Re: [lamps] Request for review of revised RFC 5759

"Paul Hoffman" <paul.hoffman@vpnc.org> Wed, 21 February 2018 02:48 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B617127023 for <spasm@ietfa.amsl.com>; Tue, 20 Feb 2018 18:48:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2nqqvTGkoQU8 for <spasm@ietfa.amsl.com>; Tue, 20 Feb 2018 18:48:07 -0800 (PST)
Received: from mail.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BBD551241F3 for <spasm@ietf.org>; Tue, 20 Feb 2018 18:48:07 -0800 (PST)
Received: from [10.32.60.171] (50-1-51-141.dsl.dynamic.fusionbroadband.com [50.1.51.141]) (authenticated bits=0) by mail.proper.com (8.15.2/8.15.2) with ESMTPSA id w1L2lewD048890 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 20 Feb 2018 19:47:43 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: mail.proper.com: Host 50-1-51-141.dsl.dynamic.fusionbroadband.com [50.1.51.141] claimed to be [10.32.60.171]
From: "Paul Hoffman" <paul.hoffman@vpnc.org>
To: "Michael Jenkins" <mjjenki@tycho.ncsc.mil>
Cc: spasm@ietf.org
Date: Tue, 20 Feb 2018 18:48:02 -0800
X-Mailer: MailMate (1.10r5443)
Message-ID: <ABF94A28-87F1-40D3-942C-1CE2C5EEFF92@vpnc.org>
In-Reply-To: <863b6e71-c179-3856-9edf-28e8306031e4@tycho.ncsc.mil>
References: <863b6e71-c179-3856-9edf-28e8306031e4@tycho.ncsc.mil>
MIME-Version: 1.0
Content-Type: text/plain; format=flowed
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/TDE_sMjoIhKZssVijLLGuN_xJoM>
Subject: Re: [lamps] Request for review of revised RFC 5759
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Feb 2018 02:48:09 -0000

On 31 Jan 2018, at 12:59, Michael Jenkins wrote:

> The first draft updates RFC 5759, and addresses requirements for RFC 
> 5280 compliant public-key certificates and CRLs that contain or 
> reference algorithms in the CNSA suite. It is available at 
> <https://www.ietf.org/internet-drafts/draft-jenkins-cnsa-cert-crl-profile-01.txt>. 
> We would appreciate any comments you might have regarding the draft, 
> either via the mail-list or via direct reply.

This looks good on its face. However, I would argue that the reference 
[CNSA] is a normative reference: one cannot evaluate whether the 
requirements in the draft match the requirements in [CNSA] without 
reading and understanding [CNSA].

A big issue, however, is that [CNSA] points to:
    https://www.iad.gov/iad/programs/iad-initiatives/cnsa-suite.cfm
I cannot read that document on any of my browsers because the 
certificate used for TLS is invalid in current browsers, and attempting 
to switch to the HTTP version redirects to the insecure HTTPS version.

I know that this is not something that the authors can fix on their own, 
but I would strongly object to the IETF moving this document forwards as 
an RFC with a normative reference that no one can read without making 
TLS changes in their browsers. Lots of US federal agencies have HTTPS 
web sites that are readable by the general public; this should be no 
different.

--Paul Hoffman