
Re: Comments from the IAB on NIST SP 800-90A Proceeding

2013-10-24 02:29:20
On Thu, Oct 24, 2013 at 7:39 AM, Abdussalam Baryun
<abdussalambaryun(_at_)gmail(_dot_)com> wrote:
> Hi Russ
>
> The comment has a statement which I am against;
> IETF standards depend on NIST standards and the process by which they are
> developed.
>
> The statement contradicts the first, that IETF references also other
> government algorithms.

I do not see a contradiction. I think that the sentence is to be
interpreted as "SOME IETF standards depend on SOME NIST standard."
This is true and it does not rule out that some IETF standards can
depend on other standards (or any standard at all).

Clearly the concern is that if some NIST standard is considered
"suspect" because of a loss of transparency (e.g., the PRNG based on
elliptic curves), the same loss of trustfulness will taint any IETF
standard that uses it.  IETF standards that do not use NIST products
are clearly not affected by this.

> Is this a specific or general dependence? And do IETF standards really
> depend on NIST standard process and development? Is the statement talking
> about all IETF security standards?
>
> Best regards
> Abdussalam
>
> On Wednesday, October 23, 2013, IAB Chair wrote:
>
>> Today, the IAB sent comments to the US National Institute for Standards
>> and Technology (NIST) in the matter of the NIST Special Publication 800-90A
>> (Recommendation for Random Number Generation Using Deterministic Random Bit
>> Generators) review proceeding.  In the statement, the IAB supports
>> re-opening of the comment period on NIST SP 800-90A, and the IAB also makes
>> recommendations relating to the review process for cybersecurity and
>> cryptographic standards to enhance transparency and openness.
>>
>> The full statement is available from the IAB website:
>> http://www.iab.org/wp-content/IAB-uploads/2013/10/IAB-NIST-FINAL.pdf
>>
>> On behalf of the IAB,
>>  Russ Housley
>>  IAB Chair