On Tue, 19 Apr 2016, Valery Smyslov wrote:
And you think the paragraph above is not clear enough? If not then
provide text that will say it even more clearly.
I think all these changes are good. If I don't hear any objections from
the co-authors in the next day or so, I'll push them through.
Paul
Section 4.2:
Old:
Recommendations for when a hash function is involved in a signature:
New:
When the Digital Signature authentication method is implemented, the
following recommendations apply to hash functions:
(stress that this table is concerned only with Digital Signature
Authentication method).
Old:
With the use of Digital Signature, RSASSA-PKCS1-v1.5 MAY be
implemented. RSASSA-PSS MUST be implemented.
New:
When the Digital Signature authentication method is used with the RSA
signature algorithm, RSASSA-PSS MUST be supported and RSASSA-PKCS1-v1.5 MAY
be supported.
(stress that this requirement applies to RSA only, not to ECDSA etc.)
Old:
Recommendation of Authentication Method described in [RFC7427]
notation:
+------------------------------------+------------+---------+
| Description                        | Status     | Comment |
+------------------------------------+------------+---------+
| RSASSA-PSS with SHA-256            | SHOULD     |         |
| ecdsa-with-sha256                  | SHOULD     |         |
| sha1WithRSAEncryption              | SHOULD NOT |         |
| dsa-with-sha1                      | SHOULD NOT |         |
| ecdsa-with-sha1                    | SHOULD NOT |         |
| RSASSA-PSS with Empty Parameters   | SHOULD NOT |         |
| RSASSA-PSS with Default Parameters | SHOULD NOT |         |
+------------------------------------+------------+---------+
New:
The following table lists recommendations for authentication methods in
[RFC7427] notation. These recommendations apply only if the Digital
Signature authentication method is implemented.
+------------------------------------+------------+---------+
| Description                        | Status     | Comment |
+------------------------------------+------------+---------+
| RSASSA-PSS with SHA-256            | MUST       |         |
| ecdsa-with-sha256                  | SHOULD     |         |
| sha1WithRSAEncryption              | SHOULD NOT |         |
| dsa-with-sha1                      | SHOULD NOT |         |
| ecdsa-with-sha1                    | SHOULD NOT |         |
| RSASSA-PSS with Empty Parameters   | SHOULD NOT |         |
| RSASSA-PSS with Default Parameters | SHOULD NOT |         |
+------------------------------------+------------+---------+
(RSASSA-PSS with SHA-256 changed to MUST, so that there is no confusion
with the above statements; at the same time, text was added clarifying
that these recommendations are only applicable if Digital Signature
authentication is implemented, which is SHOULD according to Table 6.)
Regards,
Valery.
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
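As an added example, not text from the draft or from either message above: the table rows are really statements about the DER AlgorithmIdentifier that RFC 7427 puts in front of the signature, and the two RSASSA-PSS rows marked SHOULD NOT are the encodings in which no hash is named at all (parameters absent, or an empty SEQUENCE), so the RFC 4055 defaults of SHA-1, MGF1 with SHA-1 and salt length 20 apply. The code below builds those AlgorithmIdentifiers with hand-rolled DER, wraps them in the RFC 7427 Authentication Data layout, and maps each back to the requirement level in the proposed table (plus the PKCS#1 v1.5 MAY from the proposed Section 4.2 text). The OIDs are the standard ones; the encoder omits the defaulted trailerField as DER requires, so the bytes are not claimed to match the RFC 7427 Appendix A samples octet for octet.

```python
# Added example: RFC 7427 AlgorithmIdentifier construction and classification
# against the requirement levels proposed in the thread. Stdlib only.
OID_RSASSA_PSS   = "1.2.840.113549.1.1.10"
OID_RSA_SHA1     = "1.2.840.113549.1.1.5"    # sha1WithRSAEncryption
OID_RSA_SHA256   = "1.2.840.113549.1.1.11"   # sha256WithRSAEncryption (RSASSA-PKCS1-v1.5)
OID_MGF1         = "1.2.840.113549.1.1.8"
OID_SHA1         = "1.3.14.3.2.26"
OID_SHA256       = "2.16.840.1.101.3.4.2.1"
OID_ECDSA_SHA1   = "1.2.840.10045.4.1"
OID_ECDSA_SHA256 = "1.2.840.10045.4.3.2"
OID_DSA_SHA1     = "1.2.840.10040.4.3"

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def encode_oid(dotted):
    """OBJECT IDENTIFIER TLV: first two arcs merged, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def decode_oid(content):
    """Inverse of encode_oid for the OIDs used here (first octet is 40*a + b)."""
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def hash_alg_id(hash_oid):
    """Hash AlgorithmIdentifier with explicit NULL parameters (RFC 4055 style)."""
    return der(0x30, encode_oid(hash_oid) + b"\x05\x00")

def pss_params(hash_oid, salt_len):
    """RSASSA-PSS-params: hash, MGF1 with the same hash, explicit saltLength.
    trailerField keeps its default and is omitted, as DER requires."""
    mgf = der(0x30, encode_oid(OID_MGF1) + hash_alg_id(hash_oid))
    salt = der(0x02, bytes([salt_len]))          # salt lengths below 128 only
    return der(0x30, der(0xA0, hash_alg_id(hash_oid)) + der(0xA1, mgf) + der(0xA2, salt))

def algorithm_identifier(sig_oid, params=b""):
    return der(0x30, encode_oid(sig_oid) + params)

def auth_data(alg_id, signature):
    """RFC 7427 Authentication Data: one-octet ASN.1 length, AlgorithmIdentifier, signature."""
    return bytes([len(alg_id)]) + alg_id + signature

def split_auth_data(data):
    n = data[0]
    return data[1:1 + n], data[1 + n:]

def _hash_oid_of(alg_id_tlv):
    _, content, _ = read_tlv(alg_id_tlv)
    _, oid, _ = read_tlv(content)
    return decode_oid(oid)

TABLE = {   # rows of the proposed table, plus the PKCS#1 v1.5 MAY from the draft text
    OID_RSA_SHA1:     ("sha1WithRSAEncryption", "SHOULD NOT"),
    OID_DSA_SHA1:     ("dsa-with-sha1", "SHOULD NOT"),
    OID_ECDSA_SHA1:   ("ecdsa-with-sha1", "SHOULD NOT"),
    OID_ECDSA_SHA256: ("ecdsa-with-sha256", "SHOULD"),
    OID_RSA_SHA256:   ("sha256WithRSAEncryption (RSASSA-PKCS1-v1.5)", "MAY"),
}

def classify(alg_id):
    """Map an AlgorithmIdentifier TLV to (description, requirement level)."""
    tag, content, _ = read_tlv(alg_id)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    _, oid, pos = read_tlv(content)
    sig, params = decode_oid(oid), content[pos:]
    if sig in TABLE:
        return TABLE[sig]
    if sig != OID_RSASSA_PSS:
        return (sig, "not listed")
    if params == b"":                             # no parameters field at all
        return ("RSASSA-PSS with Empty Parameters", "SHOULD NOT")
    _, pcontent, _ = read_tlv(params)
    if pcontent == b"":                           # empty SEQUENCE: every field defaulted to SHA-1
        return ("RSASSA-PSS with Default Parameters", "SHOULD NOT")
    fields, p = {}, 0
    while p < len(pcontent):
        t, c, p = read_tlv(pcontent, p)
        fields[t] = c
    h = _hash_oid_of(fields[0xA0]) if 0xA0 in fields else OID_SHA1     # RFC 4055 defaults
    mgf_h = OID_SHA1
    if 0xA1 in fields:
        _, mgf_content, _ = read_tlv(fields[0xA1])
        _, _, q = read_tlv(mgf_content)           # skip the MGF1 OID, hash AlgId follows
        mgf_h = _hash_oid_of(mgf_content[q:])
    if h == OID_SHA256 and mgf_h == OID_SHA256:
        return ("RSASSA-PSS with SHA-256", "MUST")
    return (f"RSASSA-PSS with hash {h}, MGF1 hash {mgf_h}", "not listed")

if __name__ == "__main__":
    fake_sig = b"\x00" * 256                      # constructed placeholder, not a real signature
    for alg in (algorithm_identifier(OID_RSASSA_PSS, pss_params(OID_SHA256, 32)),
                algorithm_identifier(OID_RSASSA_PSS),
                algorithm_identifier(OID_RSASSA_PSS, b"\x30\x00"),
                algorithm_identifier(OID_RSA_SHA1, b"\x05\x00"),
                algorithm_identifier(OID_ECDSA_SHA256)):
        got, _ = split_auth_data(auth_data(alg, fake_sig))
        print(alg.hex(), classify(got))
```

The point a verifier should take from this is that "RSASSA-PSS" on its own says nothing about the hash: a peer that sends the 13-octet AlgorithmIdentifier with no parameters, or the 15-octet one with an empty SEQUENCE, is asking for SHA-1, so the check has to look at the hashAlgorithm and maskGenAlgorithm fields rather than stop at the signature OID.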