Thanks again for your review, Linda.
https://tools.ietf.org/html/draft-ietf-cose-webauthn-algorithms-07#section-5.2
adds the requested clarification that SHA-256, SHA-384, and SHA-512 are the
SHA-2 hash functions.
-- Mike

-----Original Message-----
From: Linda Dunbar <[email protected]>
Sent: Wednesday, May 27, 2020 5:22 PM
To: Matthew A. Miller <[email protected]>; [email protected]
Cc: [email protected]; [email protected];
[email protected]
Subject: [EXTERNAL] RE: Secdir last call review of draft-ietf-cose-webauthn-algorithms-06

Matthew,
That is what I was thinking. Can you add a sentence in Section 5.2 to say that
this is for the collection of SHA-256, SHA-384, SHA-512 algorithms?
Otherwise, the two sections of the document don't match.
Thank you
Linda Dunbar

-----Original Message-----
From: Matthew A. Miller <[email protected]>
Sent: Wednesday, May 27, 2020 4:55 PM
To: Linda Dunbar <[email protected]>; [email protected]
Cc: [email protected]; [email protected];
[email protected]
Subject: Re: Secdir last call review of draft-ietf-cose-webauthn-algorithms-06

Hello Linda,
Thanks for the review. Speaking on the author's behalf, SHA-2 is defined as
the collection of hash algorithms, including all of those cited (SHA-256,
SHA-384, SHA-512). Do you believe it is critical to call this out explicitly?
- m&m
Matthew A. Miller

On 20/05/26 17:51, Linda Dunbar via Datatracker wrote:
> Reviewer: Linda Dunbar
> Review result: Not Ready
>
> I have reviewed this document as part of the security directorate's ongoing
> effort to review all IETF documents being processed by the IESG. These
> comments were written primarily for the benefit of the security area
> directors. Document editors and WG chairs should treat these comments just
> like any other last call comments.
>
> This document is to list down the COSE&JOSE Algorithms to be registered to
> IANA. But it seems the description is not complete. In the Section 2: among
> the 4 algorithms listed under RSASSA-PKCS1-v1_5, three are NOT recommended,
> one is deprecated. Under the Security Consideration (Section 5), Section 5.2
> describes why SHA-2 is "Not Recommended", Section 5.3 describes why SHA-1 is
> "Deprecated". What about the description on why SHA-512, SHA-384, and SHA-256
> are not recommended? Is the missing description intended?
>
> Best Regards,
>
> Linda Dunbar
>
>
>
_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose