[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[radext] #99: AD Review of RADIUS Crypto-Agility Requirements



#99: AD Review of RADIUS Crypto-Agility Requirements

 Hi,

 This is the AD review of
 draft-ietf-radext-crypto-agility-requirements-06.txt. The document is in
 good shape. Because of the relative broad applicability and security
 impact of the document, I will send it to IETF Last Call, although as a
 WG document targetting Informational status this would not have been
 mandatory. I have a number of comments and questions which I request to
 be taken into consideration together with the other IETF LC comments.

 The technical comments are marked T and the Editorial comments are
 marked E.

 T1. I am a little concerned by the fact that the second paragraph of
 section 1.2 speaks in terms of 'compliance', 'unconditional compliance'
 and 'conditional compliance' with 'this specification' which is actually
 an Informational document. Is this really needed? We tend to avoid such
 strict language in IETF documents.

 T2. In section 4.2 I see the following:

    Guidance on acceptable algorithms can be found in [NIST-SP800-131A];
    it is RECOMMENDED that mandatory-to-implement cryptographic
    algorithms be chosen from among those classified as "Acceptable" with
    no known deprecation date.

 I acknowledge that the NIST document is rather new, but such documents
 have a timely nature by definition and may change faster than we want
 this RFC to change. I would suggest to include at least a note saying
 that if [NIST-SP800-131A] its successors need to be taken as reference.
 Or, if we do not want to assume the risk of a blank check we should
 observe that this recommendation is valid at the time of the publication
 of this document.

 T3. Also in section 4.2 I see the following:

    In addition to the goals referred to above, [RFC4962] Section 2
    describes additional security requirements, which translate into the
    following requirements for RADIUS crypto-agility solutions:

 It may be my understanding but I could not find in section 2 of
 [RFC4962] the requirements that translate into 'strong, fresh, session
 key' and 'Limit key scope'. Can you explain me what I am missing?


 E1. Idnits complains:

   == You're using the IETF Trust Provisions' Section 6.b License Notice
 from
      12 Sep 2009 rather than the newer Notice from 28 Dec 2009.  (See
      http://trustee.ietf.org/license-info/)

 E2. I am wondering what the scope of section 1.3 is. Maybe it's my
 English, but why is the section named 'The Charge'? Do you mean 'Scope'?
 It looks to me that dropping this section or making it (or a shorter
 version) part of Section 1.4 as background information would be better.

 E3. Page 5, second paragraph s/can selected/can be selected/

 Thanks and Regards,

 Dan

-- 
-----------------------------------+----------------------------------------
 Reporter:  dromasca@â             |       Owner:            
     Type:  defect                 |      Status:  new       
 Priority:  major                  |   Milestone:  milestone1
Component:  Crypto-Agility         |     Version:  1.0       
 Severity:  Submitted WG Document  |    Keywords:            
-----------------------------------+----------------------------------------

Ticket URL: <https://wiki.tools.ietf.org/wg/radext/trac/ticket/99>
radext <http://tools.ietf.org/radext/>


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>