Last Call Review of draft-ietf-csi-hash-threat-
review-ietf-csi-hash-threat-secdir-lc-laganier-2010-03-15-00

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area directors.
 Document editors and WG chairs should treat these comments just like any other
last call comments.

Document Abstract:

   This document analysis the use of hashes in SEND, possible threats
   and the impact of recent attacks on hash functions used by SEND.
   Current SEND specification [rfc3971] uses the SHA-1 [sha-1] hash
   algorithm and X.509 certificates [rfc5280] and does not provide
   support for the hash algorithm agility.  The purpose of the document
   is to provide analysis of possible hash threats and to decide how to
   encode the hash agility support in SEND.

Summary: Most of the document tries to explains how an attack on a given
property of a hash function does or does not translate into an attack on other
hash-based cryptographic primitives (signature, certificate.) IMHO This
document is not the right place to do so (these are documented elsewhere.)
Moreover, the document fail to clearly articulate how attacks against these
hash-based cryptographic primitives translates or does not translate into
attacks against the SEND protocol itself. Thus I think the document in its
current form is not ready for publication and requires more work.

Detailed comments:

- Section 3 explains what is a first-preimage attack, a second preimage attack,
a collision attacks, etc. I do no think this document is the right place to do
this. A simple reference to the definition of the attacks could be added if
necessary, e.g. "For a definition of the various attacks against hash function
properties, see [HAC] [...] [HAC] Handbook of Applied Cryptography, Alfred J.
Menezes et al., 2001,

http://www.cacr.math.uwaterloo.ca/hac/&quot

;

- Section 3.1. explains that the "impacts of collision attacks on current uses
of CGAs and the CGA hash agility are analyzed in the update of the CGA
specification [rfc4982]", yet it goes on with explaining what is the purpose of
a CGA etc. If RFC4982 has done the analysis already, simply cite it, and state
the result, e.g. "impacts of collision attacks on current uses of CGAs and the
CGA hash agility are analyzed in the update of the CGA specification [rfc4982]
which concludes that no current hash vulnerability impacts the security
properties afforded by the use of CGAs".

- Section 3.2 similarly goes on musing on attacks against X.509 certificates.
Again, I'd rather have the section refer to an analysis of the vulnerabilities
introduced by the use of hashes by X.509 certificates, and simply state the
conclusion of the analysis in this document. If no proper analysis has been
done, then it could be done in this document, but this section as is doesn't
seem to do that in an appropriate way.

- Section 3.3. has a similar problem as above. It muses on non-repudiation etc.
but does not say what I'm interested in. If security of SEND does not rely on
non-repudiation property of the signature, state it and explain why. I am not
interested in how to attack the non-repudiation property of a signature using a
hash vulnerability, I am interested in how can (or can't) I attack SEND using a
non-repudiation vulnerability...

Editorial: the use of the English language could be improved.

--julien