Re: [lamps] [Non-DoD Source] Re: Request for review of revised RFC 5759

Michael Jenkins <mjjenki@tycho.ncsc.mil> Wed, 21 February 2018 15:45 UTC

To: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: spasm@ietf.org
References: <863b6e71-c179-3856-9edf-28e8306031e4@tycho.ncsc.mil> <ABF94A28-87F1-40D3-942C-1CE2C5EEFF92@vpnc.org>
From: Michael Jenkins <mjjenki@tycho.ncsc.mil>
Message-ID: <fb50f0ad-85b1-2b53-cfd1-e9fe5a7a27cb@tycho.ncsc.mil>
Date: Wed, 21 Feb 2018 10:44:50 -0500
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/RgTn5vriymQVbjF_8dLeZ7JZjWk>
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>

Paul,

Good point. And... grr. This is a problem we stumble over infrequently 
but painfully. You can load the US DOD roots from 
<https://iase.disa.mil/pki-pke/Pages/tools.aspx> to make it work, but we 
realize that's not acceptable.

We're working this issue and will respond in the next few days (and bump 
the draft with a corrected reference).

Thanks for the review.

On 02/20/2018 09:48 PM, Paul Hoffman wrote:
> On 31 Jan 2018, at 12:59, Michael Jenkins wrote:
>
>> The first draft updates RFC 5759, and addresses requirements for RFC 
>> 5280 compliant public-key certificates and CRLs that contain or 
>> reference algorithms in the CNSA suite. It is available at 
>> <https://www.ietf.org/internet-drafts/draft-jenkins-cnsa-cert-crl-profile-01.txt>. 
>> We would appreciate any comments you might have regarding the draft, 
>> either via the mail-list or via direct reply.
>
> This looks good on its face. However, I would argue that the reference 
> [CNSA] is a normative reference: one cannot evaluate whether the 
> requirements in the draft match the requirements in [CNSA] without 
> reading and understanding [CNSA].
>
> A big issue, however, is that [CNSA] points to:
>    https://www.iad.gov/iad/programs/iad-initiatives/cnsa-suite.cfm
> I cannot read that document on any of my browsers because the 
> certificate used for TLS is invalid in current browsers, and 
> attempting to switch to the HTTP version redirects to the insecure 
> HTTPS version.
>
> I know that this is not something that the authors can fix on their 
> own, but I would strongly object to the IETF moving this document 
> forwards as an RFC with a normative reference that no one can read 
> without making TLS changes in their browsers. Lots of US federal 
> agencies have HTTPS web sites that are readable by the general public; 
> this should be no different.
>
> --Paul Hoffman
>