Re: [lamps] Request for review of revised RFC 5759
"Paul Hoffman" <paul.hoffman@vpnc.org> Wed, 21 February 2018 02:48 UTC
From: Paul Hoffman <paul.hoffman@vpnc.org>
To: Michael Jenkins <mjjenki@tycho.ncsc.mil>
Cc: spasm@ietf.org
Date: Tue, 20 Feb 2018 18:48:02 -0800
Message-ID: <ABF94A28-87F1-40D3-942C-1CE2C5EEFF92@vpnc.org>
In-Reply-To: <863b6e71-c179-3856-9edf-28e8306031e4@tycho.ncsc.mil>
References: <863b6e71-c179-3856-9edf-28e8306031e4@tycho.ncsc.mil>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/TDE_sMjoIhKZssVijLLGuN_xJoM>
Subject: Re: [lamps] Request for review of revised RFC 5759
On 31 Jan 2018, at 12:59, Michael Jenkins wrote:

> The first draft updates RFC 5759, and addresses requirements for RFC
> 5280 compliant public-key certificates and CRLs that contain or
> reference algorithms in the CNSA suite. It is available at
> <https://www.ietf.org/internet-drafts/draft-jenkins-cnsa-cert-crl-profile-01.txt>.
> We would appreciate any comments you might have regarding the draft,
> either via the mail-list or via direct reply.

This looks good on its face. However, I would argue that the reference [CNSA] is a normative reference: one cannot evaluate whether the requirements in the draft match the requirements in [CNSA] without reading and understanding [CNSA].

A big issue, however, is that [CNSA] points to:

https://www.iad.gov/iad/programs/iad-initiatives/cnsa-suite.cfm

I cannot read that document on any of my browsers because the certificate used for TLS is invalid in current browsers, and attempting to switch to the HTTP version redirects to the insecure HTTPS version.

I know that this is not something that the authors can fix on their own, but I would strongly object to the IETF moving this document forwards as an RFC with a normative reference that no one can read without making TLS changes in their browsers. Lots of US federal agencies have HTTPS web sites that are readable by the general public; this should be no different.

--Paul Hoffman
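The two symptoms Paul describes (a TLS certificate that current browsers reject, and an HTTP URL that bounces the client straight back to that HTTPS site) can be confirmed from the command line rather than by squinting at a browser warning. The script below is an added example, not code from this message or from the IETF; it uses only the Python standard library, takes the hostname and path quoted above purely as the obvious input, and makes no claim about what that site's certificate or redirect behaviour is today. The `classify_verify_error` and `redirect_kind` helpers are pure and can be exercised on captured values; `verify_tls` and `http_redirect` make live network calls.

```python
"""Diagnose an unreadable HTTPS reference: does the server certificate
validate against the local trust store, and does the plain-HTTP URL
redirect back to HTTPS?  Added example; not the message author's code."""
import http.client
import socket
import ssl
from typing import Optional
from urllib.parse import urlsplit


def classify_verify_error(message: str) -> str:
    """Map the OpenSSL verification text carried by
    ssl.SSLCertVerificationError to the reason a browser would report."""
    text = message.lower()
    if ("unable to get local issuer" in text or "self signed" in text
            or "self-signed" in text):
        return "issuer not in trust store"
    if "certificate has expired" in text:
        return "certificate expired"
    if "hostname mismatch" in text or "doesn't match" in text:
        return "hostname mismatch"
    return "verification failed: " + message


def verify_tls(host: str, port: int = 443, timeout: float = 10.0,
               cafile: Optional[str] = None) -> dict:
    """Complete a TLS handshake using the OpenSSL/system trust store (or
    `cafile`) and report whether the chain validates for `host`.
    Network call; browsers with their own root store (e.g. NSS) may differ."""
    ctx = ssl.create_default_context(cafile=cafile)  # chain + hostname checks
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "issuer": cert.get("issuer"),
                        "not_after": cert.get("notAfter"), "error": None}
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "issuer": None, "not_after": None,
                "error": classify_verify_error(str(exc))}
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "issuer": None, "not_after": None,
                "error": f"connection failed: {exc}"}


def redirect_kind(status: int, location: Optional[str], request_url: str) -> str:
    """Classify a response by whether it moves the client to another scheme.
    A scheme-less Location such as "/login" inherits the request's scheme."""
    if status not in (301, 302, 303, 307, 308) or not location:
        return "no redirect"
    src = urlsplit(request_url).scheme.lower()
    dst = (urlsplit(location).scheme or src).lower()
    if src == "http" and dst == "https":
        return "redirect to https"
    if src == "https" and dst == "http":
        return "redirect to http (downgrade)"
    return "redirect, same scheme"


def http_redirect(host: str, path: str = "/", timeout: float = 10.0) -> str:
    """Fetch the plain-HTTP URL once, without following redirects, and
    classify where its Location header points.  Network call."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return redirect_kind(resp.status, resp.getheader("Location"),
                             f"http://{host}{path}")
    finally:
        conn.close()


if __name__ == "__main__":
    HOST = "www.iad.gov"   # hostname quoted in the message above
    PATH = "/iad/programs/iad-initiatives/cnsa-suite.cfm"
    print("TLS :", verify_tls(HOST))
    print("HTTP:", http_redirect(HOST, PATH))
```

A result of `issuer not in trust store` from `verify_tls` together with `redirect to https` from `http_redirect` is exactly the dead end described in the message: the only path to the document requires trusting a root the client does not have. Note that Python validates against the OpenSSL or platform store, so a certificate that fails here may still pass in a browser that ships a different root set, and vice versa; when the result matters, repeat the check against the specific browser's store.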
- [lamps] Request for review of revised RFC 5759 Michael Jenkins
- Re: [lamps] Request for review of revised RFC 5759 Salz, Rich
- Re: [lamps] [Non-DoD Source] Re: Request for revi… Michael Jenkins
- Re: [lamps] Request for review of revised RFC 5759 Russ Housley
- Re: [lamps] Request for review of revised RFC 5759 Paul Hoffman
- Re: [lamps] [Non-DoD Source] Re: Request for revi… Michael Jenkins
- Re: [lamps] Request for review of revised RFC 5759 Stephen Farrell
- Re: [lamps] Request for review of revised RFC 5759 Richard Barnes
- Re: [lamps] Request for review of revised RFC 5759 Paul Hoffman
- Re: [lamps] Request for review of revised RFC 5759 Richard Barnes
- Re: [lamps] [Non-DoD Source] Re: Request for revi… Michael Jenkins
- Re: [lamps] [Non-DoD Source] Request for review o… Paul Hoffman
- Re: [lamps] [Non-DoD Source] Re: Request for revi… Michael Jenkins