Re: [lamps] [Non-DoD Source] Re: Request for review of revised RFC 5759
Michael Jenkins <mjjenki@tycho.ncsc.mil> Wed, 07 March 2018 15:39 UTC
Return-Path: <mjjenki@tycho.ncsc.mil>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B76DB128C0A for <spasm@ietfa.amsl.com>; Wed, 7 Mar 2018 07:39:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V3OnMnd7pGn4 for <spasm@ietfa.amsl.com>; Wed, 7 Mar 2018 07:39:39 -0800 (PST)
Received: from USFB19PA14.eemsg.mail.mil (uphb19pa11.eemsg.mail.mil [214.24.26.85]) by ietfa.amsl.com (Postfix) with ESMTP id 5A9E3127873 for <spasm@ietf.org>; Wed, 7 Mar 2018 07:39:37 -0800 (PST)
X-EEMSG-Attachment-filename: CNSSP_15_20161020.pdf
X-EEMSG-Attachment-filesize: 259854
Received: from emsm-gh1-uea10.ncsc.mil ([214.29.60.2]) by USFB19PA14.eemsg.mail.mil with ESMTP/TLS/AES256-SHA; 07 Mar 2018 15:39:31 +0000
X-Attachment-Exists: TRUE
X-IronPort-AV: E=Sophos; i="5.47,436,1515456000"; d="pdf'?scan'208"; a="9437922"
IronPort-PHdr: 9a23:fgdzFhempvwqL3MkB1Kv1TN/lGMj4u6mDksu8pMizoh2WeGdxcW7bR7h7PlgxGXEQZ/co6odzbaO6OawAydfvN6oizMrSNR0TRgLiMEbzUQLIfWuLgnFFsPsdDEwB89YVVVorDmROElRH9viNRWJ+iXhpTEdFQ/iOgVrO+/7BpDdj9it1+C15pbffxhEiCCybL9uIhi6twbcutcZjYZgKqs61wfErGZPd+lK321jOEidnwz75se+/Z5j9zpftvc8/MNeUqv0Yro1Q6VAADspL2466svrtQLeTQSU/XsTTn8WkhtTDAfb6hzxQ4r8vTH7tup53ymaINH2QLUpUjms86tnVBnlgzocOjUn7G/YlNB/jKNDoBKguRN/xZLUYJqIP/Z6Z6/RYM8WSXZEUstXWSNBGIe8ZJYRAeQHM+hTso3xq0IAoBa6AAWhAv7kxD1ViX/sxaA0zvovEQ/G0gIjEdwBvnvbo9fpO6oJVOC50LPFwC/fY/5Y2zrw7pXDfBA7ofGLWLJ9ac3fyUgzGAPFlFqft4jlNC6R2OsTtWib7OtgVeS0i2U6rAxxpzqvxsUyhYnPhYIVy0vJ9Tl5wYkpJd24T1R3Ydi4H5tLqy6WLY52QsImQ2xxvisx17MIuZm+fCcQyZQnwQbSa/2ZfIiU7BLvTuGRIS13hH59ebKwnQu9/VKvyu37SMm51ktBoCldktTUq3wA2BPe5tKHR/dg5EutxzmC2x7J5u1ZJ00/iLDVJIQ7wrEqk5oeqUHDHijrl0rolKKWbUAk+vSw6+Tgf7XmuoeQN49qhQH6NaQjgtC/Dv4iMggPQmib4v6w1KHj/ELlQLVKiec6kq/Fv5DBOcsXvKu5Aw5R0oo76ha/CSmp0MgAkHUaI19IdwiLgoj0N13UPvz1Aumzj06xnDtzwvDJJLzhApHDLnjZl7fheK5w60teyAox099f4ZFUCrAaLfLvWk7+qNzYDhgjPwyy3+nnE8ly2pkbWWKOBq+VKLnSvkOQ5uIzP+mMY5cYuC7nJPg44/7il385mVgTfamn2JsYcna4E+94I0WBZ3rjns0NEWAQvgoxVObqkkGNUSZPZ3auWKIx/io7CJq8AofYQ4Cgm72B0zmnHp1YfGxGDUqMEXi7P7mDDs8FdSbaAshvnDkNU/D1U4Y80VeuswH0zrNhBvTM/CZesojsgotb/erWwDQz/jx9AsDV8WyLTGByhStcQj000aZ8oGRh21yD1u5+iOdTU9lS46UaAU8BKZfAwrkiWJjJUQXbc4LMEQ33Tw==
X-IPAS-Result: A2C1AQB+BqBa/wHyM5BdGQEBAQEBAQEBAQEBAQcBAQEBAYNQZnAog1SYH0gGgQ0ngRaUSIIBBwEnBYUGAoMKITgUAQIBAQEBAQECAWongjgkAYJHAQEBAyMiNBALGCoCAgIYPQYNCAEBF4RzDRCobYInhHKDcoISCgWFMYIugQ+CLikMgniBLoIAAQGBPgERAgECM4J0gmIEjnGLdgmEA4FviwYHgWeHVYU+RYc0iww1IWFxMxoIMDpjAQGBXoRmIjcBjAgBAQE
Received: from tarius.tycho.ncsc.mil ([144.51.242.1]) by EMSM-GH1-UEA10.NCSC.MIL with ESMTP; 07 Mar 2018 15:39:30 +0000
Received: from rd2ul-48143y.infosec.tycho.ncsc.mil (rd2ul-48143y [192.168.26.149]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id w27FdTNH021081; Wed, 7 Mar 2018 10:39:29 -0500
To: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: spasm@ietf.org
References: <863b6e71-c179-3856-9edf-28e8306031e4@tycho.ncsc.mil> <ABF94A28-87F1-40D3-942C-1CE2C5EEFF92@vpnc.org>
From: Michael Jenkins <mjjenki@tycho.ncsc.mil>
Message-ID: <19dbe3c2-dd6b-5313-7663-e85aba7c65c3@tycho.ncsc.mil>
Date: Wed, 07 Mar 2018 10:39:29 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <ABF94A28-87F1-40D3-942C-1CE2C5EEFF92@vpnc.org>
Content-Type: multipart/mixed; boundary="------------030354029FF7DC07ACD6C14F"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/e6Lprn5oXI4bFdP4SYAUhksMIh4>
Subject: Re: [lamps] [Non-DoD Source] Re: Request for review of revised RFC 5759
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Mar 2018 15:39:43 -0000
Update on this, such as it is: As Paul says, access to CNSSP-15 without altering the local security configuration isn't in my power to fix directly. I am reliably informed that the DOD PKI is working on a solution (which might involve a new CABF guidelines compliant root). I'm also looking into having it posted somewhere authoritative but without side-effects. In the (could be ample) meantime, the best I can do is post the document to the mail-list. So, you can find it attached to this email (and, by extension, so can anyone who can access the spasm mail archive). I hope this meets the near-term need. Mike On 02/20/2018 09:48 PM, Paul Hoffman wrote: > On 31 Jan 2018, at 12:59, Michael Jenkins wrote: > >> The first draft updates RFC 5759, and addresses requirements for RFC >> 5280 compliant public-key certificates and CRLs that contain or >> reference algorithms in the CNSA suite. It is available at >> <https://www.ietf.org/internet-drafts/draft-jenkins-cnsa-cert-crl-profile-01.txt>. >> We would appreciate any comments you might have regarding the draft, >> either via the mail-list or via direct reply. > > This looks good on its face. However, I would argue that the reference > [CNSA] is a normative reference: one cannot evaluate whether the > requirements in the draft match the requirements in [CNSA] without > reading and understanding [CNSA]. > > A big issue, however, is that [CNSA] points to: > https://www.iad.gov/iad/programs/iad-initiatives/cnsa-suite.cfm > I cannot read that document on any of my browsers because the > certificate used for TLS is invalid in current browsers, and > attempting to switch to the HTTP version redirects to the insecure > HTTPS version. > > I know that this is not something that the authors can fix on their > own, but I would strongly object to the IETF moving this document > forwards as an RFC with a normative reference that no one can read > without making TLS changes in their browsers. Lots of US federal > agencies have HTTPS web sites that are readable by the general public; > this should be no different. > > --Paul Hoffman >
- [lamps] Request for review of revised RFC 5759 Michael Jenkins
- Re: [lamps] Request for review of revised RFC 5759 Salz, Rich
- Re: [lamps] [Non-DoD Source] Re: Request for revi… Michael Jenkins
- Re: [lamps] Request for review of revised RFC 5759 Russ Housley
- Re: [lamps] Request for review of revised RFC 5759 Paul Hoffman
- Re: [lamps] [Non-DoD Source] Re: Request for revi… Michael Jenkins
- Re: [lamps] Request for review of revised RFC 5759 Stephen Farrell
- Re: [lamps] Request for review of revised RFC 5759 Richard Barnes
- Re: [lamps] Request for review of revised RFC 5759 Paul Hoffman
- Re: [lamps] Request for review of revised RFC 5759 Richard Barnes
- Re: [lamps] [Non-DoD Source] Re: Request for revi… Michael Jenkins
- Re: [lamps] [Non-DoD Source] Request for review o… Paul Hoffman
- Re: [lamps] [Non-DoD Source] Re: Request for revi… Michael Jenkins