.com>
>> Sent: Monday, February 5, 2024 4:06 PM
>> To: Roman Danyliw <rdd@cert.org>
>> Cc: spasm@ietf.org
>> Subject: Re: [lamps] AD Review of draft-ietf-lamps-cms-kemri-07
>> 
>> Warning: External Sender - do not click links or open attachments unless you
>> recognize the sender and know the content is safe.
>> 
>> 
>> Roman:
>> 
>>> Last October, I performed an AD review on -05
>> (https://mailarchive.ietf.org/arch/msg/spasm/DrkREuxsrIRWHRR4qj6yWxVufIQ
>> /).  After IETF LC, new analysis of this document was reported
>> (https://mailarchive.ietf.org/arch/msg/spasm/TTtMQlcpGRq_bThfJl-
>> HnqqGLGI/) requiring WG deliberations.  After IETF 118, this document was
>> sent back to the WG.  This document has gone through another WGLC and is
>> back to the IESG with "publication requested."
>>> 
>>> Thank you to Falko Strenzke and Johannes Roth for reporting this attach
>> against CMS and the WG's timely response.  This is a second AD review on -07.
>> Feedback is below.
>>> 
>>> ** Section 1
>>> 
>>>  In this environment, security depends on three things.  First, the
>>>  KEM algorithm must be secure against adaptive chosen ciphertext
>>>  attacks.  Second, the key-encryption algorithm must provide
>>>  confidentiality and integrity protection.  Third, the choices of the
>>>  KDF and the key-encryption algorithm need to provide the same level
>>>  of security as the KEM algorithm.
>>> 
>>> Should normative MUST be used to describe these three crucial properties of
>> the environment?
>> 
>> I think this is saying where KEMRecipientInfo is appropriate to apply. Mostly,
>> people that write RFCs that specify the conventions for a particular KEM will
>> need to make sure they understand these requirements.  For example,
>> rfc5990bis.  Likewise, the authors of the document that is written for ML-KEM
>> will need to consider these too.
> 
> I think we agree.  My synthesize is that the above is roughly an applicability statement for KEMRecipientInfo -- that is, normative constraints on how/where the solution can be applied.  For that reason, I was wondering if this met the bar the RFC2119 language.

There are MUST and SHOULD statements in the Security Considerations around these points.  I worry that elevating the sentences in the Introduction will cause a conflict with the careful choices that were made in the Security Considerations.

A MUST example: To be appropriate for use with this specification, the KEM algorithm MUST explicitly be designed to be secure when the public key is used many times.

A SHOULD example: The KDF SHOULD offer at least the security level of the KEM.

These topics overlap with that Introductory material.

Russ

v2.23.0 | Report a Bug | By Email