With respect to the FIPS 186 references, as it's been explained to me, FIPS
186-1 allowed 512-1024, FIPS 186-2 without Change Notice 1 allowed 512-1024,
FIPS 186-2 with Change Notice 1 only allows 1024, FIPS 186-3 allows
1024-3072 and adds the SHA2 family (we should point to
draft-ietf-pkix-sha2-dsa-ecdsa). I think we need to add the following in 4.3
because the different versions of FIPS changed which keys are allowed:

For 512-bit RSA with SHA-1 see [RFC3279] and [FIPS186-2] without Change
Notice 1, for 512-bit RSA with SHA-256 RSA see [RFC4055] and [FIPS186-2]
without Change Notice 1, for 1024-bit through 3072-bit RSA with SHA-256 see
[RFC4055] and [FIPS186-2] with Change Notice 1, and for 4096-bit RSA with
SHA-256 see [RFC4055] and [RFC3447]. The first reference provides the
signature algorithm's object identifier and the second provides the
signature algorithm's definition.

For 512-bit DSA with SHA-1 see [RFC3279] and [FIPS186-2] without Change
Notice 1, for 512-bit DSA with SHA-256 see [KEYMALG2] and [FIPS186-2]
without Change Notice 1, for 1024-bit DSA with SHA-1 see [RFC3279] and
[FIPS186-2] with Change Notice 1, for 1024-bit DSA with SHA-256 see [KEYMALG2]*
and [FIPS186-2] with Change Notice 1. The first reference provides the
signature algorithm's object identifier and the second provides the
signature algorithm's definition.

For 512-4096-bit RSA-PSS with SHA-256 see [RSAPSS].

* KEYMALG2 refers to: Dang, Q., Santesson, S., Moriarty, K., Brown, D., and
T. Polk, "Internet X.509 Public Key Infrastructure: Additional Algorithms
and Identifiers for DSA and ECDSA", draft-ietf-pkix-sha2-dsa-ecdsa,
work-in-progress.

We also need to change the security considerations rationale for why we
don't go bigger than 2048-bit DSA from:

In particular, [FIPS186-3] defines DSA key sizes between up to 1024 bits.

To:

In particular, [FIPS186-2] without Change Notice 1 allowed DSA key sizes
between 512 and 1024 bits and [FIPS186-2] with Change Notice 1 only allowed
DSA key sizes of 1024 bits.

We also need to revert back to FIPS 186-2; we don't need to point to FIPS
186-3.

spt

-----Original Message-----
From: owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org
[mailto:owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of Alfred Hönes
Sent: Friday, September 26, 2008 1:16 PM
To: ietf-smime(_at_)imc(_dot_)org
Subject: draft-ietf-smime-3850bis-06 rqmts inconsistency

Folks,

after a couple of draft revisions, I have undertaken a new
review of the latest S/MIME v3.2 Cert Handling draft,
draft-ietf-smime-3850bis-06.

The (very few) editorial issues I found have been communicated
off-list to the authors.

The single technical issue I found concerns Section 4.3 (and
the related security considerations):

The last lines in 4.3, ...
+ The following are the DSA key size requirements for S/MIME
receiving
+ agents during certificate and CRL signature verification:
+
+ 512 <= key size <= 1024 : MAY (see Section 6)
... are not reasonable, since in the first part of the
section, 'DSA with SHA-256' is listed as SHOULD+, and 'DSA with SHA-1'
is listed as SHOULD- .

If there are SHOULD requirements for DSA, then at least one
key size for DSA needs to have at least the same requirements
level, doesn't it?

This topic has a related discussion in the Security
Considerations of the draft, the penultimate paragraph of Sec
6, which seems to be outdated by FIPS 186-3.
It looks like the shift in the Ref. from 186-2 to 186-3 has
introduced inconsistencies into the draft.

So what are the proper requirements to be posed for supported
DSA key size? (That's 'L' in FIPS 186-3, isn't it?)
Please take Section 4.2 of FIPS 186-3 into consideration;
there, key sizes L of 1024, 2048, and 3072 are specified.

Kind regards,
Alfred.

--
+------------------------+--------------------------------------------+
| TR-Sys Alfred Hoenes   | Alfred Hoenes Dipl.-Math., Dipl.-Phys.     |
| Gerlinger Strasse 12   | Phone: (+49)7156/9635-0, Fax: -18          |
| D-71254 Ditzingen      | E-Mail: ah(_at_)TR-Sys(_dot_)de            |
+------------------------+--------------------------------------------+