Mike,

Thank you for the change.

Linda

-----Original Message-----
From: Mike Jones <[email protected]> 
Sent: Wednesday, June 3, 2020 11:52 AM
To: Linda Dunbar <[email protected]>; Matthew A. Miller 
<[email protected]>; [email protected]
Cc: [email protected]; [email protected]; 
[email protected]
Subject: RE: Secdir last call review of draft-ietf-cose-webauthn-algorithms-06

Thanks again for your review, Linda.  
https://tools.ietf.org/html/draft-ietf-cose-webauthn-algorithms-07#section-5.2
adds the requested clarification that SHA-256, SHA-384, and SHA-512 are the 
SHA-2 hash functions.

                                -- Mike

-----Original Message-----
From: Linda Dunbar <[email protected]>
Sent: Wednesday, May 27, 2020 5:22 PM
To: Matthew A. Miller <[email protected]>; [email protected]
Cc: [email protected]; [email protected]; 
[email protected]
Subject: [EXTERNAL] RE: Secdir last call review of 
draft-ietf-cose-webauthn-algorithms-06

Matthew, 

That is what I was thinking. Can you add a sentence in Section 5.2 to say that 
this is for the collection of SHA-256, SHA-384, SHA-512 algorithms? 
Otherwise, the two sections of the document don't match. 

Thank you
Linda Dunbar

-----Original Message-----
From: Matthew A. Miller <[email protected]>
Sent: Wednesday, May 27, 2020 4:55 PM
To: Linda Dunbar <[email protected]>; [email protected]
Cc: [email protected]; [email protected]; 
[email protected]
Subject: Re: Secdir last call review of draft-ietf-cose-webauthn-algorithms-06

Hello Linda,

Thanks for the review.  Speaking on the author's behalf, SHA-2 is defined as 
the collection of hash algorithms, including all of those cited (SHA-256, 
SHA-384, SHA-512).  Do you believe it is critical to call this out explicitly?


- m&m

Matthew A. Miller
On 20/05/26 17:51, Linda Dunbar via Datatracker wrote:
> Reviewer: Linda Dunbar
> Review result: Not Ready
> 
> I have reviewed this document as part of the security directorate's 
> ongoing effort to review all IETF documents being processed by the 
> IESG.  These comments were written primarily for the benefit of the security 
> area directors.
> Document editors and WG chairs should treat these comments just like 
> any other last call comments.
> 
> This document is to list down the COSE&JOSE Algorithms to be 
> registered to IANA. But it seems the description is not complete. In 
> the Section 2: among the
> 4 algorithms listed under RSASSA-PKCS1-v1_5, three are NOT 
> recommended, one is deprecated. Under the Security Consideration 
> (Section 5), Section 5.2 describes why SHA-2 is "Not Recommended", 
> Section 5.3 describes why SHA-1 is "Deprecated".  What about the 
> description on why SHA-512, SHA-384, and SHA-256 are not recommended?  Is 
> the missing description intended?
> 
> Best Regards,
> 
> Linda Dunbar
> 
> 
> 
_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
