I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

[Note this document describes various RSA modes. I am not a cryptographer]

This document is Ready with nits.

This document describes various RSA methods. It explains and describes various attacks and why certain decisions are made for security reasons throughout the document. Therefore, the Security Considerations section simply states:

    Security considerations are discussed throughout this memo.

Which I think is correct. (Although I would use the word "document" instead of "memo", which I think is more common within IETF.)

The only real question I have is regarding this paragraph:

    While RSAES-PKCS1-v1_5 (Section 7.2) and RSASSA-PKCS1-v1_5 (Section 8.2) have traditionally been employed together without any known bad interactions (indeed, this is the model introduced by PKCS #1 v1.5), such a combined use of an RSA key pair is NOT RECOMMENDED for new applications.

I thought that issuing malicious encryption commands to an RSASSA-PKCS1-v1_5 based (software) device could lead to compromise of the private key, and that this was the Bleichenbacher attack? And that forbidding encryption for a signing-only service would have a security advantage?

Nits:

    u distinct odd primes

Do you mean an odd number of primes? As primes are always odd, unless you mean odd in the English sense :)

    Four types of primitive are

Add "s" to primitive?

Paul