Roman Danyliw has entered the following ballot position for
draft-ietf-ipsecme-qr-ikev2-10: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-ipsecme-qr-ikev2/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

These are all editorial.

** Section 1.  Per “Recent achievements in developing quantum computers …”, is
there a citation?

** Section 1. Per:
   If the preshared key has
   sufficient entropy and the PRF, encryption and authentication
   transforms are quantum-secure, then the resulting system is believed
   to be quantum resistant, that is, invulnerable to an attacker with a
   quantum computer.

-- The definition of quantum resistant doesn’t seem exactly precise.  A
quantum-resistant algorithm isn’t “invulnerable to an attacker with a quantum
computer”, rather isn’t it instead no easier to attack than with known
classical architectures?

-- The first clause says the underlying primitives are quantum-secure, but then
says that this translated into something being quantum-resistant.  I found it
confusing to mix both terms (which sometimes are used interchangeably)

** Section 1.  Per “This document describes a way to extend IKEv2 to have a
similar property; assuming that the two end systems share a long secret key
then the resulting exchange is quantum resistant.”, I stumbled over this
language a bit because I wasn’t sure which property you were referencing – was
it the list of things in the previous paragraph’s last sentence that made it
“quantum-secure”?

** Section 3. Per the description of modified IKEv2 key derivation:

-- Recommend explicitly citing the relevant section:
OLD:
Then, it computes this modification of the standard IKEv2 key derivation:

NEW:
Then, it computes this modification of the standard IKEv2 key derivation from
Section 2.14 of [RFC7296]:

-- Recommend explaining the notation/relationship between the “prime versions”
of the sub-keys (i.e., SK_d’ and SK_pi’ and SK_pr’) in the this SKEYSEED
formula with the SKEYSEED formula in Section 2.14 of [RFC72196].

** Editorial Nits:

-- Section 1.  Editorial. s/this note/this document/ -- trying to be consistent
on how the I-D references itself.

-- Section 4.  Editorial.  Recommended clarity:

OLD:
This will not affect the strength against a
   passive attacker; it would mean that an attacker with a quantum
   computer (which is sufficiently fast to be able to break the (EC)DH
   in real time) would not be able to perform a downgrade attack.

NEW:
This will not alter the resistance to a passive attack as even an attacker with
a quantum computer (which is sufficiently fast to be able to break the (EC)DH
in real time) would not be able to perform a downgrade attack.

-- Section 5.2.3.  Typo. s/Addtionally/Additionally/

-- Section 6.  Typo. s/transmited/transmitted/


_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Reply via email to