Re: [Last-Call] Secdir last call review of draft-ietf-cose-webauthn-algorithms-06

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Thanks again for your review, Linda.  https://tools.ietf.org/html/draft-ietf-cose-webauthn-algorithms-07#section-5.2 adds the requested clarification that SHA-256, SHA-384, and SHA-512 are the SHA-2 hash functions.

				-- Mike

-----Original Message-----
From: Linda Dunbar <linda.dunbar@xxxxxxxxxxxxx> 
Sent: Wednesday, May 27, 2020 5:22 PM
To: Matthew A. Miller <linuxwolf+ietf@xxxxxxxxxxxxxxxx>; secdir@xxxxxxxx
Cc: cose@xxxxxxxx; draft-ietf-cose-webauthn-algorithms.all@xxxxxxxx; last-call@xxxxxxxx
Subject: [EXTERNAL] RE: Secdir last call review of draft-ietf-cose-webauthn-algorithms-06

Matthew, 

That is what I was thinking. Can you add a sentence in Section 5.2 to say that this is for the collection of SHA-256, SHA-384, SHA-512 algorithms? 
Otherwise, the two sections of the document don't  match. 

Thank you
Linda Dunbar

-----Original Message-----
From: Matthew A. Miller <linuxwolf+ietf@xxxxxxxxxxxxxxxx>
Sent: Wednesday, May 27, 2020 4:55 PM
To: Linda Dunbar <linda.dunbar@xxxxxxxxxxxxx>; secdir@xxxxxxxx
Cc: cose@xxxxxxxx; draft-ietf-cose-webauthn-algorithms.all@xxxxxxxx; last-call@xxxxxxxx
Subject: Re: Secdir last call review of draft-ietf-cose-webauthn-algorithms-06

Hello Linda,

Thanks for the review.  Speaking on the author's behalf, SHA-2 is defined as the collection of hash algorithms, including all of those cited (SHA-256, SHA-384, SHA-512).  Do you believe it is critical to call this out explicitly?


- m&m

Matthew A. Miller
On 20/05/26 17:51, Linda Dunbar via Datatracker wrote:
> Reviewer: Linda Dunbar
> Review result: Not Ready
> 
> I have reviewed this document as part of the security directorate's 
> ongoing effort to review all IETF documents being processed by the 
> IESG.  These comments were written primarily for the benefit of the security area directors.
>  Document editors and WG chairs should treat these comments just like 
> any other  last call comments.
> 
> This document is to list down the COSE&JOSE Algorithms to be 
> registered to IANA. But it seems the description is not complete. In 
> the Section 2: among the
> 4 algorithms listed under RSASSA-PKCS1-v1_5, three are NOT 
> recommended, one is deprecated. Under the Security Consideration 
> (Section 5), Section 5.2 describes why SHA-2 is "Not Recommended", 
> Section 5.3 describes why SHA-1 is "Deprecated".  What about the 
> description on why SHA-512,  SHA-384, and SHA-256 are not recommended?  Is the missing description intended?
> 
> Best Regards,
> 
> Linda Dunbar
> 
> 
> 
-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call



[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Mhonarc]     [Fedora Users]

  Powered by Linux