Re: [lamps] Request for review of revised RFC 5759

Richard Barnes <> Tue, 06 March 2018 21:48 UTC

From: Richard Barnes <>
Date: Tue, 06 Mar 2018 16:48:53 -0500
Message-ID: <>
To: Paul Hoffman <>
Cc: Michael Jenkins <>,

On Feb 20, 2018 21:48, "Paul Hoffman" <> wrote:

> On 31 Jan 2018, at 12:59, Michael Jenkins wrote:
>
>> The first draft updates RFC 5759, and addresses requirements for RFC 5280
>> compliant public-key certificates and CRLs that contain or reference
>> algorithms in the CNSA suite. It is available at <
>> cert-crl-profile-01.txt>. We would appreciate any comments you might have
>> regarding the draft, either via the mail-list or via direct reply.
>
> This looks good on its face. However, I would argue that the reference
> [CNSA] is a normative reference: one cannot evaluate whether the
> requirements in the draft match the requirements in [CNSA] without reading
> and understanding [CNSA].
>
> A big issue, however, is that [CNSA] points to:
> I cannot read that document on any of my browsers because the certificate
> used for TLS is invalid in current browsers, and attempting to switch to
> the HTTP version redirects to the insecure HTTPS version.
>
> I know that this is not something that the authors can fix on their own,
> but I would strongly object to the IETF moving this document forwards as an
> RFC with a normative reference that no one can read without making TLS
> changes in their browsers.

Should we also stop accepting references that are only available over
"http://" URLs?

I might not object to that, but it seems silly to do one of these things and
not the other.

> Lots of US federal agencies have HTTPS web sites that are readable by the
> general public; this should be no different.
>
> --Paul Hoffman
