Re: [saag] Discuss at SAAG? was Re: nation state crypto profiles - draft-jenkins-cnsa-cmc-profile-00

Paul Wouters <paul@nohats.ca> Tue, 02 October 2018 21:43 UTC

Date: Tue, 02 Oct 2018 17:43:44 -0400
From: Paul Wouters <paul@nohats.ca>
To: Carl Wallace <carl@redhoundsoftware.com>
cc: saag@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/BsjgLiKK2UuvAV4xwCVHUj7qG2c>

On Tue, 2 Oct 2018, Carl Wallace wrote:

> What's the difference between a nation state profile and a similar or same
> profile that has been marshaled through a commercial entity?
> What's the difference between a nation state profile and a profile from a
> very large company? Is a market cap limit next?
> Would elimination of all affiliation flatten the space in a good way or is
> the current truth in packaging preferred?

These are good questions for a SAAG discussion.

If we have an industry-wide recommendation, I think that could qualify
for an IETF reviewed and published document. And I feel external entities
dictating algorithms or bypassing IETF review via the Independent Stream
Editor should not be published by the IETF/ISE.

Some of this work for recommending algorithms is already done by the IETF,
for example see RFC 4307/8247 and RFC 7321/8221, and I think these kinds
of usage documents are within the scope of the IETF. And I believe
recommendations by the relevant WGs such as IPsecME or TLS are where this
kind of work needs to happen, if the end result is the publication of an
RFC.

Paul

> On 10/2/18, 10:57 AM, "saag on behalf of Paul Wouters"
> <saag-bounces@ietf.org on behalf of paul@nohats.ca> wrote:
>
>>
>> I think this group is a better discussion place for this item.
>>
>> Can we add this to the agenda for Bangkok to discuss?
>>
>> Paul
>>
>> ---------- Forwarded message ----------
>> Date: Fri, 28 Sep 2018 15:40:46
>> From: Paul Wouters <paul@nohats.ca>
>> Cc: IETF <ietf@ietf.org>
>> To: Russ Housley <housley@vigilsec.com>
>> Subject: Re: nation state crypto profiles -
>> draft-jenkins-cnsa-cmc-profile-00
>>
>> On Fri, 28 Sep 2018, Russ Housley wrote:
>>
>>> That thread came to the conclusion that the IETF should not process
>>> profiles for any nation states.  In my opinion, there is value in
>>> making it easy for implementers to find such profiles.  So, if the
>>> Independent Stream Editor is willing to process such profiles, they
>>> can be published as RFCs, which would not consume any resources from
>>> the IETF leadership.
>>
>> I do not agree the thread came to that conclusion. I see people
>> disagreed and stopped the discussion, because everyone agreed the
>> draft in question to make Suite B historic was not disputed.
>>
>> People outside the IETF do not understand the subtleties of different
>> IETF streams, and having an RFC is seen as a stamp of approval of
>> the international community. Therefore, I do indeed believe we should
>> not make the same mistake again.
>>
>> The USG seems to be doing a fine job making FIPS publications available
>> without these being enshrined in RFCs.
>>
>> I am against the IETF publishing CNSA or any other nation state
>> cryptography profiles.
>>
>> Paul