Roman Danyliw has entered the following ballot position for draft-ietf-ipsecme-qr-ikev2-10: No Objection

When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)

Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-ipsecme-qr-ikev2/

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

These are all editorial.

** Section 1. Per “Recent achievements in developing quantum computers …”, is there a citation?

** Section 1. Per:

   If the preshared key has sufficient entropy and the PRF, encryption and authentication transforms are quantum-secure, then the resulting system is believed to be quantum resistant, that is, invulnerable to an attacker with a quantum computer.

-- The definition of quantum resistant doesn’t seem exactly precise. A quantum-resistant algorithm isn’t “invulnerable to an attacker with a quantum computer”, rather isn’t it instead no easier to attack than with known classical architectures?

-- The first clause says the underlying primitives are quantum-secure, but then says that this translated into something being quantum-resistant. I found it confusing to mix both terms (which sometimes are used interchangeably).

** Section 1. Per “This document describes a way to extend IKEv2 to have a similar property; assuming that the two end systems share a long secret key then the resulting exchange is quantum resistant.”, I stumbled over this language a bit because I wasn’t sure which property you were referencing – was it the list of things in the previous paragraph’s last sentence that made it “quantum-secure”?

** Section 3. Per the description of modified IKEv2 key derivation:

-- Recommend explicitly citing the relevant section:

OLD:
   Then, it computes this modification of the standard IKEv2 key derivation:

NEW:
   Then, it computes this modification of the standard IKEv2 key derivation from Section 2.14 of [RFC7296]:

-- Recommend explaining the notation/relationship between the “prime versions” of the sub-keys (i.e., SK_d’ and SK_pi’ and SK_pr’) in this SKEYSEED formula with the SKEYSEED formula in Section 2.14 of [RFC7296].

** Editorial Nits:

-- Section 1. Editorial. s/this note/this document/ -- trying to be consistent on how the I-D references itself.

-- Section 4. Editorial. Recommended clarity:

OLD:
   This will not affect the strength against a passive attacker; it would mean that an attacker with a quantum computer (which is sufficiently fast to be able to break the (EC)DH in real time) would not be able to perform a downgrade attack.

NEW:
   This will not alter the resistance to a passive attack as even an attacker with a quantum computer (which is sufficiently fast to be able to break the (EC)DH in real time) would not be able to perform a downgrade attack.

-- Section 5.2.3. Typo. s/Addtionally/Additionally/

-- Section 6. Typo. s/transmited/transmitted/