Last Call Review of draft-ietf-curdle-cms-eddsa-signatures-06
review-ietf-curdle-cms-eddsa-signatures-06-secdir-lc-zhang-2017-07-31-00
| Request | Review of | draft-ietf-curdle-cms-eddsa-signatures |
|---|---|---|
| Requested revision | No specific revision (document currently at 08) | |
| Type | Last Call Review | |
| Team | Security Area Directorate (secdir) | |
| Deadline | 2017-07-25 | |
| Requested | 2017-07-11 | |
| Authors | Russ Housley | |
| I-D last updated | 2017-07-31 | |
| Completed reviews |
Genart Last Call review of -06
by Jouni Korhonen
(diff)
Secdir Last Call review of -06 by Dacheng Zhang (diff) Opsdir Last Call review of -07 by Sheng Jiang (diff) Genart Telechat review of -07 by Jouni Korhonen (diff) |
|
| Assignment | Reviewer | Dacheng Zhang |
| State | Completed | |
| Review |
review-ietf-curdle-cms-eddsa-signatures-06-secdir-lc-zhang-2017-07-31
|
|
| Reviewed revision | 06 (document currently at 08) | |
| Result | Has Issues | |
| Completed | 2017-07-31 |
review-ietf-curdle-cms-eddsa-signatures-06-secdir-lc-zhang-2017-07-31-00
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document specifies the conventions for using Edwards-curve Digital Signature Algorithm (EdDSA) for curve25519 and curve448 in the Cryptographic Message Syntax (CMS). I think this document can be published after some tiny updates. The comments are listed as follows: 1. In security considerations, the first and the second paragraphs are about how implementations protect the private keys and how they guarantee the quality of random numbers. Normally, this such considerations are out of scope of protocol specifications. But I am ok if the authors would like to keep them. 2. In the 4th paragraph of security considerations, ' the same private key SHOULD NOT be used with more than one EdDSA set of parameters.' -> ' the same private key MUST NOT be used with more than one EdDSA set of parameters.' Since we already know that the same private key used for multiple algorithms will cause potential risks, we should use a stronger word here. 3. In the 5th paragraph of security considerations, ' the same hash function should be used for all operations.' ->' the same hash function SHOULD be used for all operations.' 4. In the 1st paragraph, 'When signing with Ed25519, the digestAlgorithm SHOULD include id-sha512' ->' When signing with Ed25519, the digestAlgorithm MUST include id-sha512'. 'When signing with Ed448, the digestAlgorithm SHOULD include id-shake256-len' -> 'When signing with Ed448, the digestAlgorithm MUST include id-shake256-len'. Cheers Dacheng _______________________________________________ secdir mailing list secdir@ietf.org https://www.ietf.org/mailman/listinfo/secdir wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview