Skip to main content

Last Call Review of draft-ietf-curdle-cms-eddsa-signatures-06
review-ietf-curdle-cms-eddsa-signatures-06-secdir-lc-zhang-2017-07-31-00

Request Review of draft-ietf-curdle-cms-eddsa-signatures
Requested revision No specific revision (document currently at 08)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2017-07-25
Requested 2017-07-11
Authors Russ Housley
I-D last updated 2017-07-31
Completed reviews Genart Last Call review of -06 by Jouni Korhonen (diff)
Secdir Last Call review of -06 by Dacheng Zhang (diff)
Opsdir Last Call review of -07 by Sheng Jiang (diff)
Genart Telechat review of -07 by Jouni Korhonen (diff)
Assignment Reviewer Dacheng Zhang
State Completed
Request Last Call review on draft-ietf-curdle-cms-eddsa-signatures by Security Area Directorate Assigned
Reviewed revision 06 (document currently at 08)
Result Has issues
Completed 2017-07-31
review-ietf-curdle-cms-eddsa-signatures-06-secdir-lc-zhang-2017-07-31-00
I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. These comments
were written primarily for the benefit of the security area directors. Document
editors and WG chairs should treat these comments just like any other last call
comments.

This document specifies the conventions for using Edwards-curve Digital
Signature Algorithm (EdDSA) for curve25519 and curve448 in the Cryptographic
Message Syntax (CMS). I think this document can be published after some tiny
updates.

The comments are listed as follows:

1. In security considerations, the first and the second paragraphs are about
how implementations protect the private keys and how they guarantee the quality
of random numbers. Normally, this such considerations are out of scope of
protocol specifications. But I am ok if the authors would like to keep them.

2. In the 4th paragraph of security considerations, ' the same private key
SHOULD NOT be used with more than one EdDSA set of parameters.' -> ' the same
private key MUST NOT be used with more than one EdDSA set of parameters.' Since
we already know that the same private key used for multiple algorithms will
cause potential risks, we should use a stronger word here.

3. In the 5th paragraph of security considerations, ' the same hash function
should be used for all operations.' ->' the same hash function SHOULD be used
for all operations.'

4. In the 1st paragraph, 'When signing with Ed25519, the digestAlgorithm SHOULD
include id-sha512' ->' When signing with Ed25519, the digestAlgorithm MUST
include id-sha512'. 'When signing with Ed448, the digestAlgorithm SHOULD
include id-shake256-len' -> 'When signing with Ed448, the digestAlgorithm MUST
include id-shake256-len'.

Cheers

Dacheng

_______________________________________________
secdir mailing list
secdir@ietf.org
https://www.ietf.org/mailman/listinfo/secdir
wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview