Re: RFC 7169 on The NSA (No Secrecy Afforded) Certificate Extension

Al Arsenault <a.arsenault.81@gmail.com> Wed, 02 April 2014 11:44 UTC

In-Reply-To: <533be22e.0382440a.2187.ffff90e5@mx.google.com>
References: <20140401220128.3CD897FC3A9@rfc-editor.org> <m2a9c437i6.wl%randy@psg.com> <533be22e.0382440a.2187.ffff90e5@mx.google.com>
Date: Wed, 02 Apr 2014 07:44:51 -0400
Message-ID: <CAEC7viAbxd=kpKAzMkYUA3L5jXAcp-9kVN1-oyO3=FMpLvcTmw@mail.gmail.com>
Subject: Re: RFC 7169 on The NSA (No Secrecy Afforded) Certificate Extension
From: Al Arsenault <a.arsenault.81@gmail.com>
To: Leaf Yeh <leaf.yeh.sdo@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/pa3d9Ig1uc7l-EtWRdsE1q4mbtA
Cc: IETF Disgust <ietf@ietf.org>

RFC 7169 lacks a needed reference to RFC 3514.  The author should have
specified that if a certificate with the NSA extension set to "TRUE" is
used with IPsec or TLS, the Evil Bit as specified in 3514 SHOULD also be
set in any appropriate IP headers.

I would argue that this is the case even if the subject of the certificate
has no explicit evil intent. That's the best way to characterize the
system.

On Wed, Apr 2, 2014 at 6:10 AM, Leaf Yeh <leaf.yeh.sdo@gmail.com> wrote:

> This extension is needed on Apr. 1st.
>
> Leaf
>
>
> -----Original Message-----
> From: ietf [mailto:ietf-bounces@ietf.org] On Behalf Of Randy Bush
> Sent: Wednesday, April 02, 2014 8:22 AM
> To: IETF Disgust
> Subject: Re: RFC 7169 on The NSA (No Secrecy Afforded) Certificate
> Extension
>
> >         RFC 7169
> >         Title:      The NSA (No Secrecy Afforded)
> >                     Certificate Extension
> >         URL:        http://www.rfc-editor.org/rfc/rfc7169.txt
>
> i do not understand why this extension is needed.  the 5eyes have all your
> keys.  the flag should always be on.  is the real intent that, when the
> extension/flag is not on in a received certificate, then you know it is
> bogus?
>
> randy