Re: [saag] Discuss at SAAG? was Re: nation state crypto profiles - draft-jenkins-cnsa-cmc-profile-00

Jim Schaad <ietf@augustcellars.com> Wed, 03 October 2018 05:04 UTC

From: Jim Schaad <ietf@augustcellars.com>
To: 'Yoav Nir' <ynir.ietf@gmail.com>
CC: 'Paul Wouters' <paul@nohats.ca>, 'Security Area Advisory Group' <saag@ietf.org>
Date: Tue, 02 Oct 2018 22:04:27 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/s9ETJljy8kzaomXYpp9-iWLTSx8>

From: Yoav Nir <ynir.ietf@gmail.com> 
Sent: Tuesday, October 2, 2018 9:16 PM
To: Jim Schaad <ietf@augustcellars.com>
Cc: Paul Wouters <paul@nohats.ca>; Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] Discuss at SAAG? was Re: nation state crypto profiles - draft-jenkins-cnsa-cmc-profile-00

On 3 Oct 2018, at 3:06, Jim Schaad <ietf@augustcellars.com> wrote:

From: saag <saag-bounces@ietf.org> On Behalf Of Yoav Nir
Sent: Tuesday, October 2, 2018 3:03 PM
To: Paul Wouters <paul@nohats.ca>
Cc: Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] Discuss at SAAG? was Re: nation state crypto profiles - draft-jenkins-cnsa-cmc-profile-00

On 3 Oct 2018, at 0:36, Paul Wouters <paul@nohats.ca> wrote:

 

On Tue, 2 Oct 2018, Salz, Rich wrote:

*  (e.g. TLS ciphersuites identifiers) to use them for national-wide purposes 
*  along with "first class" algorithms. 
TLS has moved to “doc required”  Not “RFC required.”  And added a column that says whether it is “recommended” or “no comment.”  This seems like it will work out well.


Similarly, for IKE/IPsec, the IANA registries are Expert Review, not "RFC required"

 

Right. So if SAAG (or the IESG) can guide the designated experts about national crypto, that would be great.

 

Suppose (and this is just an example) the Russian government would like to use TLS 1.3 with the Kuznyechik cipher. This is assuming that it has an AEAD mode defined, so it can be used. They have several options:

1. They can publish a document on gostperevod.com <http://gostperevod.com/> and ask IANA to register the Kuznyechik AEAD in the TLS registries.
2. They can publish a draft (in addition to #1) and then ask IANA to register the Kuznyechik AEAD in the TLS registry while asking the RFC editor to publish.
3. They can publish on gostperevod.com <http://gostperevod.com/> and tell everyone to squat on (0x13, 0x79)

One of the other issues that can arise from doing #1 and not doing #2 is that the version on #1 may not be in a widely understood language whereas the version that would get published as a draft (or RFC) would be in English.

 

They still need to ask IANA for an assignment, and IANA would refer it to the designated experts. Those designated experts (Rich, Nick, and I for TLS) can enforce that the document is available in English. In fact, without requiring this, they could slip a chapter of War and Peace by us and it would get an IANA code point. 

 

It’s not like getting a document past the ISE makes it well-reviewed. How much review did RFC 7801 get?  It’s in English and technical looking. We can enforce that.

 

And it was implemented, the test vectors checked and a rough check was done that the supplied Russian version matched the English version.  That’s more than I would normally expect from a designated expert.

 

jim

 

Yoav