Last Call Review of draft-ietf-avtcore-aria-srtp-06
review-ietf-avtcore-aria-srtp-06-secdir-lc-laurie-2014-09-18-00

Request Review of draft-ietf-avtcore-aria-srtp
Requested rev. no specific revision (document currently at 11)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2014-09-11
Requested 2014-09-04
Draft last updated 2014-09-18
Completed reviews Genart Last Call review of -07 by Alexey Melnikov (diff)
Secdir Last Call review of -06 by Ben Laurie (diff)
Opsdir Last Call review of -06 by Jouni Korhonen (diff)
Genart Last Call review of -09 by Meral Shirazipour (diff)
Secdir Last Call review of -09 by Ben Laurie (diff)
Assignment Reviewer Ben Laurie
State Completed
Review review-ietf-avtcore-aria-srtp-06-secdir-lc-laurie-2014-09-18
Reviewed rev. 06 (document currently at 11)
Review result Has Issues
Review completed: 2014-09-18

Review
review-ietf-avtcore-aria-srtp-06-secdir-lc-laurie-2014-09-18

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

Summary: ready with issues, or maybe not ready (AD's choice!)

Firstly, I'm not generally keen on RFCs for "vanity" ciphers - or,
indeed, any cipher that's been as lightly reviewed as ARIA has. The
Security ADs may feel differently, so I defer to them.

Secondly, ARIA-CTR and ARIA-GCM both use SHA-1 as a hash function, and
I believe we are trying to deprecate that practice.

Thirdly, I am not familiar enough with SRTP to understand why short
authentication tags are needed, but in general its a bad idea, so I
feel the Security Considerations should explain more fully than
"Ciphersuites with short tag length may be
   considered for specific application environments stated in 7.5 of
   [RFC3711], but the risk of weak authentication described in
   Section 9.5.1 of [RFC3711] should be taken into account."

How would I take this risk into account?

Finally, given that short tags are a risk, why are there no modes with
full-length tags?