IETF Logo Mail Archive

[lamps] AD Review of draft-ietf-lamps-cms-kemri-07

Roman Danyliw <rdd@cert.org> Mon, 05 February 2024 20:36 UTC

Return-Path: <rdd@cert.org>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A0001C14CE51 for <spasm@ietfa.amsl.com>; Mon, 5 Feb 2024 12:36:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ktm8EcGgBMqz for <spasm@ietfa.amsl.com>; Mon, 5 Feb 2024 12:36:37 -0800 (PST)
Received: from USG02-BN3-obe.outbound.protection.office365.us (mail-bn3usg02on0066.outbound.protection.office365.us [23.103.208.66]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 51157C14F6E3 for <spasm@ietf.org>; Mon, 5 Feb 2024 12:36:36 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=WuAXocYyUvyfKtqGR0dBlL9Gp4CT7ftky3qYUnCN7GwOseHwkHE1T2PZ3WFSQ6CXjvhwCv9W91eWq3u1yL/cKGdUMgIPJtD4rCWWAMG/chS7+C13DLveWYklgRH/FHK286d1WlpYuCLxjJ3/d+DON0eJrEOnm3DEkmTtIe6mzI7m/wGenG+ADkacF+HnO3Ejt6PICo/EassQaYpwVnRsemJ8RwVGO+dMgAB6fVBlBwseD5HPiTi2mm0PUYaqxrEmJcpxYQ0zC416AE21yWXTgz0ig8vtflZwhR2l1AoYY6Q7fqQAoddSUTn0p5vowVcG8+yxgnKSjrhXnEh6edOnnQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=43xMMm5+2C/F91PAJJwd0DDKNouweTMKGtLi4m09uWc=; b=Z43f8nPNPr2FnfrEgVWc6ZS679HzHQOA+mJDSrpWcqi+en9J7qI/VsHxMeXpFxdW0rwIqltoZF4J1bJuAhnX8ZnS8xQH2v1Xa6u4WunR6B4gzJO8BTBbMLl6o7ob91ROY8frY2djo9tySLsf8jSN78H/PeAzuLQgYxDniaJBj16sFGO1H52JUbPPoClpXQz8TgNisrnrHmOoSz1SKZt1faLSXXZqiOsje2yQqbGnC4Xj/ZCPB1fLEBB0NnDQX2bwPQGXA9Lgt8XDpwBaEh+xImmV/prlcE/GMDGabpSUhspFncALaxMf3724+QztvawC0YC9+AIFyTtCB+Iu5IHU4g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=43xMMm5+2C/F91PAJJwd0DDKNouweTMKGtLi4m09uWc=; b=Ze30jGwmXftEGBbFsVafe8uc7utBREQSPRKZ1utN6LwWuc2e909RMglbn3xMgS2qgObJoy+MhgsVorFJrgAvfqWYekyW3sEdB5ATmP9DC0MB/N8InAbUGR5iEXoeWzWj7AnpTOf0b3iod0dMdq+11LYhEKwQriAsgKgJhw59qaI=
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:168::11) by BN2P110MB1608.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:17e::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7249.33; Mon, 5 Feb 2024 20:36:33 +0000
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::364:96fe:e2d6:b29f]) by BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::364:96fe:e2d6:b29f%4]) with mapi id 15.20.7249.032; Mon, 5 Feb 2024 20:36:33 +0000
From: Roman Danyliw <rdd@cert.org>
To: "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: AD Review of draft-ietf-lamps-cms-kemri-07
Thread-Index: AdpYYE7zFocAApMORNmBPmHMh5CQkQ==
Date: Mon, 05 Feb 2024 20:36:33 +0000
Message-ID: <BN2P110MB11075090AAB266C26B0B663FDC47A@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cert.org;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BN2P110MB1107:EE_|BN2P110MB1608:EE_
x-ms-office365-filtering-correlation-id: 28c764f3-9bcb-4b39-f228-08dc268a241b
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 8wCYlWZbGg1L4ScoT4Nk6WzacGbCwIHhGl1rEgkhAqPCGd/848x0763cjYJzJTB0Z1taMRRJT2zVGoli39hjhOoNDDbNqkfcMOe2hTcfTwnlwA6b2LtfasG/aHQoCKoOJ62ibMsPp/dp+WZpNetftW34tW2fetip1hZIe+V0W83dvYMfrhnzN5nRnjkGQKH07qVf4Z3PrvSygVxEruqai1n7m6C3UQK5wrew/1XJ9v03YCVh28ga2SlhXGhvb8++jlwQkN/yUPTNeqGsfnB6yNxdOqwbc3hdX4wK6cvRLa3yiiIMsseNFcBeuja1BhT/24UY8Wg2ax00x9tcPWEYoVZ9r9WTqWJkc7e94QlODhM62i+K+fi2pG+F39o3B5uIROkMRccrJCgA41hy0k5ifrkSG2Is3QV1HU4JJdFLEkryUkr5sGQw7H6FlK9yXnSGk3onxB4euCkHkU29eo5IgUGH9zBhUW/N5YgcV0AYNX0OrjkDSelGVS3fhNi3BME+QyXJFo09g5ai2LCbd7wYW41VIA99OyDbEQRMl7Bj8Jv8H7jRdxqibmNTHKGXoRkvY36CXH1z6GlEQJjy8kOJmBMdminfCn2mFiqjfmxbfbM=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230031)(396003)(39830400003)(366004)(136003)(230922051799003)(230473577357003)(64100799003)(186009)(1800799012)(451199024)(55016003)(33656002)(41320700001)(38070700009)(508600001)(9686003)(41300700001)(86362001)(2906002)(66574015)(82960400001)(83380400001)(26005)(66556008)(66946007)(66446008)(8936002)(66476007)(7696005)(122000001)(6506007)(71200400001)(52536014)(64756008)(8676002)(5660300002)(38100700002)(76116006)(6916009); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 4t5Vo4QOvCx5VOJLV818Fo8PVTK4Bd1sm7O+9KOeklPZp2nRX2auyzNXxiCsrEQxeZBn/d+KAsgzk68S5m+W4DwIyqxfYEHQPusNgYp1lH2UhfY77EFk4pe18yND01mevcflJVqcbPmrgwIeDTbVMtud2TtD9dX31NylqoO8TVqcnwsVvqXaxp/K7zYoW9UjR+DDXo75xvR3xecUmYbPgJDontkRMKcb3bFtxSGVRX/E1GyU00LA+Ra2hJrrqODl7jmIxI/hWP83YCXR2TeYLo1vt6Y+D4UbOYa2LilMYHfnzP7Ju5n6wfA3MNDi4570lSdbdlWDAfU/3/DAskS/UwTXL3gb41Eo6+hyLekCp70cjsAKsULTJAvZ9EKV2PN3deGD+ImYlc4FIutV4zfsh4SB3BydMvbf53DxuQy93Ka6Z3uJA4fQaTd8p52OIXlCVh199oJFyWQ1PGCHxma7myx+2lj9b9T1WSbXcAv9qwQWZDyS4Me3Lzvq5mXM2Ur8jX8lBsjTy2uqwIoEtFryrUKS88Z+pAtKamgtsspXIdnxMQ8IT8nIb0o3h0falcBmXA4VHNxzzruYj6NKziRWmalQ6JqfTPbzkkNTMGTQbIWRLvWN5IElPwTycaVLSs8JtlufOu3dHIO6n/EhXPUpEwPwQhuGJDAbjutsKcfhFyV9FxOIxrJHl3fdf2LpUBwcIOifEb//2pREsZjEW1sVWoSTkoHt/yHSJPfn1AUnf/vLgKP7ujYZgln0KOP7dAXEJxOZAJDvfCNK8S4ggsRXrcscoauhXlG8SCsuJ+gc/HMeeCXCpBdbfIT3B14Nv/SW0i4w51cP92+OLMBXjRQutNWIzVKk+5vO0+eowo/0M4gmhPFUI2dR8sopmemOIPInzPSwwX9fMh7MxURIs9oadCIAtBy23UXYi1CggTr56KOhvpiJ6x15uJQbDd4MHgazKqhBcfL5VH0vGkJUVp+5X6A9H+qzhDK3qYv/wyXXitg2szRGSXQuj1y0Ikm2UM9qhu9uK9Veh6lI1PGkS6lKlO2lRmb4qTZgOtbwqULqXn6XaZrWykIP1JIe/iOpbPTBc3evc0jMulnfCMTYDAEyftqJDYi69N6MMkABn9zahTmtRROVoj3D3cQGbBUvPRh6vts/8kLovv38KfAJ9WEhLpzu036I2+HA/Nm978d+jLvqYcGEszVUA1hbLB7bJy1+KkvBbnU5EDtdrTLXPMvP8XS6fsOz5RUFVuCpgs+XbSJcNsLT2Ixbvz1iru6p6cFEWVF7vRY4BBJFSZNF2ADsqaFkFpyHk24rlIenF1yl8mSJB1MM5YLdzAiwEiCE57eYFyO/z5zPsmFWFBjsxkFmJitBtZ4EQedT/vxlfMage+pyPXD1uh89L2g6IQsw0qAspKmw+67iHY4TMyiNs0xbc/lwBHLfhqzHVyK5409pMprZ6mLnTpIkxFiNPmhEcTVUqI8QEB6QRjTi9ghfUoLohApk/JJraJAU43yZF0RrDfg=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 28c764f3-9bcb-4b39-f228-08dc268a241b
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Feb 2024 20:36:33.2888 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN2P110MB1608
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/qV5eVYKb0RGKxIt_jj3aMR8eACY>
Subject: [lamps] AD Review of draft-ietf-lamps-cms-kemri-07
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: This is the mail list for the LAMPS Working Group <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Feb 2024 20:36:41 -0000

Hi!

Last October, I performed an AD review on -05 (https://mailarchive.ietf.org/arch/msg/spasm/DrkREuxsrIRWHRR4qj6yWxVufIQ/).  After IETF LC, new analysis of this document was reported (https://mailarchive.ietf.org/arch/msg/spasm/TTtMQlcpGRq_bThfJl-HnqqGLGI/) requiring WG deliberations.  After IETF 118, this document was sent back to the WG.  This document has gone through another WGLC and is back to the IESG with "publication requested."

Thank you to Falko Strenzke and Johannes Roth for reporting this attach against CMS and the WG's timely response.  This is a second AD review on -07.  Feedback is below.

** Section 1

   In this environment, security depends on three things.  First, the
   KEM algorithm must be secure against adaptive chosen ciphertext
   attacks.  Second, the key-encryption algorithm must provide
   confidentiality and integrity protection.  Third, the choices of the
   KDF and the key-encryption algorithm need to provide the same level
   of security as the KEM algorithm.

Should normative MUST be used to describe these three crucial properties of the environment?

** Section 3.  Process question.
     Note that this requirement expands the original purpose of the ukm
     described in Section 10.2.6 of [RFC5652]; it is not limited to
     being used with key agreement algorithms.

> > (per -05) Does this imply that this RFC should formally “update” RFC5652?

> Yes, I'll add that to the title page.

[Roman on -07] Thanks for adding this to the meta.  Can a sentence be added to the abstract to explicitly say that RFC5652 is being updated?

** Section 6.1.  

> > (per -05) Since SMIME-CAPS is being used in the formal definition of the KEY-ALGORITHM class, 
> > RFC 5912 needs to be a normative reference.  RFC5912 is informational, but it already in the DOWNREF registry.

> I think you mean KEM-ALGORITHM.

> RFC 5911 and RFC 5912 are both in the DOWNREF registry, so I do not think any further action is needed here.

[Roman -07] My mistake, yes, KEM-ALGORITHM.  I was mixing two issues: commenting that something is in the DOWNREF registry and whether a reference should be informative.  From the ASN.1:

==[ snip ]==
     KEMAlgorithmInformation-2023
       { iso(1) identified-organization(3) dod(6) internet(1)
         security(5) mechanisms(5) pkix(7) id-mod(0)
             id-mod-kemAlgorithmInformation-2023(TBD3) }
     DEFINITIONS EXPLICIT TAGS ::=
     BEGIN
     -- EXPORTS ALL;
     IMPORTS
       ParamOptions, PUBLIC-KEY, SMIME-CAPS
==[ snip ]==

SMIME-CAPS and PUBLIC-KEY is being imported.  Those data structures are defined in RFC5912 which is currently informative.  Shouldn't RFC5912 be a normative reference?

Regards,
Roman

v2.23.0 | Report a Bug | By Email