Identity-Based Signatures for Mobile Ad Hoc Network (MANET) Routing Protocols
draft-ietf-manet-ibs-05

The DISCUSS has been cleared.  Both Stephen and I sent a message to the iesg@ietf about this document to see if others had an opinion, but received no reply.  I'm approving the publication.

[Ballot comment]

Thanks for adding the text about public analysis being needed as part
of the experiment. I've cleared my DISCUSS on that basis.

I do think the text you've used in -05 could be improved still though,
you say that "it is intended" to promote this to the standards track,
but, while that is of course a good intention for the authors, I do not
think that the IETF can be said to have that intention - whether or
not that'll happen will depend on the experiment surely and the IETF
is not making promises about that. So I'd prefer if you had said "it
may be appropriate" instead, as suggested below. But I'm fine with
letting whoever is the sponsoring AD handle that as it'd not be
reasonable to block an experimental RFC on just that basis.

I'm also moving to an ABSTAIN on this, as I'm not convinced that
IBE is at all valuable here, given it's IMO fatal flaws in terms of
inherent key escrow. That is also not a DISCUSS as a) that's my
personal opinion and we don't have an IETF consensus against
IBE for that reason, and b) this is experimental so even if we did
have such a consensus, I'd bet it'd be limited to standards track
specifications. If you do intend for this to end up on the standards
track, then I'd suggest you also try to establish some IETF
consensus for when it is appropriate (if ever) for an IETF
standards-track specification to incorporate inherent key escrow.
(But, I would imagine establishing such a consensus would be
hard, if it's even possible.)

--- OLD DISCUSS BELOW

My main discuss point on -02 of this was:

(1) I am concerned that RFC6507 may not be ready for use in
standards-track RFCs. So far it has not been and I have found
no peer reviewed security or cryptographic analysis that
indicates that it is has been studied to see if it is good
enough for that. I've also not seen any MANET list discussion
of that aspect (and indeed the MANET list discussion I did
see seems to involve very few people).  I asked on the CFRG
list about RFC6507 and it seems [1] to be the case that
no-one has so far really evaluated its security, other than
folks associated with the author's institution. (Which
applies to both 6507 and this I think.) I also didn't find
any references to 6507 in Google scholar.  Lastly, I think we
should be, and be seen to be, more careful than usual with
this draft - given the situation with DUAL-EC-DRBG, and that
this is a new signature scheme that allows the KMS to fake
anyone's signature and the author involved.  Note that that
last is not any imputation of misbehaviour, but the IETF
would not be  doing due-dilligence if we didn't explicitly
consider that aspect.

  [1] https://www.ietf.org/mail-archive/web/cfrg/current/msg05540.html

The authors have added section 6.1 and changed the intended
status to experimental which does almost entirely resolve the
above. I have one issue with the text of 6.1 though that I think
needs fixing before we can proceed. I'll state that in the form of
an OLD/NEW suggestion in case that just works:

OLD:
  This specification is thus published as experimental, in order to
  encourage its use and reports of its use.  Once experiments have been
  carried out and reported, it is intended to advance this
  specification, with any changes identified by such experimentation,
  to standards track.

NEW:
  This specification is thus published as experimental, in order to
  encourage its use and reports on its use.  Once experiments have been
  carried out and reported, and when some public analysis of the underlying
          cryptographic algorithms is available, it may be appropriate  to advance this
  specification, with any changes identified by such experimentation and
          analysis, to standards track.

My reasoning is as follows: the main problem (I see) with this being on
the standards track is the total lack of public analysis of the signature
algorithm. That is not fixed via usage or reports of usage.

-- OLD COMMENTS BELOW

The text below were additional discuss points.

While I'm ok with these not being specified in an experimental
RFC, I think the absence of those bits of specification means
that this is clearly not a complete spec that'd allow interop.
(So that would need to be fixed before trying to get this back on
the standards track.) The text does now at least ack that the
revocation trick or some equivalent is needed, but fails to
specify a concrete way of doing that. And while the authors don't
agree with me that private key provisioning needs to be
specified in an interoperable manner, I think that if one
was to produce any IBC standard that has to be a part of
the work, otherwise nodes are limited to working with a
KMS in a proprietary fashion, which is a kind of vendor
lockin.

The old discuss points are below. I think this would be
better if these issues were also called out in section
6.1 but I'll not block on that basis. Perhaps the responsible
AD might think about whether that really needs to be
mentioned or not.

(2) How does a router get its private key? Why is it ok to
not specify that? Seems like an interop fail if that is not
done.

(4) 4.1: The usual revocation trick of including a time value
in the name is referred to at the end of this section but
without sufficient detail to allow interop. Why is that ok?

[Ballot discuss]

My main discuss point on -02 of this was:

(1) I am concerned that RFC6507 may not be ready for use in
standards-track RFCs. So far it has not been and I have found
no peer reviewed security or cryptographic analysis that
indicates that it is has been studied to see if it is good
enough for that. I've also not seen any MANET list discussion
of that aspect (and indeed the MANET list discussion I did
see seems to involve very few people).  I asked on the CFRG
list about RFC6507 and it seems [1] to be the case that
no-one has so far really evaluated its security, other than
folks associated with the author's institution. (Which
applies to both 6507 and this I think.) I also didn't find
any references to 6507 in Google scholar.  Lastly, I think we
should be, and be seen to be, more careful than usual with
this draft - given the situation with DUAL-EC-DRBG, and that
this is a new signature scheme that allows the KMS to fake
anyone's signature and the author involved.  Note that that
last is not any imputation of misbehaviour, but the IETF
would not be  doing due-dilligence if we didn't explicitly
consider that aspect.

  [1] https://www.ietf.org/mail-archive/web/cfrg/current/msg05540.html

The authors have added section 6.1 and changed the intended
status to experimental which does almost entirely resolve the
above. I have one issue with the text of 6.1 though that I think
needs fixing before we can proceed. I'll state that in the form of
an OLD/NEW suggestion in case that just works:

OLD:
  This specification is thus published as experimental, in order to
  encourage its use and reports of its use.  Once experiments have been
  carried out and reported, it is intended to advance this
  specification, with any changes identified by such experimentation,
  to standards track.

NEW:
  This specification is thus published as experimental, in order to
  encourage its use and reports on its use.  Once experiments have been
  carried out and reported, and when some public analysis of the underlying
          cryptographic algorithms is available, it may be appropriate  to advance this
  specification, with any changes identified by such experimentation and
          analysis, to standards track.

My reasoning is as follows: the main problem (I see) with this being on
the standards track is the total lack of public analysis of the signature
algorithm. That is not fixed via usage or reports of usage.

[Ballot comment]

The text below were additional discuss points.

While I'm ok with these not being specified in an experimental
RFC, I think the absence of those bits of specification means
that this is clearly not a complete spec that'd allow interop.
(So that would need to be fixed before trying to get this back on
the standards track.) The text does now at least ack that the
revocation trick or some equivalent is needed, but fails to
specify a concrete way of doing that. And while the authors don't
agree with me that private key provisioning needs to be
specified in an interoperable manner, I think that if one
was to produce any IBC standard that has to be a part of
the work, otherwise nodes are limited to working with a
KMS in a proprietary fashion, which is a kind of vendor
lockin.

The old discuss points are below. I think this would be
better if these issues were also called out in section
6.1 but I'll not block on that basis. Perhaps the responsible
AD might think about whether that really needs to be
mentioned or not.

(2) How does a router get its private key? Why is it ok to
not specify that? Seems like an interop fail if that is not
done.

(4) 4.1: The usual revocation trick of including a time value
in the name is referred to at the end of this section but
without sufficient detail to allow interop. Why is that ok?

[Ballot discuss]

(Updated after 1 year when author resumed discussion.)

(1) I am concerned that RFC6507 may not be ready for use in
standards-track RFCs. So far it has not been and I have found
no peer reviewed security or cryptographic analysis that
indicates that it is has been studied to see if it is good
enough for that. I've also not seen any MANET list discussion
of that aspect (and indeed the MANET list discussion I did
see seems to involve very few people).  I asked on the CFRG
list about RFC6507 and it seems [1] to be the case that
no-one has so far really evaluated its security, other than
folks associated with the author's institution. (Which
applies to both 6507 and this I think.) I also didn't find
any references to 6507 in Google scholar.  Lastly, I think we
should be, and be seen to be, more careful than usual with
this draft - given the situation with DUAL-EC-DRBG, and that
this is a new signature scheme that allows the KMS to fake
anyone's signature and the author involved.  Note that that
last is not any imputation of misbehaviour, but the IETF
would not be  doing due-dilligence if we didn't explicitly
consider that aspect.

  [1] https://www.ietf.org/mail-archive/web/cfrg/current/msg05540.html

(2) How does a router get its private key? Why is it ok to
not specify that? Seems like an interop fail if that is not
done.

(3) cleared

(4) 4.1: The usual revocation trick of including a time value
in the name is referred to at the end of this section but
without sufficient detail to allow interop. Why is that ok?

(5) cleared

[Ballot comment]
I would like to see the outcome of Stephen's DISCUSS.  I assume he will hold it until he is satisfied, so I don't need to withhold my "no objection" pending that outcome.

[Ballot comment]
I'm going to hang back until the telechat. Having read the thread on Stephen's DISCUSS, I don't have enough information to determine what I should ballot.

[Ballot comment]
I support Stephen's discuss points and don't have others to add and see that discussion is underway, thanks.

Adrian references a SecDir review, but I'm not able to find one going back quite a ways on the SecDir or Manet archives.  Is it somewhere else?

[Ballot discuss]

(1) I am concerned that RFC6507 may not be ready for use in
standards-track RFCs. So far it has not been and I have found
no peer reviewed security or cryptographic analysis that
indicates that it is has been studied to see if it is good
enough for that. I've also not seen any MANET list discussion
of that aspect (and indeed the MANET list discussion I did
see seems to involve very few people).  I asked on the CFRG
list about RFC6507 and it seems [1] to be the case that
no-one has so far really evaluated its security, other than
folks associated with the author's institution. (Which
applies to both 6507 and this I think.) I also didn't find
any references to 6507 in Google scholar.  Lastly, I think we
should be, and be seen to be, more careful than usual with
this draft - given the situation with DUAL-EC-DRBG, and that
this is a new signature scheme that allows the KMS to fake
anyone's signature and the author involved.  Note that that
last is not any imputation of misbehaviour, but the IETF
would not be  doing due-dilligence if we didn't explicitly
consider that aspect.

  [1] https://www.ietf.org/mail-archive/web/cfrg/current/msg05540.html

(2) How does a router get its private key? Why is it ok to
not specify that? Seems like an interop fail if that is not
done.

(3) I think this is the first asymmetric scheme the WG have
adopted. If that's wrong then this discuss point is fairly
moot:-) When did the WG discuss whether to adopt IBS as its
first asymmetric appraoch and not traditional signature
schemes that don't have spoofing by the KG/KMS as an inherent
property? That might be a reasonable decision, but I don't
see where that decision was made, nor why. (That could be
just that I've not looked far enough back in the WG list
archives, in which case this is easy.)

(4) 4.1: The usual revocation trick of including a time value
in the name is referred to at the end of this section but
without sufficient detail to allow interop. Why is that ok?

(5) RFC6507 isn't compatible with e.g. Curve25519 or perhaps
other "rigid" curves. Given that CFRG are in the process of
picking new curves, with better properties, wouldn't it be
better for the WG to wait and have the choice of using those
as well or instead?

[Ballot comment]
I have cleared my Discuss. I am satisfied that the author has engaged properly in discussion with the SecDir reviewer and that the document itself is sound.

The only addition I can see arising from this debate is some text to further explain the trust model in using IBS: it may not be suitable for everyone, but it's offered as an option for those for whom it is suitable.

[Ballot discuss]
There is an on-going discussion between Martin Thomson and Christopher Dearlove about the key authorities and mechanisms described in this document. This Discuss is to track that conversation and wait for a resolution.

Notification list changed to manet-chairs@tools.ietf.org, draft-ietf-manet-ibs.all@tools.ietf.org, manet@ietf.org, T.Clausen@computer.org from manet-chairs@tools.ietf.org, draft-ietf-manet-ibs@tools.ietf.org, "Adrian Farrel" <afarrel@juniper.net>, "Thomas H. Clausen" <T.Clausen@computer.org>

Notification list changed to manet-chairs@tools.ietf.org, draft-ietf-manet-ibs@tools.ietf.org, "Adrian Farrel" <afarrel@juniper.net>, "Thomas H. Clausen" <T.Clausen@computer.org> from manet-chairs@tools.ietf.org, draft-ietf-manet-ibs@tools.ietf.org, Thomas.Clausen@inria.fr, "Thomas Clausen" <Thomas.Clausen@inria.fr>, "Adrian Farrel" <afarrel@juniper.net>, "Thomas H. Clausen" <T.Clausen@computer.org>

Notification list changed to manet-chairs@tools.ietf.org, draft-ietf-manet-ibs@tools.ietf.org, Thomas.Clausen@inria.fr, "Thomas Clausen" <Thomas.Clausen@inria.fr>, "Adrian Farrel" <afarrel@juniper.net>, "Thomas H. Clausen" <T.Clausen@computer.org> from manet-chairs@tools.ietf.org, draft-ietf-manet-ibs@tools.ietf.org, Thomas.Clausen@inria.fr, "Thomas Clausen" <Thomas.Clausen@inria.fr>, "Adrian Farrel" <afarrel@juniper.net>

Notification list changed to manet-chairs@tools.ietf.org, draft-ietf-manet-ibs@tools.ietf.org, Thomas.Clausen@inria.fr, "Thomas Clausen" <Thomas.Clausen@inria.fr>, "Adrian Farrel" <afarrel@juniper.net> from manet-chairs@tools.ietf.org, draft-ietf-manet-ibs@tools.ietf.org, Thomas.Clausen@inria.fr, "Thomas Clausen" <Thomas.Clausen@inria.fr>

IESG/Authors/WG Chairs:

IANA has reviewed draft-ietf-manet-ibs-03. Please report any inaccuracies and respond to any questions as soon as possible.

IANA's reviewer has the following comments:

IANA understands that, upon approval of this document, a single action requires completion.

In the Cryptographic Functions registry under the Mobile Ad hoc NETwork (MANET) Parameters heading at

https://www.iana.org/assignments/manet-parameters/

two new cryptographic functions are to be registered as follows:

Value: [TBD-at-registration ]
Algorithm: ECCSI
Description: ECCSI [RFC6507]
Reference: [ RFC-to-be ]

Value: [TBD-at-registration ]
Algorithm: ECCSI-ADDR
Description: ECCSI [RFC6507] with an address (source or originator) joined to identity
Reference: [ RFC-to-be ]

IANA notes that the values 7 (ECCSI) and 8 (ECCSI-ADDR) have been suggested by the authors for the values of these registrations.

As this document requests registrations in an Expert Review or Specification Required (see RFC 5226) registry, we will initiate the required Expert Review via a separate request. Expert review will need to be completed before your document can be approved for publication as an RFC.

IANA understands that this is the only action required to be completed upon approval of this document.

Note:  The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is only to confirm what actions will be performed.

The following Last Call announcement was sent out:

From: The IESG
To: IETF-Announce
CC:
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (Identity-Based Signatures for MANET Routing Protocols) to Proposed Standard

The IESG has received a request from the Mobile Ad-hoc Networks WG
(manet) to consider the following document:
- 'Identity-Based Signatures for MANET Routing Protocols'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2014-10-27. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract

  This document updates RFC7182, which specifies a framework for, and
  specific examples of, integrity check values (ICVs) for packets and
  messages using the generalized packet/message format specified in
  RFC5444.  It does so by defining an additional cryptographic function
  that allows the creation of an ICV that is an identity-based
  signature, defined according to the ECCSI (Elliptic Curve-Based
  Certificateless Signatures for Identity-Based Encryption) algorithm
  specified in RFC6507.


This document contains a downward normative reference (a downref [RFC3967 and RFC4897]) to the informational RFC 6507.

The file can be obtained via
http://datatracker.ietf.org/doc/draft-ietf-manet-ibs/

IESG discussion can be tracked via
http://datatracker.ietf.org/doc/draft-ietf-manet-ibs/ballot/


No IPR declarations have been submitted directly on this I-D.

Document Shepherd Write-Up for draft-ietf-manet-ibs-03

(1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)? Why is this the proper type of RFC? Is this type of RFC indicated in the title page header?

    The intended status is “Proposed Standard”,
    and this is indicated in the title page header.
(2) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up. Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections:

Technical Summary:

    This document builds on RFC7182 and RFC6507, and
    provides a framework for using Identity-Based
    Signatures in MANET routing protocols.

Working Group Summary:

    The document was presented at the WG meeting at
    IETF’90, and had reasonable discussion both before
    and after this meeting. There were significant
    expression of support for adoption as WG document,
    a couple of reviews posted after adoption, which were
    addressed. On the author’s initiative, external
    verification of the example provided in Appendix A
    was sought from a crypto-expert.

    WGLC saw positive support for publication, with
    nobody appearing to be “in the rough"

Document Quality:
Are there existing implementations of the protocol? Have a significant number of vendors indicated their plan to implement the specification? Are there any reviewers that merit special mention as having done a thorough review, e.g., one that resulted in important changes or a conclusion that the document had no substantive issues? If there was a MIB Doctor, Media Type or other expert review, what was its course (briefly)? In the case of a Media Type review, on what date was the request posted?

    There are existing implementations of this extension
    mechanism, known to the document shepherd.

    Dr. Benjamin Smith provided independent verification
    of the example provided in Appendix A, and is
    recognized for this in the acknowledgements.

    No media type, nor MIB doctor, review done, as this
    was not needed

Personnel:

Who is the Document Shepherd? Who is the Responsible Area Director?

    The document shepherd is:
          Thomas Clausen

    The responsible Area Director is:
          Adrian Farrell


(3) Briefly describe the review of this document that was performed by the Document Shepherd. If this version of the document is not ready for publication, please explain why the document is being forwarded to the IESG.

    The document shepherd performed a total of five
    reviews of this document, during WG processing:

    1) Initially, prior to WG adoption

    2) Extensively, following WG adoption, providing       
        substantial comments

    3) Extensively, following the author addressed the
        review comments from 2), to satisfaction

    4) Extensively, once WGLC was terminated, considering
        WGLC comments received, which resulted in a
        document revision (-03) fixing nits, format
        issues, and a reference issue.

    5) Finally, a review of the -03 version

    The document shepherd estimates, that the -03 version
    of the document is technically identical to the -02
    version which was WGLCed.

    The document shepherd believes, that the -03 version
    of the document is ready for being forwarded to the
    IESG.

(4) Does the document Shepherd have any concerns about the depth or breadth of the reviews that have been performed?

    The document shepherd is satisfied that sufficient
    reviews have been performed.

(5) Do portions of the document need review from a particular or from broader perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or internationalization? If so, describe the review that took place.

    This document addresses security, within the
    framework set forth in RFC7182, and uses RFC6507
    for the cryptographic functions. Both RFC7182 and
    RFC6507 has received extensive scrutiny from the
    security community.

    As such, the document shepherd believes that the
    habitual SEC-DIR review for standards track documents
    is expected — but that no additional reviews are
    necessary, nor beneficial.

(6) Describe any specific concerns or issues that the Document Shepherd has with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here.

    The document shepherd raised, in his review,
    (http://www.ietf.org/mail-archive/web/manet/current/msg16728.html)
    the question of if “Updates RFC7182” is appropriate.

    The document author and the document shepherd both
    are “on the balance” as to if it is, or is not

    Both parties, however, believe that either way is
    tolerable, and agreed to seek advice from the
    responsible AD on this particular matter
    (http://www.ietf.org/mail-archive/web/manet/current/msg16728.html)

    The argument for “is not appropriate” goes like this:

          What this document does is:
              (i)  only things permissible by RFC7182, and
              (ii) makes registration from IANA registries
                    set up by RFC7182
                    (noting, of course, that RFC7181 doesn’t
                    “Updates 5444” when making registrations
                    for TC messages from the repositories
                    set up by RFC5444 as a case of precedent)

    The argument for “is appropriate” is, that the
    way this document interprets  might not
    be as is described in RFC7182.

(7) Has each author confirmed that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed. If not, explain why?

    The author has confirmed to not be aware of any
    IPR that requires disclosure regarding this specific
    documents.

(8) Has an IPR disclosure been filed that references this document? If so, summarize any WG discussion and conclusion regarding the IPR disclosures.

    There have been no IPR disclosures filed that
    reference this document.

(9) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it?

    As described under Working Group Summary, the
    consensus behind this document appears quite solid.

(10) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is publicly available.)

    There have been no threats of appeal raised, nor
    has any extreme discontent been indicated.

(11) Identify any ID nits the Document Shepherd has found in this document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist). Boilerplate checks are not enough; this check needs to be thorough.

    IDNITS raises only concerns on a DOWNREF, addressed
    in 15) below.

(12) Describe how the document meets any required formal review criteria, such as the MIB Doctor, media type, and URI type reviews.

    Such reviews are not required for this document.

(13) Have all references within this document been identified as either normative or informative?

    Yes.
(14) Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the plan for their completion?

    No.

(15) Are there downward normative references references (see RFC 3967)? If so, list these downward references to support the Area Director in the Last Call procedure.

    This document, intended for publication on std.
    track, has a downref to RFC6507, which is published
    as informational.

    RFC6507 does not appear in the downrefergistry
    (http://trac.tools.ietf.org/group/iesg/trac/wiki/DownrefRegistry)
    and must thus be explicitly called out in the
    IETF Last Call.

(16) Will publication of this document change the status of any existing RFCs? Are those RFCs listed on the title page header, listed in the abstract, and discussed in the introduction? If the RFCs are not listed in the Abstract and Introduction, explain why, and point to the part of the document where the relationship of this document to the other RFCs is discussed. If this information is not in the document, explain why the WG considers it unnecessary.

    Advice from the responsible AD is sought on if
    this document “Updates RFC7182”, or not, as
    previously indicated.

    If, on the responsible ADs advice, this document
    updates RFC7182, then this is called out in the
    appropriate places.

(17) Describe the Document Shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document. Confirm that all protocol extensions that the document makes are associated with the appropriate reservations in IANA registries. Confirm that any referenced IANA registries have been clearly identified. Confirm that newly created IANA registries include a detailed specification of the initial contents for the registry, that allocations procedures for future registrations are defined, and a reasonable name for the new registry has been suggested (see RFC 5226).

    All protocol extensions that the document makes, are
    associated with the appropriate reservations

    Referenced IANA registries have been clearly
    identified

    No new IANA registries are created

    The designated expert for the registry confirmed on
    14/09/03 that he finds the registrations
    requested in this document as aggreable:

    http://www.ietf.org/mail-archive/web/manet/current/msg16912.html

(18) List any new IANA registries that require Expert Review for future allocations. Provide any public guidance that the IESG would find useful in selecting the IANA Experts for these new registries.

    No new IANA registries are created.

(19) Describe reviews and automated checks performed by the Document Shepherd to validate sections of the document written in a formal language, such as XML code, BNF rules, MIB definitions, etc.

    No such checks required nor performed: no XML code,
    BNF rules, MIB definitions, or other formal language
    for which automatic checks exist, is included in this
    document.