John;
I will add your comment below as the second paragraph of Section 4. You are
correct, it does clarify the discussion.
Robert.
----------
From: Linn, John[SMTP:jlinn(_at_)rsasecurity(_dot_)com]
Sent: Thursday, December 02, 1999 11:17 AM
To: 'Robert Zuccherato'; ietf-smime(_at_)imc(_dot_)org
Cc: 'Burt Kaliski'
Subject: RE: Working Group Last Call:
draft-ietf-smime-small-subgroup-02.t xt
Robert,
Thanks for your quick and thoughful consideration of the comments. Your
responses look good; we've a residual content-level observation to make on
only one item:
[Sec. 4]
Re: "This isn't clear to me. For example, if an attacker modified both
public keys to be yb=ya=1 and the parties authenticated each other over a
telephone conversation in which they read out the agreed upon key. Now,
they
will both agree on the same key and they will have a certain level of
authentication, but the attacker will be able to eavesdrop. Thus, it is
important that each party's *public key* be authenticated, which is the
point I was trying to make with this section. However, I agree that the
way
things are presently worded may be misleading. I will change the first
sentence of the second paragraph to "In some ephemeral-ephemeral key
agreements protection may be required for both entities." "
Good points. As you observe, E-E gives an attacker more flexibility since
both parties' public keys can be changed and they can be coerced into
computing the same key from a small space. In E-S, only the sender's
public
key can be changed, and only the recipient can be coerced by an outsider
attacker into computing a key from a small space. While this may be
apparent, it seems useful to state explicitly for purposes of clarifying
comparison.
[Sec. 3, minor editorial]
Re: How about if I add a sentence following the first paragraph of Section
3
stating "Implementer's should note that some of the procedures described
in
this section may be the subject of patents or pending patents."
"Implementer's" -> "Implementers".
--jl