
kmip-comment message



Subject: Comments on the KMIP specification


I have reviewed the KMIP Spec V1.4. Attached are my comments:

 

1. There are several references to NIST standards that are out of date: FIPS 180-4 was updated in 2015. FIPS 186-4 was updated in 2013. NIST SP 800-38A had an addendum in 2010. NIST SP 800-38B was updated in 2016. NIST SP 800-38C was updated in 7/2007. NIST SP 800-57-1 was updated in 2016.

2. Several of the listed algorithms, such as MD2, MD4, and MD5, have not been approved by NIST, so why are they included?

3. 9.1.3.2.7: RSA is listed as “RSA Encryption”. These are digital signature algorithms. RSA encryption is a different algorithm used for key transport.

4. The SHA3 algorithms are not listed.

5. Listed is a “NIST key wrap algorithm.” The algorithm referenced is AES key wrap.

6. Many of the algorithms have limitations specified by NIST, such as disallowed, acceptable, for legacy use. These use limitations would be useful to include.

 

THANKS….

 

Annabelle Lee

 

Principal Technical Executive

 

Alee@epri.com

202.293.6345 (w)

202.316.3461 (c)

 

Electric Power Research Institute (EPRI)

1325 G St., NW, Suite 1080

Washington, DC 20005

 

Together...Shaping the Future of Electricity

 


