IETF Logo Mail Archive

Re: [lamps] AD review of draft-ietf-lamps-cmp-algorithms-07

"Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com> Mon, 08 November 2021 11:11 UTC

Return-Path: <hendrik.brockhaus@siemens.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0118B3A0B83 for <spasm@ietfa.amsl.com>; Mon, 8 Nov 2021 03:11:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=siemens.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ODVyz4XwVSvW for <spasm@ietfa.amsl.com>; Mon, 8 Nov 2021 03:11:43 -0800 (PST)
Received: from EUR05-AM6-obe.outbound.protection.outlook.com (mail-am6eur05on20600.outbound.protection.outlook.com [IPv6:2a01:111:f400:7e1b::600]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7ACDC3A0B42 for <spasm@ietf.org>; Mon, 8 Nov 2021 03:11:43 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=GmbF7kgdyD/Ae08DNKB6tR2NZPsgH6e4HOuMgAYJPDcfA0+yG3FfFpU9MQKr4K6AohkMp2GvmASN/2Yg9kCit1qMZ9hwZfqHe9vSqMgUbQLSEboo7hDA4E4azn2BsSQgE6TJgoT+uA9dm5ncfxxDR7WhL84B2ikhPZoiyOjE3ZwMkIVeGGirnzOKWQz0wwyTK980wya+zQRb2taD99EdMHYEvteo1Z3s4Jxoi5KqAliKypFZQ9c9ow+9iySvtOvIeMpgF7QatYwQAkTkWlkSGU8p/BGBjzHGveoSID6dUgbO3X4eE2yp8Fl7hWZSNBdumDBJe1k5nhPjliXd46aDWw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=TfFGCn+UnQihJKQ2ruZ83X3oA2DYS/IDTlH0zOT33zc=; b=UgBB/zFiVRuYG78SjML/F68wKe9dmnMMjpPlkliEru4CLgqRRwpeWJH1vTxCLAVODRxgXCxZ2aYxT8kVUxMgAzEcDLbJioRMlW+rdJAdvagrfjy1Z7+BOz3UnKg/d4fZIdaRBABTVowQyrMxCttonXCUwgHMdcNLg7tw0XJJ5zNegbAkIr+CVmsi2QxoNBskby/qJvz9c6MnhN3+pISCqYFPG3wT5CwyqIcihpSf+y9MzJ+/5+1kzM6Llz9r+MYj3hOiPu1SDtmci6KjPX+NeJb/s53XDlRy33YeEQUWbC3zw66+aKNQwYznfDzrSNrdCqEjMdi2uUdKZ5lp0PEBQg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com; dkim=pass header.d=siemens.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=siemens.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=TfFGCn+UnQihJKQ2ruZ83X3oA2DYS/IDTlH0zOT33zc=; b=ujQnj1VRfKDAibEPgZeWSzAwiiIdwGth2E6I0gIe06B14lUt9BI3cvu+y9pk3BC3dv+DitBgsasldKCwq0xWDHpVx3dzXc9Lqsnyd62hQV83Cp5lzdAlwEYGgW/jyUjUFfHZqiKJ/pL9Kjwv9904uSFrX4pE8YuhuR2morTc9MTPyLu3AIl/5xNvttdFms+1FOgX7Rf0QgPIPg/3ZilzwC1QClU8YjjuqZfzxogv/GIsH85UdalnHeXA8sRio+RDDsaSy//qxQJR8z58tZdHzN0GaYhi0M/kBBZrgCm/45F1gc1gA2pZWuDkx5rzyovcUGD07mpfJ9ZvC+gAZfUxVw==
Received: from AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:208:dd::17) by AM9PR10MB4545.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:20b:26f::9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4669.13; Mon, 8 Nov 2021 11:11:34 +0000
Received: from AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM ([fe80::39c3:e100:ecf5:3596]) by AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM ([fe80::39c3:e100:ecf5:3596%7]) with mapi id 15.20.4669.016; Mon, 8 Nov 2021 11:11:34 +0000
From: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>, Roman Danyliw <rdd@cert.org>
CC: LAMPS WG <spasm@ietf.org>
Thread-Topic: AD review of draft-ietf-lamps-cmp-algorithms-07
Thread-Index: AdfKsmHop5v82zipS+Kei9oAXI0KtQF6h4rQAGbB71AADVeZ8ACI07tg
Date: Mon, 08 Nov 2021 11:11:34 +0000
Message-ID: <AM0PR10MB2418BF38FA42EBFA3A5BE9A9FE919@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM>
References: <BN1P110MB0939774B07F1FF05E5DBBC42DC849@BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM> <AM0PR10MB2418AFBC3AA679C2371A3175FE8D9@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM> <BN1P110MB09392B30E65D3D02F45ED706DC8E9@BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM> <CH0PR11MB5739D66C79B70AB79AC41F4B9F8E9@CH0PR11MB5739.namprd11.prod.outlook.com>
In-Reply-To: <CH0PR11MB5739D66C79B70AB79AC41F4B9F8E9@CH0PR11MB5739.namprd11.prod.outlook.com>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_Enabled=true; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_SetDate=2021-11-08T11:11:32Z; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_Method=Standard; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_Name=restricted-default; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_SiteId=38ae3bcd-9579-4fd4-adda-b42e1495d55a; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_ActionId=b683b9ed-ffa3-47d3-ad34-d6022fe05c47; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_ContentBits=0
document_confidentiality: Restricted
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=siemens.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 3ab1cf05-9660-4c3d-3391-08d9a2a886a1
x-ms-traffictypediagnostic: AM9PR10MB4545:
x-microsoft-antispam-prvs: <AM9PR10MB454520008E4CAAB0AA06D17EFE919@AM9PR10MB4545.EURPRD10.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: a0SX9QRsinDhl3IJIodsZ0VblFsj89LjlcIIBc7MP057FOXvCObCCurqlMAkZdc29idzGN+C66z7bCazEizihDXiVSfrcl0ke3ibYS7O/Die3jgYtJm6TOq4UTsQNxuEWy2GXdB91iJx1dmJW/4NxfEGpHjrn/Z307MrToJSm50RdRf3RjJtb3P634+fxLHdMZULdsDOkAgx934BIH6AaS8EeQm9JUXAks9Uhgeb6ykyYvLz1kCh+e34pK8aOKOh1cV0FFThhaqQXQIsnUXNh33yPciipOw7/XtewXsN/p7lIyVZZMpnDaIKUHAiX7q1cXFifLIRRWkLLF1jkuDp4+QzXl+YX/I4sFaPzfGXpXZD+GRf5clqCmj5dxRgFqWRCY+MBrmjQgMRo1yVtGpMh0Gko/zZzx4pbMPU2SxAW0k0z9d7aBFFAbM/SpHGxu74zOyjDyOGwZTF75ADZhpBFwZ0QhOvVhkRW76JG/0GPdS2vG0AhLYRlEwg9ZGvXWYEwHZ2d1INnlownhesUQ2WsvbYbs3wbG6iWP8L0yUfuJA0//tq2H6SExs8mTLweWQjzPiXJ52lZb1N8Lcfm1wrdjhXo4ec0EO+4WlwhVwZ0HE227wKYr4kHMApIMoQqcZK7IQF09E2kHgrGD48FaNN2LrHxVH13IEkjySYOLNNGwqtojKedNItqhJmmthA4mUf58+xRhNIceZD52u6dmLgEA==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(4636009)(366004)(6506007)(508600001)(26005)(110136005)(7696005)(71200400001)(5660300002)(86362001)(9686003)(52536014)(38100700002)(8676002)(8936002)(82960400001)(66946007)(4326008)(186003)(122000001)(83380400001)(316002)(38070700005)(76116006)(2906002)(55016002)(66476007)(66446008)(66556008)(64756008)(33656002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: zW+6hJnsgBGyESA/wkeLhW63zH2Y5UDcfXWDOu3fjxPBxBqSd3KKU/AGJZVdCvydwpNhJufmm0pCcoRCSFk2qtg+lUXGuoQ+crLZCzm7fMr7H9eaktxvwnYL/8E3J1HqtkBlbTDltObzZj26mPKhONRaMj5nPGN5LWhg5wNjbZ6QMKhY6v1QLG+S/SSipMnoFY0vUvoM6DbG2iwVkvm6s45BA9lixIc6Ui7Z2CYc5CaJOeJtw8ZTJOqXGkc7bzZIUFs0t8QwL61V50sTkKVcDZz0m+kjRvj+d8sfAxE82au9DmaK8CdydPERDzGnf9b985icrB2l0LuI7fYUCqwChHb03AxC/7IWvvt9ac80jRLgEeRhJdvKh0FsbMO+7ShghiJ0lH5ZxgEl5DLocrCtYgz1+EvCmvI4SEjPZ8N9Xe79BGy5tsTSByAFigIovZQWChuK3p88gr9o+2ZYCrD5YZv96+EhnlJAAGCFn6RVnt3Zo7kXFwku923PvNvTAHJdImfLmc/GC1DHOe5KRhFQPGFntGk3lG3MyRdwAfZ4qEqeuTOy7bqCeUKVy12H2I7WFGCBWzEXP9Gm245/h7gm+JmgFPuYyayDgZRki01z2IcF4l1387rkOGVblyFU/OnMbZvER3arVeOcVzQ1DOxDjHUlJO/f4yb5dG/AguhoIcHIQX0muPyd7/+fBOrF0NfdpVNyp7VlLoiOhpKNeZwLr6auBPT3yCiWDw7tDQdoN6tmRa+8o2F0NdZhWE+CUoSF9uplv9SzOVeMtLTprPzZfzknloj/Co8qF+JM27KsjP/YNAf4CNgBfJeZwk7rxBxMeZlTR+qLExB9QpgTfs/mCTd4V0UHaorUZQwGgr2pJpbDh8+lcbZryRryeCmQFjk86rJNO7zMmmbpOKRS4uyBxw8ltBKNf/CEUlrYGrohTZILoYUZuPnD4ai6yFX4GlxeXMqVi6PSNmfcDEwx+3XhKsD5MFC7lm3SYkMZbw7hN8VpupdDI50k2iWq4z1jASc9Sw6EoNyxC/jDCrT7RAfue+Xd6OErY6UnJ3+ENotkpctKDWHBwwWt21nPnCvitfIk4Jrjd2ZOONfh5CpCO3jFGIFEySLsT3x1i2mJO/tbVXdot+zX2JYA5I8mj4mI7DZQJjoNiDxxz3OnggbI0C6pLaXWnbw8KE68l2YOCd6W9xZSCXiGBHF+ehE2+g99E4bBwH4Kb8Rvqfqz62Ta+hM9gRvd4Bshx2E1HV9LUgtw4s/2Yd0wNpOLgdKiqDtuhuV7dfecxY6rgR5hIKVlVtkb12p/ikV60XY5fin835naAhzkjNCxi+v3g9uc9wyUZ0a6CuG9GxugEOCm/r3HmxDPsQoFKP6XnfH0s3YD4M0VHJGo3WQphdQ+o84qrlnrokSnjvFTNasIAEKy6mVdRiMUIqmvctH7W4ZQeb+AUCFe39KD+QOObJZWzGu14YJMmQV7fe3inH0X5qmBhq5JHXux5n5KCbY0AM5kXS/LeK43y/hGO1jXoPjtCxa0OnbgQP+BthpmkdhKg1VctLT//DVXMshH2OG2wPltL/tztgDRqxU1OzLepr+cbelMpYUHL4Q6TsuZccSFyA/ndbqa2+hVFmXlHoVG2U2VHIqP11LgdjQMRGoalQ9VsfLlv5I0h16ElpNVJQ289sU8ZH4TnbAzXg==
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: siemens.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 3ab1cf05-9660-4c3d-3391-08d9a2a886a1
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Nov 2021 11:11:34.5823 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 50dwSomp6cQGntnPRLu7BahM6GjbfUGfHrseRlaP4DO+J4JnTidI8/28T11cQRDRVUp2TsvRRoo1yQTrw6oEKGTIkaCLGEViYymkrx78zuQ=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM9PR10MB4545
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/osOssjofX2yKJkN-oOzX9fgSUGI>
Subject: Re: [lamps] AD review of draft-ietf-lamps-cmp-algorithms-07
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Nov 2021 11:11:49 -0000

Roman, Mike

> Von: Mike Ounsworth <Mike.Ounsworth@entrust.com>
> Gesendet: Freitag, 5. November 2021 19:00
> 
> Hi Roman!
> 
> > AES128 + RSA2048 would be more consistent based on the principle of
> matching relative key strength. However, if prior specs said AES256+RSA2048, I
> think we should be careful about weaking the requirement regardless of
> consistency.

As the algorithm use profile from RFC 4210 Appendix D.2 was not maintained for a long time, AES was just mentioned as a further alternative. The mandatory algorithm back then was 3-DES.
I am not aware of any document stating AES256 for transporting private keys. As it is a critical operation, one could recommend to use the maximum strength available, but we should mandate only strength comparable to the key transported. > 

> A couple thoughts here:
> 
> 1. I don't think we have any language stating that these profiles are
> requirements. The language (from Hendrik's slides for Monday) is the column
> header " Recommended for managing keys up to". It's a nit-pick, I know.

My understanding would be that at least the strength of the key to be managed should be used. Higher strength should also be allowed.

> 
> 2. An implementation doing AES256+RSA2048 exceeds the profile that
> recommends AES128+RSA2048. That's fine, unless there's an on-the-wire
> interop concern here? For example if an existing CMP client handling RSA2048
> keys only has an AES256 implementation and would barf if the server suddenly
> started using AES128? I assume that sort of thing would be caught in product
> testing.
> 
> Or is your concern more to do with optics / security proofs / FIPS and CMVP
> style certifications if we lower the required AES strength of a profile?

Hendrik

v2.23.0 | Report a Bug | By Email