----- Original Message -----
From: "Kathleen Moriarty" <[email protected]>
Sent: Tuesday, May 12, 2015 8:27 PM

> Kathleen Moriarty has entered the following ballot position for
> draft-ietf-opsawg-hmac-sha-2-usm-snmp-06: Yes
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-opsawg-hmac-sha-2-usm-snmp/
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> Thanks for your work on this draft! It's great to see the improvements
> in security.
>
> This is just a comment and not critical at all... I found this sentence at
> the bottom of the second bullet of 4.1 a little odd:
>
>    as opposed to the truncation to 12 octets in HMAC-MD5-96 and HMAC-
>    SHA-96.
>
> Since the guideline is to truncate the size in half and have 80 or more
> bits for a HMAC, you are covered and already cite the appropriate RFCs.
> Is this there just for history of previous solutions? Or would it be
> better to just state the guidance so folks understand why you chose the
> truncation size? You can do nothing with my comment, it's just a
> question as the text had me curious. And I see that you have included
> the HMAC truncation guidance in the security considerations section
> already.
>
> Kathleen

I am puzzled. That section, 4.1, is entitled "Deviations from the HMAC-SHA-96 Authentication Protocol" (and HMAC-MD5-96 is then added in the first paragraph). It goes on to say

   "Precisely, they differ from the HMAC-MD5-96 and HMAC-SHA-96 authentication protocols in the following aspects: "

so omitting that last sentence would seem, IMHO, to weaken that 'precisely'.

As you say, the Security Considerations do do a good job of covering the idea of truncation in general. So I think that that sentence you comment on has a place in the I-D.

Tom Petch

_______________________________________________
OPSAWG mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsawg
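The truncation guideline the two messages above refer to (RFC 2104 section 5: keep at least half the hash output and at least 80 bits) and the 12-octet HMAC-MD5-96 / HMAC-SHA-96 truncation of RFC 3414 are easy to check mechanically. The following is an added example, not part of this thread or of the draft, and not code from the I-D's authors. It implements the guideline check, then the RFC 3414 USM procedure of computing the HMAC over the message with the msgAuthenticationParameters field zeroed and writing the left-truncated MAC into that field. The sample key, the byte layout of the sample message and the `params_offset` value are constructed for the demo and are not real BER-encoded SNMPv3.

```python
"""Truncated-HMAC checks for SNMPv3 USM authentication (added example)."""
import hashlib
import hmac

# RFC 2104 section 5: a truncated HMAC output should be at least half the
# hash output length and at least 80 bits.
MIN_MAC_BITS = 80

# The two legacy USM protocols named in the thread (RFC 3414): HMAC-MD5 and
# HMAC-SHA-1, each truncated to 12 octets (96 bits).
LEGACY_PROTOCOLS = {
    "HMAC-MD5-96": ("md5", 12),
    "HMAC-SHA-96": ("sha1", 12),
}


def min_truncation_octets(hash_name):
    """Smallest truncated length (octets) the RFC 2104 guideline allows."""
    digest_octets = hashlib.new(hash_name).digest_size
    half = (digest_octets + 1) // 2
    return max(half, MIN_MAC_BITS // 8)


def check_truncation(hash_name, mac_octets):
    """Return (ok, reason) for a proposed truncation of the named hash."""
    digest_octets = hashlib.new(hash_name).digest_size
    if mac_octets > digest_octets:
        return False, "longer than the %d-octet digest" % digest_octets
    if mac_octets * 2 < digest_octets:
        return False, "shorter than half the digest"
    if mac_octets * 8 < MIN_MAC_BITS:
        return False, "shorter than %d bits" % MIN_MAC_BITS
    return True, "ok"


def audit(protocols):
    """Check every name -> (hash, octets) entry; returns {name: (ok, reason)}."""
    return {name: check_truncation(h, n) for name, (h, n) in protocols.items()}


def truncated_hmac(key, message, hash_name, mac_octets):
    """HMAC over message, keeping only the leading mac_octets (left truncation)."""
    return hmac.new(key, message, hash_name).digest()[:mac_octets]


def _with_zeroed_params(msg, params_offset, mac_octets):
    """Copy of msg with the msgAuthenticationParameters bytes set to zero."""
    return msg[:params_offset] + b"\x00" * mac_octets + msg[params_offset + mac_octets:]


def usm_authenticate(key, msg, params_offset, hash_name, mac_octets):
    """RFC 3414 outgoing procedure: MAC over the message with the parameters
    field zeroed, then the truncated MAC is written into that field.
    params_offset is assumed to be the byte offset of that field in msg."""
    mac = truncated_hmac(key, _with_zeroed_params(msg, params_offset, mac_octets),
                         hash_name, mac_octets)
    return msg[:params_offset] + mac + msg[params_offset + mac_octets:]


def usm_verify(key, msg, params_offset, hash_name, mac_octets):
    """RFC 3414 incoming procedure: take the received MAC out of the field,
    recompute over the zeroed message, and compare in constant time."""
    received = msg[params_offset:params_offset + mac_octets]
    if len(received) != mac_octets:
        return False
    expected = truncated_hmac(key, _with_zeroed_params(msg, params_offset, mac_octets),
                              hash_name, mac_octets)
    return hmac.compare_digest(received, expected)


# Constructed sample: a stand-in for a serialized SNMPv3 message with a
# placeholder where msgAuthenticationParameters would sit (not real BER).
SAMPLE_KEY = b"\x11" * 20            # constructed localized authKey (SHA-1 size)
SAMPLE_HEADER = b"snmpv3-header:"
SAMPLE_PAYLOAD = b":scopedPDU-bytes"
SAMPLE_OFFSET = len(SAMPLE_HEADER)   # assumed offset of the parameters field


def sample_message(mac_octets):
    return SAMPLE_HEADER + b"\x00" * mac_octets + SAMPLE_PAYLOAD


def demo():
    """Authenticate with HMAC-SHA-96, verify, then flip one payload byte."""
    proto, octets = LEGACY_PROTOCOLS["HMAC-SHA-96"]
    signed = usm_authenticate(SAMPLE_KEY, sample_message(octets), SAMPLE_OFFSET, proto, octets)
    genuine_ok = usm_verify(SAMPLE_KEY, signed, SAMPLE_OFFSET, proto, octets)
    tampered = signed[:-1] + bytes([signed[-1] ^ 0x01])
    tampered_ok = usm_verify(SAMPLE_KEY, tampered, SAMPLE_OFFSET, proto, octets)
    return genuine_ok, tampered_ok


if __name__ == "__main__":
    for name, (ok, reason) in audit(LEGACY_PROTOCOLS).items():
        print(name, ok, reason)
    print("sha256 minimum truncation (octets):", min_truncation_octets("sha256"))
    print("demo (genuine verifies, tampered rejected):", demo())
```

Running `audit` over the two legacy protocols shows why Kathleen's reading is right: 12 octets of a 16-octet MD5 HMAC or a 20-octet SHA-1 HMAC already satisfies both halves of the guideline, so the half-length rule alone does not single out 12 octets for the SHA-2 variants. The comparison uses `hmac.compare_digest` rather than `==` because a verifier that stops at the first mismatching byte leaks how much of the forged MAC was correct.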
