Last Call Review of draft-kivinen-ipsecme-signature-auth-06
review-kivinen-ipsecme-signature-auth-06-genart-lc-carpenter-2014-07-06-00

Request Review of draft-kivinen-ipsecme-signature-auth
Requested rev. no specific revision (document currently at 07)
Type Last Call Review
Team General Area Review Team (Gen-ART) (genart)
Deadline 2014-07-15
Requested 2014-07-01
Other Reviews Genart Telechat review of -07 by Brian Carpenter
Review State Completed
Reviewer Brian Carpenter
Review review-kivinen-ipsecme-signature-auth-06-genart-lc-carpenter-2014-07-06
Posted at http://www.ietf.org/mail-archive/web/gen-art/current/msg10309.html
Reviewed rev. 06 (document currently at 07)
Review result Almost Ready
Draft last updated 2014-07-06
Review completed: 2014-07-06

Review
review-kivinen-ipsecme-signature-auth-06-genart-lc-carpenter-2014-07-06

I am the assigned Gen-ART reviewer for this draft. For background on
Gen-ART, please see the FAQ at
<http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.

Please resolve these comments along with any other Last Call comments
you may receive.

Document: draft-kivinen-ipsecme-signature-auth-06.txt
Reviewer: Brian Carpenter
Review Date: 2014-07-07
IETF LC End Date: 2014-07-15
IESG Telechat date:

Summary:  Almost ready
--------

Minor issues:
-------------

In the Security Considerations, it says:

   This means that the security of the authentication method is the
   security of the weakest component (signature algorithm, hash
   algorithm, or curve).  This complicates the security analysis of the
   system.  Note that this kind of mixing of security levels can be
   disallowed by policy.

As a security ignoramus, I would have liked to see some discussion of
downgrade attacks here. Also, the remark about "policy" seems incomplete.
Is it an implementation requirement that some sort of policy must be
supported? Is there a recommended default policy?

Nits:
-----

I found this sentence unnecessarily nested and hard to read:

   o  The RSA digital signature format in IKEv2 is specified to use
      RSASSA-PKCS1-v1_5 padding, but "Additional Algorithms and
      Identifiers for RSA Cryptography for use in PKIX Profile"
      ([RFC4055])) recommends the use of the newer RSASSA_PSS (See
      section 5 of [RFC4055]) instead.

Why not

   o  The RSA digital signature format in IKEv2 is specified to use
      RSASSA-PKCS1-v1_5 padding, but section 5 of "Additional Algorithms
      and Identifiers for RSA Cryptography for use in PKIX Profile"
      [RFC4055] recommends the use of the newer RSASSA_PSS instead.
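
To make the "weakest component" and "disallowed by policy" remarks in the quoted Security Considerations concrete, here is an added illustration of what such a policy check could look like. It is my own example, not text or code from the draft or from this review. The algorithm labels, the bits-of-security table (taken from the customary NIST SP 800-57 comparable-strength estimates), the function names and the sample offers are all assumptions constructed for the example.

```python
"""Policy check for mixed security levels in IKEv2 signature authentication.

Added illustration; not code or text from the draft. Algorithm labels and the
bits-of-security table are assumptions constructed for this example (figures
follow the customary NIST SP 800-57 comparable-strength estimates).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed comparable-strength table, in bits of security.
HASH_BITS = {"sha1": 80, "sha256": 128, "sha384": 192, "sha512": 256}
CURVE_BITS = {"P-256": 128, "P-384": 192, "P-521": 256}
RSA_KEY_BITS = {2048: 112, 3072: 128, 7680: 192, 15360: 256}


@dataclass(frozen=True)
class SigParams:
    """One signature-authentication choice: algorithm, hash and key/curve."""
    sig: str                        # "ecdsa", "rsa-pss" or "rsa-pkcs1v15" (assumed labels)
    hash_alg: str                   # key into HASH_BITS
    curve: Optional[str] = None     # ECDSA only
    rsa_bits: Optional[int] = None  # RSA only


def component_strengths(p: SigParams) -> Dict[str, int]:
    """Strength of each component; unknown names raise instead of defaulting."""
    if p.hash_alg not in HASH_BITS:
        raise ValueError(f"unknown hash {p.hash_alg}")
    out = {"hash": HASH_BITS[p.hash_alg]}
    if p.sig == "ecdsa":
        if p.curve not in CURVE_BITS:
            raise ValueError(f"unknown curve {p.curve}")
        out["curve"] = CURVE_BITS[p.curve]
    elif p.sig in ("rsa-pss", "rsa-pkcs1v15"):
        if p.rsa_bits not in RSA_KEY_BITS:
            raise ValueError(f"unsupported RSA size {p.rsa_bits}")
        out["key"] = RSA_KEY_BITS[p.rsa_bits]
    else:
        raise ValueError(f"unknown signature algorithm {p.sig}")
    return out


def effective_strength(p: SigParams) -> int:
    """The combination is only as strong as its weakest component."""
    return min(component_strengths(p).values())


def check_policy(p: SigParams, min_bits: int = 128, allow_mixing: bool = False,
                 allowed_sigs: Tuple[str, ...] = ("ecdsa", "rsa-pss")) -> Tuple[bool, str]:
    """Accept only combinations that meet the floor and, by default, do not mix levels."""
    if p.sig not in allowed_sigs:
        return False, f"{p.sig} not permitted by policy"
    strengths = component_strengths(p)
    weakest = min(strengths.values())
    if weakest < min_bits:
        weak = [k for k, v in strengths.items() if v == weakest]
        return False, f"{'/'.join(weak)} gives only {weakest} bits (< {min_bits})"
    if not allow_mixing and len(set(strengths.values())) > 1:
        return False, f"mixed security levels {strengths}"
    return True, f"ok at {weakest} bits"


def select_strongest(offers: List[SigParams], **policy) -> Optional[SigParams]:
    """Pick the strongest acceptable offer rather than the first one the peer listed.

    Choosing by strength instead of peer order closes one downgrade avenue: a
    peer cannot steer us to a weak combination simply by listing it first.
    """
    acceptable = [o for o in offers if check_policy(o, **policy)[0]]
    if not acceptable:
        return None
    return max(acceptable, key=effective_strength)


if __name__ == "__main__":
    # Constructed offers, in the order a (possibly hostile) peer might list them.
    offers = [
        SigParams("rsa-pkcs1v15", "sha256", rsa_bits=2048),  # rejected: padding not allowed
        SigParams("ecdsa", "sha256", curve="P-384"),         # 128 bits overall; mixed
        SigParams("ecdsa", "sha384", curve="P-384"),         # 192 bits; unmixed
        SigParams("rsa-pss", "sha256", rsa_bits=3072),       # 128 bits; unmixed
    ]
    for o in offers:
        print(o, check_policy(o))
    print("chosen:", select_strongest(offers))
```

With the default policy (128-bit floor, no mixing) the P-384/SHA-256 offer is rejected even though its weakest component meets the floor, which is exactly the "disallowed by policy" case the draft mentions; relaxing `allow_mixing` accepts it at 128 bits. The selection helper shows the simplest defence against the downgrade question raised above: rank offers by their effective strength, not by the order in which the peer presents them.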