Last Call Review of draft-ietf-curdle-cms-eddsa-signatures-06
review-ietf-curdle-cms-eddsa-signatures-06-secdir-lc-zhang-2017-07-31-00

Request Review of draft-ietf-curdle-cms-eddsa-signatures
Requested rev. no specific revision (document currently at 08)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2017-07-25
Requested 2017-07-11
Draft last updated 2017-07-31
Completed reviews Genart Last Call review of -06 by Jouni Korhonen (diff)
Secdir Last Call review of -06 by Dacheng Zhang (diff)
Opsdir Last Call review of -07 by Sheng Jiang (diff)
Genart Telechat review of -07 by Jouni Korhonen (diff)
Assignment Reviewer Dacheng Zhang
State Completed
Review review-ietf-curdle-cms-eddsa-signatures-06-secdir-lc-zhang-2017-07-31
Reviewed rev. 06 (document currently at 08)
Review result Has Issues
Review completed: 2017-07-31

Review
review-ietf-curdle-cms-eddsa-signatures-06-secdir-lc-zhang-2017-07-31

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document specifies the conventions for using Edwards-curve Digital Signature Algorithm (EdDSA) for curve25519 and curve448 in the Cryptographic Message Syntax (CMS). I think this document can be published after some tiny updates.

The comments are listed as follows:

1. In security considerations, the first and the second paragraphs are about how implementations protect the private keys and how they guarantee the quality of random numbers. Normally, this such considerations are out of scope of protocol specifications. But I am ok if the authors would like to keep them. 

2. In the 4th paragraph of security considerations, ' the same private key SHOULD NOT be used with more than one EdDSA set of parameters.' -> ' the same private key MUST NOT be used with more than one EdDSA set of parameters.' Since we already know that the same private key used for multiple algorithms will cause potential risks, we should use a stronger word here.

3. In the 5th paragraph of security considerations, ' the same hash function should be used for all operations.' ->' the same hash function SHOULD be used for all operations.'

4. In the 1st paragraph, 'When signing with Ed25519, the digestAlgorithm SHOULD include id-sha512' ->' When signing with Ed25519, the digestAlgorithm MUST include id-sha512'. 'When signing with Ed448, the digestAlgorithm SHOULD include id-shake256-len' -> 'When signing with Ed448, the digestAlgorithm MUST include id-shake256-len'.

Cheers

Dacheng

_______________________________________________
secdir mailing list
secdir@ietf.org
https://www.ietf.org/mailman/listinfo/secdir
wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview