Skip to main content

IETF conflict review for draft-irtf-cfrg-randomness-improvements
conflict-review-irtf-cfrg-randomness-improvements-00

Document history

Date Rev. By Action
2020-08-17
00 Amy Vezza
The following approval message was sent
From: The IESG
To: irtf-chair@irtf.org,
    Internet Research Steering Group ,
    draft-irtf-cfrg-randomness-improvements@ietf.org,
    …
The following approval message was sent
From: The IESG
To: irtf-chair@irtf.org,
    Internet Research Steering Group ,
    draft-irtf-cfrg-randomness-improvements@ietf.org,
    Colin Perkins ,
    Alexey Melnikov ,
    cfrg-chairs@ietf.org
Cc: iana@iana.org,
    IETF-Announce ,
    The IESG
Subject: Results of IETF-conflict review for draft-irtf-cfrg-randomness-improvements-13

The IESG has completed a review of draft-irtf-cfrg-randomness-improvements-13
consistent with RFC5742.

The IESG has no problem with the publication of 'Randomness Improvements for
Security Protocols'  as an
Informational RFC.

The IESG has concluded that this work is related to IETF work done in the TLS
WG, but this relationship does not prevent publishing.

The IESG would also like the IRTF to review the comments in the datatracker
related to this document and determine whether or not they merit
incorporation into the document. Comments may exist in both the ballot and
the history log.

The IESG review is documented at:
https://datatracker.ietf.org/doc/conflict-review-irtf-cfrg-randomness-improvements/

A URL of the reviewed Internet Draft is:
https://datatracker.ietf.org/doc/draft-irtf-cfrg-randomness-improvements/

The process for such documents is described in RFC 5743

Thank you,

The IESG Secretary



2020-08-17
00 Amy Vezza IESG has approved the conflict review response
2020-08-17
00 Amy Vezza Closed "Approve" ballot
2020-08-17
00 Amy Vezza Conflict Review State changed to Approved No Problem - announcement sent from Approved No Problem - announcement to be sent
2020-08-13
00 Cindy Morgan Conflict Review State changed to Approved No Problem - announcement to be sent from IESG Evaluation
2020-08-12
00 Barry Leiba [Ballot Position Update] New position, No Objection, has been recorded for Barry Leiba
2020-08-12
00 Alissa Cooper [Ballot Position Update] New position, No Objection, has been recorded for Alissa Cooper
2020-08-12
00 Martin Vigoureux [Ballot Position Update] New position, No Objection, has been recorded for Martin Vigoureux
2020-08-12
00 Deborah Brungard [Ballot Position Update] New position, No Objection, has been recorded for Deborah Brungard
2020-08-12
00 Robert Wilton [Ballot Position Update] New position, No Objection, has been recorded for Robert Wilton
2020-08-11
00 Benjamin Kaduk
[Ballot comment]
Section 1

  of the same length.  CSPRNGs are critical building blocks for TLS and
  related transport security protocols.  TLS in particular …
[Ballot comment]
Section 1

  of the same length.  CSPRNGs are critical building blocks for TLS and
  related transport security protocols.  TLS in particular uses CSPRNGs
  to generate several values: session IDs, ephemeral key shares, and
  ClientHello and ServerHello random values.  [...]

Session IDs seem to be a (legacy) TLS 1.2 construct at this point,
right?  But neither RFC 5246 nor 5077 specifically says the ID has to be
or involve a CSPRNG output, which makes me wonder if I'm misinterpreting
this statement.

  3.  If the CSPRNG is broken or controlled by Adv, the output of the
      proposed construction remains indistinguishable from random
      provided the private key remains unknown to Adv.

When I first read this, I wondered about an attacker that controlled the
CSPRNG and also had access to an oracle that could perform signatures
using the private key (but not the private key itself).  It seems
(intuitively, thus not reliably) that keeping the tag1 value
confidential would stymie such an attacker, though if the tag1 is just
device-specific information and the attacker has access to the HSM then
keeping tag1 confidential may not be possible.  On the other hand, the
draft discusses a scenario with a single HSM shared across multiple
machines, so perhaps just having access to the HSM is not as strong of
an ability as intuition suggests.  On the gripping hand, if tag1 was
confidential and that was enough protection, then even an attacker that
knew the private key (but not tag1) would still not be able to break the
construction ... so I conclude that I'm still confused about this case.
2020-08-11
00 Benjamin Kaduk [Ballot Position Update] New position, Yes, has been recorded for Benjamin Kaduk
2020-08-11
00 Alvaro Retana [Ballot Position Update] New position, No Objection, has been recorded for Alvaro Retana
2020-08-11
00 Martin Duke [Ballot Position Update] New position, No Objection, has been recorded for Martin Duke
2020-08-10
00 Murray Kucherawy [Ballot Position Update] New position, No Objection, has been recorded for Murray Kucherawy
2020-08-09
00 Erik Kline [Ballot Position Update] New position, No Objection, has been recorded for Erik Kline
2020-08-07
00 Roman Danyliw [Ballot Position Update] New position, Yes, has been recorded for Roman Danyliw
2020-08-07
00 Cindy Morgan Placed on agenda for telechat - 2020-08-13
2020-08-07
00 Cindy Morgan Created "Approve" ballot
2020-08-07
00 Cindy Morgan Conflict Review State changed to IESG Evaluation from AD Review
2020-08-07
00 Roman Danyliw New version available: conflict-review-irtf-cfrg-randomness-improvements-00.txt
2020-07-14
00 Alissa Cooper Shepherding AD changed to Roman Danyliw
2020-07-14
00 Alissa Cooper Conflict Review State changed to AD Review from Needs Shepherd
2020-07-14
00 Alissa Cooper Removed from agenda for telechat
2020-07-13
00 Cindy Morgan Placed on agenda for telechat - 2020-07-16
2020-07-13
00 Colin Perkins IETF conflict review requested