Re: [saag] Discuss at SAAG? was Re: nation state crypto profiles - draft-jenkins-cnsa-cmc-profile-00

Yoav Nir <ynir.ietf@gmail.com> Wed, 03 October 2018 04:16 UTC



On 3 Oct 2018, at 3:06, Jim Schaad <ietf@augustcellars.com> wrote:

 
 
From: saag <saag-bounces@ietf.org> On Behalf Of Yoav Nir
Sent: Tuesday, October 2, 2018 3:03 PM
To: Paul Wouters <paul@nohats.ca>
Cc: Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] Discuss at SAAG? was Re: nation state crypto profiles - draft-jenkins-cnsa-cmc-profile-00
 
 


> On 3 Oct 2018, at 0:36, Paul Wouters <paul@nohats.ca> wrote:
>  
> On Tue, 2 Oct 2018, Salz, Rich wrote:
> 
> 
>> *  (e.g. TLS ciphersuites identifiers) to use them for national-wide purposes 
>> *  along with "first class" algorithms. 
>> TLS has moved to “doc required”  Not “RFC required.”  And added a column that says whether it is “recommended” or “no comment.”  This seems like it will work out well.
> 
> Similarly, for IKE/IPsec, the IANA registries are Expert Review, not "RFC required"

 
Right. So if SAAG (or the IESG) can guide the designated experts about national crypto, that would be great.
 
Suppose (and this is just an example) the Russian government would like to use TLS 1.3 with the Kuznyechik cipher. This is assuming that it has an AEAD mode defined, so it can be used. They have several options:
1. They can publish a document on gostperevod.com <http://gostperevod.com/> and ask IANA to register the Kuznyechik AEAD in the TLS registries.
2. They can publish a draft (in addition to #1) and then ask IANA to register the Kuznyechik AEAD in the TLS registry while asking the RFC editor to publish.
3. They can publish on gostperevod.com <http://gostperevod.com/> and tell everyone to squat on (0x13, 0x79)
One of the other issues that can arise from doing #1 and not doing #2 is that the version on #1 may not be in a widely understood language whereas the version that would get published as a draft (or RFC) would be in English.

They still need to ask IANA for an assignment, and IANA would refer it to the designated experts. Those designated experts (Rich, Nick, and I for TLS) can enforce that the document is available in English. In fact, without requiring this, they could slip a chapter of War and Peace by us and it would get an IANA code point. 

It’s not like getting a document past the ISE makes it well-reviewed. How much review did RFC 7801 get?  It’s in English and technical looking. We can enforce that.

Yoav