In my experience, many countries other than the US also reference and use/follow many NIST specifications and many NIST recommendations/guidance.

Also, there is some non-governmental commercial pressure to follow NIST specifications, recommendations, & guidance. For example, insurers of financial sector firms often write a requirement for the insured firm to at least be compliant with listed NIST specifications, recommendations, & guidance as part of the insurance (or re-insurance) policy for a bank, stock brokerage, or such like.

I am not certain, but I think the legal requirement in the US is limited to US Federal Government offices/agencies/departments other than the US Department of Defense. For example, I do not think there are legal requirements for commercial firms or individual states to follow NIST specifications, recommendations, & guidance.

My understanding, possibly confused, is that US DoD writes its own guidance, at least on cryptographic matters.

Yours,

Ran

> On Dec 25, 2019, at 06:57, Uri Blumenthal <uri@xxxxxxx> wrote:
>
> NIST standards are mandatory for a subset of US citizens. But enough of businesses outside the US pay attention to what NIST says to make adding the reference relevant and useful.
>
>> On Dec 25, 2019, at 01:52, Valery Smyslov <svan@xxxxxxxx> wrote:
>>
>> Hi Watson,
>>
>> thank you for spending your time on this review in Christmas Eve.
>>
>> The capitalization issue has been already noticed and fixed.
>>
>> I’m not sure the draft should mention NIST levels, because
>> they are relevant mostly for US customers. I think that
>> generic recommendations on key sizes are more appropriate
>> for this document.
>>
>> Regards,
>> Valery.
>>
>> Damn misclick. I meant With Nits.
>>
>> On Tue, Dec 24, 2019 at 8:02 PM Watson Ladd via Datatracker <noreply@xxxxxxxx> wrote:
>> Reviewer: Watson Ladd
>> Review result: Not Ready
>>
>> Twas the night before Christmas
>> when all through the house
>> someone was desperately trying to get a review done on time.
>>
>> I didn't see anything wrong per se in the draft itself, but I found the
>> capitalization of quantum computer an odd choice. IKEv2 is a complicated
>> protocol, and I am not 100% sure that this draft does what we want it to: It
>> would be great if someone could check very carefully in some symbolic model,
>> ala what has been done in TLS. The guidance on sizes seems to rule out NIST
>> level 1, but not any higher levels: might be worth calling out this explicitly.
>>
>> _______________________________________________
>> secdir mailing list
>> secdir@xxxxxxxx
>> https://www.ietf.org/mailman/listinfo/secdir
>> wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview
>>
>> --
>> "Man is born free, but everywhere he is in chains".
>> --Rousseau.
> --
> last-call mailing list
> last-call@xxxxxxxx
> https://www.ietf.org/mailman/listinfo/last-call