The first half of this errata must be rejected. We do not change the ASN.1
for something like this under just about any circumstances.
Changing the recommendation of a value should probably not be done by an
erratum but by publishing a new document. We could make discuss and make
the recommendation change in the new S/MIME document in the LAMPS group
rather than in this document.
Jim
-----Original Message-----
From: smime [mailto:smime-bounces(_at_)ietf(_dot_)org] On Behalf Of RFC
Errata System
Sent: Thursday, August 11, 2016 11:48 AM
To: housley(_at_)vigilsec(_dot_)com;
stephen(_dot_)farrell(_at_)cs(_dot_)tcd(_dot_)ie;
Kathleen(_dot_)Moriarty(_dot_)ietf(_at_)gmail(_dot_)com;
paul(_dot_)hoffman(_at_)vpnc(_dot_)org;
blaker(_at_)gmail(_dot_)com
Cc: quannguyen(_at_)google(_dot_)com; rfc-editor(_at_)rfc-editor(_dot_)org;
smime(_at_)ietf(_dot_)org
Subject: [smime] [Technical Errata Reported] RFC5084 (4774)
The following errata report has been submitted for RFC5084, "Using AES-CCM
and AES-GCM Authenticated Encryption in the Cryptographic Message Syntax
(CMS)".
--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata_search.php?rfc=5084&eid=4774
--------------------------------------
Type: Technical
Reported by: QUAN NGUYEN <quannguyen(_at_)google(_dot_)com>
Section: 3.2
Original Text
-------------
aes-ICVlen AES-GCM-ICVlen DEFAULT 12
A length of 12 octets is RECOMMENDED.
Corrected Text
--------------
aes-ICVlen AES-GCM-ICVlen DEFAULT 16
A length of 16 octets is RECOMMENDED.
Notes
-----
Many JCE providers including OpenJDK, BouncyCastle, Conscrypt have a bug
to
use 12 bytes authentication tag (aes-ICVlen) as default if the code path
[1] uses
CMS. According to Ferguson's attack
(http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-
GCM/Ferguson2.pdf), if a user encrypts 2^32 block length message, then 12
bytes authentication tag length has only 96 - 32 = 64 bits security which
is not
good enough nowadays. Furthermore, once a forgery happens then
authentication is leaked.
[1] In other code paths, all providers use 16 bytes authentication tag as
default.
Instructions:
-------------
This erratum is currently posted as "Reported". If necessary, please use
"Reply
All" to discuss whether it should be verified or rejected. When a decision
is
reached, the verifying party (IESG) can log in to change the status and
edit the
report, if necessary.
--------------------------------------
RFC5084 (draft-ietf-smime-cms-aes-ccm-and-gcm-03)
--------------------------------------
Title : Using AES-CCM and AES-GCM Authenticated Encryption
in the
Cryptographic Message Syntax (CMS)
Publication Date : November 2007
Author(s) : R. Housley
Category : PROPOSED STANDARD
Source : S/MIME Mail Security
Area : Security
Stream : IETF
Verifying Party : IESG
_______________________________________________
smime mailing list
smime(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/smime
_______________________________________________
smime mailing list
smime(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/smime