Last Call Review of draft-ietf-avtcore-aria-srtp-06
review-ietf-avtcore-aria-srtp-06-secdir-lc-laurie-2014-09-18-00

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

Summary: ready with issues, or maybe not ready (AD's choice!)

Firstly, I'm not generally keen on RFCs for "vanity" ciphers - or,
indeed, any cipher that's been as lightly reviewed as ARIA has. The
Security ADs may feel differently, so I defer to them.

Secondly, ARIA-CTR and ARIA-GCM both use SHA-1 as a hash function, and
I believe we are trying to deprecate that practice.

Thirdly, I am not familiar enough with SRTP to understand why short
authentication tags are needed, but in general its a bad idea, so I
feel the Security Considerations should explain more fully than
"Ciphersuites with short tag length may be
   considered for specific application environments stated in 7.5 of
   [RFC3711], but the risk of weak authentication described in
   Section 9.5.1 of [RFC3711] should be taken into account."

How would I take this risk into account?

Finally, given that short tags are a risk, why are there no modes with
full-length tags?