[Gen-art] Gen-ART LC review of draft-kivinen-ipsecme-signature-auth-06.txt

Brian E Carpenter <brian.e.carpenter@gmail.com> Sun, 06 July 2014 20:20 UTC

Message-ID: <53B9AF84.3000405@gmail.com>
Date: Mon, 07 Jul 2014 08:20:20 +1200
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
To: draft-kivinen-ipsecme-signature-auth.all@tools.ietf.org, General Area Review Team <gen-art@ietf.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/gen-art/iw7Geq8IKKuQz--cJ8w7q-odKNc
Subject: [Gen-art] Gen-ART LC review of draft-kivinen-ipsecme-signature-auth-06.txt

I am the assigned Gen-ART reviewer for this draft. For background on
Gen-ART, please see the FAQ at
<http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.

Please resolve these comments along with any other Last Call comments
you may receive.

Document: draft-kivinen-ipsecme-signature-auth-06.txt
Reviewer: Brian Carpenter
Review Date: 2014-07-07
IETF LC End Date: 2014-07-15
IESG Telechat date:

Summary:  Almost ready
--------

Minor issues:
-------------

In the Security Considerations, it says:

   This means that the security of the authentication method is the
   security of the weakest component (signature algorithm, hash
   algorithm, or curve).  This complicates the security analysis of the
   system.  Note that this kind of mixing of security levels can be
   disallowed by policy.

As a security ignoramus, I would have liked to see some discussion of
downgrade attacks here. Also, the remark about "policy" seems incomplete.
Is it an implementation requirement that some sort of policy must be
supported? Is there a recommended default policy?

Nits:
-----

I found this sentence unnecessarily nested and hard to read:

   o  The RSA digital signature format in IKEv2 is specified to use
      RSASSA-PKCS1-v1_5 padding, but "Additional Algorithms and
      Identifiers for RSA Cryptography for use in PKIX Profile"
      ([RFC4055])) recommends the use of the newer RSASSA_PSS (See
      section 5 of [RFC4055]) instead.

Why not

   o  The RSA digital signature format in IKEv2 is specified to use
      RSASSA-PKCS1-v1_5 padding, but section 5 of "Additional Algorithms
      and Identifiers for RSA Cryptography for use in PKIX Profile"
      [RFC4055] recommends the use of the newer RSASSA_PSS instead.