On Thu, Oct 24, 2013 at 7:39 AM, Abdussalam Baryun <abdussalambaryun@xxxxxxxxx> wrote:
> Hi Russ
>
> The comment has a statement which I am against;
> IETF standards depend on NIST standards and the process by which they are
> developed.
>
> The statement contradicts the first, that IETF references also other
> government algorithms.

I do not see a contradiction. I think that the sentence is to be interpreted as "SOME IETF standards depend on SOME NIST standard." This is true and it does not rule out that some IETF standards can depend on other standards (or any standard at all).

Clearly the concern is that if some NIST standard is considered "suspect" because of a loss of transparency (e.g., the PRNG based on elliptic curves), the same loss of trustfulness will taint any IETF standard that uses it. IETF standards that do not use NIST products are clearly not affected by this.

> Is this a specific or general dependence? And do IETF standards really
> depend on NIST standard process and development? Is the statement talking
> about all IETF security standards?
>
> Best regards
> Abdussalam
>
>
> On Wednesday, October 23, 2013, IAB Chair wrote:
>>
>> Today, the IAB sent comments to the US National Institute for Standards
>> and Technology (NIST) in the matter of the NIST Special Publication 800-90A
>> (Recommendation for Random Number Generation Using Deterministic Random Bit
>> Generators) review proceeding. In the statement, the IAB supports
>> re-opening of the comment period on NIST SP 800-90A, and the IAB also makes
>> recommendations relating to the review process for cybersecurity and
>> cryptographic standards to enhance transparency and openness.
>>
>> The full statement is available from the IAB website:
>> http://www.iab.org/wp-content/IAB-uploads/2013/10/IAB-NIST-FINAL.pdf
>>
>> On behalf of the IAB,
>> Russ Housley
>> IAB Chair
>>
>