Re: [lamps] [Non-DoD Source] Re: Request for review of revised RFC 5759
Michael Jenkins <mjjenki@tycho.ncsc.mil> Wed, 21 February 2018 15:45 UTC
Return-Path: <mjjenki@tycho.ncsc.mil>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0252212D82F for <spasm@ietfa.amsl.com>; Wed, 21 Feb 2018 07:45:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZxAJlYZGN-HX for <spasm@ietfa.amsl.com>; Wed, 21 Feb 2018 07:44:58 -0800 (PST)
Received: from upbd19pa08.eemsg.mail.mil (upbd19pa08.eemsg.mail.mil [214.24.27.83]) by ietfa.amsl.com (Postfix) with ESMTP id 530E012D7F5 for <spasm@ietf.org>; Wed, 21 Feb 2018 07:44:56 -0800 (PST)
Received: from emsm-gh1-uea11.ncsc.mil ([214.29.60.3]) by upbd19pa08.eemsg.mail.mil with ESMTP/TLS/AES256-SHA; 21 Feb 2018 15:44:54 +0000
X-IronPort-AV: E=Sophos;i="5.46,543,1511827200"; d="scan'208";a="9613243"
IronPort-PHdr: 9a23:rNG5fhz+dzie7zTXCy+O+j09IxM/srCxBDY+r6Qd2ukWIJqq85mqBkHD//Il1AaPAd2Araocw8Pt8InYEVQa5piAtH1QOLdtbDQizfssogo7HcSeAlf6JvO5JwYzHcBFSUM3tyrjaRsdF8nxfUDdrWOv5jAOBBr/KRB1JuPoEYLOksi7ze+/94HdbglSmDaxfa55IQmrownWqsQYm5ZpJLwryhvOrHtIeuBWyn1tKFmOgRvy5dq+8YB6/ShItP0v68BPUaPhf6QlVrNYFygpM3o05MLwqxbOSxaE62YGXWUXlhpIBBXF7A3/U5zsvCb2qvZx1S+HNsDtU7s6RSqt4LtqSB/wiScIKTg58H3MisdtiK5XuQ+tqwBjz4LRZoyaOuB+fqfAdt0EQ2RPUNtaWyhYDo6ya4YDCuwMNvtaoYbgvVsDtQawCxeiBO3vyTFGiHH50qI43Os9Hg/LxxAgEtEUvXjIsNn4OqUfXOaox6fI1zXDaPZW1C/65ojJbh8hoeuDUqx0ccHMzUcgCQXFjlaRqYzjJDOey+MAs22Z7+piS+2vjW0nqwBqrzizxsYjlonJhoUPxlDC6Sp525o6Kce9SE56Zd6pCZ1dvDyUOYtxR8MtWWBouCAix70Hp5G7YCYKxI4gxx7FZPyLa4mI7Qj+W+qLLjd4g2xldKqiiBaz6kiv0PfwVsy10FZOqCdOj9rCtmgV2hDO5cWKReFx80e81TqVyQze5f9ILVopmafdNpUv2KQ/loAJvkTGBiL2nUL2g7KIeUg84eio7vjnYq3hpp+BK494kgH+Pboqmsy4Gek4LhIBX3Ka+eShz73v51H5QbVWgf02lanVqpbaKtgApqGlGQNV14cj6xKnAzen1tQXg2UHIUpYdB+IgIXlIVHDLO3iAfuhjFmgji1ny+3eMr3kGJrNL3zDkLn7fbZ67k5R0A8zzdJd551KDLEBI/PzV1TttN3YEhA5Mwu0z/zhCNphzYMRRXiDAqqYMKPWqVOI/P4gI/GQZI8JvzbwM+Al6OTzjX89g1Mdfa6p3ZUZaHC9BPtmJV6UYWT0gtcHDWgGpA0+TPbliFeaSz5ce26yX74g5jE8EI+mFp/DSZq2gLyExyq7H4NZZnxIClyWFnfobYqECL8wb3eqK9Jl2hwDW7akQolpgQmnqQu8y71pIO/d/AUGrZTokt9v6LuAuws18GlRDs+d2myJB0N5mGAJQSR+iKV9o0F7yVarzblzg/seE9dI7LVMUwNsZs2U9PBzF92nAlGJRdyOUlvzB4z9UDw=
X-IPAS-Result: A2CSAwBsk41a/wHyM5BdGgEBAQEBAgEBAQEIAQEBAYNPZnAog2iYHUIBAQEBAQEGgTSBF5hgL4UPAoJ4WBQBAgEBAQEBAQIBaiiCOCQBgkcBBSMPAQVBEAsYAgImAgJXBg0IAQGKEg0Qqh2CJ4UAg3uCEwEBAQEBAQEDAQEBAQEBAQEbBYEPhAKCJ4EPgi8pgwWBMIIAAQGBUQEBgzWCZQWTaoZFigwJiCeNZoIgikCHZXCNGYtZNiKBUTMaCDA6gkOFFCM3AYpVgj4BAQE
Received: from tarius.tycho.ncsc.mil ([144.51.242.1]) by emsm-gh1-uea11.NCSC.MIL with ESMTP; 21 Feb 2018 15:44:52 +0000
Received: from rd2ul-48143y.infosec.tycho.ncsc.mil (rd2ul-48143y [192.168.26.149]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id w1LFioB4012715; Wed, 21 Feb 2018 10:44:51 -0500
To: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: spasm@ietf.org
References: <863b6e71-c179-3856-9edf-28e8306031e4@tycho.ncsc.mil> <ABF94A28-87F1-40D3-942C-1CE2C5EEFF92@vpnc.org>
From: Michael Jenkins <mjjenki@tycho.ncsc.mil>
Message-ID: <fb50f0ad-85b1-2b53-cfd1-e9fe5a7a27cb@tycho.ncsc.mil>
Date: Wed, 21 Feb 2018 10:44:50 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <ABF94A28-87F1-40D3-942C-1CE2C5EEFF92@vpnc.org>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/RgTn5vriymQVbjF_8dLeZ7JZjWk>
Subject: Re: [lamps] [Non-DoD Source] Re: Request for review of revised RFC 5759
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Feb 2018 15:45:02 -0000
Paul, Good point. And... grr. This is a problem we stumble over infrequently but painfully. You can load the US DOD roots from <https://iase.disa.mil/pki-pke/Pages/tools.aspx> to make it work, but we realize that's not acceptable. We're working this issue and will respond in the next few days (and bump the draft with a corrected reference). Thanks for the review. On 02/20/2018 09:48 PM, Paul Hoffman wrote: > On 31 Jan 2018, at 12:59, Michael Jenkins wrote: > >> The first draft updates RFC 5759, and addresses requirements for RFC >> 5280 compliant public-key certificates and CRLs that contain or >> reference algorithms in the CNSA suite. It is available at >> <https://www.ietf.org/internet-drafts/draft-jenkins-cnsa-cert-crl-profile-01.txt>. >> We would appreciate any comments you might have regarding the draft, >> either via the mail-list or via direct reply. > > This looks good on its face. However, I would argue that the reference > [CNSA] is a normative reference: one cannot evaluate whether the > requirements in the draft match the requirements in [CNSA] without > reading and understanding [CNSA]. > > A big issue, however, is that [CNSA] points to: > https://www.iad.gov/iad/programs/iad-initiatives/cnsa-suite.cfm > I cannot read that document on any of my browsers because the > certificate used for TLS is invalid in current browsers, and > attempting to switch to the HTTP version redirects to the insecure > HTTPS version. > > I know that this is not something that the authors can fix on their > own, but I would strongly object to the IETF moving this document > forwards as an RFC with a normative reference that no one can read > without making TLS changes in their browsers. Lots of US federal > agencies have HTTPS web sites that are readable by the general public; > this should be no different. > > --Paul Hoffman >
- [lamps] Request for review of revised RFC 5759 Michael Jenkins
- Re: [lamps] Request for review of revised RFC 5759 Salz, Rich
- Re: [lamps] [Non-DoD Source] Re: Request for revi… Michael Jenkins
- Re: [lamps] Request for review of revised RFC 5759 Russ Housley
- Re: [lamps] Request for review of revised RFC 5759 Paul Hoffman
- Re: [lamps] [Non-DoD Source] Re: Request for revi… Michael Jenkins
- Re: [lamps] Request for review of revised RFC 5759 Stephen Farrell
- Re: [lamps] Request for review of revised RFC 5759 Richard Barnes
- Re: [lamps] Request for review of revised RFC 5759 Paul Hoffman
- Re: [lamps] Request for review of revised RFC 5759 Richard Barnes
- Re: [lamps] [Non-DoD Source] Re: Request for revi… Michael Jenkins
- Re: [lamps] [Non-DoD Source] Request for review o… Paul Hoffman
- Re: [lamps] [Non-DoD Source] Re: Request for revi… Michael Jenkins