Hi David,
At 18:44 10-01-2012, david(_dot_)black(_at_)emc(_dot_)com wrote:
I am the assigned Gen-ART reviewer for this draft. For background on
Gen-ART, please
I appreciate that you have spent your time and effort in performing
the review. I find the review useful.
From a pure security perspective, use of HMAC with specified secure hashes
(SHA2-family) and an approach of hashing the "redaction key" down to a binary
key for HMAC would be a stronger approach. I suggest that authors consider
approach, but there may be practical usage concerns that suggest
not adopting it.
[2] The second open issue is absence of security considerations for
the redaction
key. The security considerations section needs to caution that the
redaction key
is a secret key that must be managed and protected as a secret
key. Disclosure
of a redaction key removes the redaction from all reports that used that key.
As part of this, guidance should be provided on when and how to change the
redaction key in order to limit the effects of loss of secrecy for a single
redaction key.
The comments are from a security perspective. To be candid,
redaction is silly as the email folks know how to get around
that. The secret key does not even have to be broken; a cookie in
the message would get you the information you want. The cost of
preserving the secrecy is not worth it in my opinion.
Regards,
-sm
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf