>>> depend on NIST standard process and development? Is the statement talking >>> about all IETF security standards? > > > As I tried to explain in http://tools.ietf.org/html/draft-tschofenig-perpass-surveillance-00 the IETF is currently not in the business of developing cryptographic primitives. This work is done outside the IETF (to a large extend). > > Of course, our security protocols have to use cryptographic primitives and there is the question where do these come from. > > It turns out that there are not that many organizations in the world who have the necessary level of expertise. NIST is one of them. Indeed. Some IETF standards normatively reference NIST cryptographic standards, and many of them are the mandatory to implement algorithm. So, these IETF standards do depend on the NIST standards, and indirectly on the process by which the NIST standards were developed. The IETF has developed it own cryptographic mechanisms when there has been a void. RFC 3217 is one example. When that work was done by the S/MIME WG, the group went to great lengths to get cryptographers to participate. This is not the preferred approach, but sometimes there is a void that needs to be filled. Russ