Re: [lamps] [Non-DoD Source] Re: Request for review of revised RFC 5759

Michael Jenkins <mjjenki@tycho.ncsc.mil> Wed, 07 March 2018 15:39 UTC

Return-Path: <mjjenki@tycho.ncsc.mil>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B76DB128C0A for <spasm@ietfa.amsl.com>; Wed, 7 Mar 2018 07:39:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V3OnMnd7pGn4 for <spasm@ietfa.amsl.com>; Wed, 7 Mar 2018 07:39:39 -0800 (PST)
Received: from USFB19PA14.eemsg.mail.mil (uphb19pa11.eemsg.mail.mil [214.24.26.85]) by ietfa.amsl.com (Postfix) with ESMTP id 5A9E3127873 for <spasm@ietf.org>; Wed, 7 Mar 2018 07:39:37 -0800 (PST)
X-EEMSG-Attachment-filename: CNSSP_15_20161020.pdf
X-EEMSG-Attachment-filesize: 259854
Received: from emsm-gh1-uea10.ncsc.mil ([214.29.60.2]) by USFB19PA14.eemsg.mail.mil with ESMTP/TLS/AES256-SHA; 07 Mar 2018 15:39:31 +0000
X-Attachment-Exists: TRUE
X-IronPort-AV: E=Sophos; i="5.47,436,1515456000"; d="pdf'?scan'208"; a="9437922"
IronPort-PHdr: =?us-ascii?q?9a23=3AfgdzFhempvwqL3MkB1Kv1TN/lGMj4u6mDksu8pMi?= =?us-ascii?q?zoh2WeGdxcW7bR7h7PlgxGXEQZ/co6odzbaO6OawAydfvN6oizMrSNR0TRgLiM?= =?us-ascii?q?EbzUQLIfWuLgnFFsPsdDEwB89YVVVorDmROElRH9viNRWJ+iXhpTEdFQ/iOgVr?= =?us-ascii?q?O+/7BpDdj9it1+C15pbffxhEiCCybL9uIhi6twbcutcZjYZgKqs61wfErGZPd+?= =?us-ascii?q?lK321jOEidnwz75se+/Z5j9zpftvc8/MNeUqv0Yro1Q6VAADspL2466svrtQLe?= =?us-ascii?q?TQSU/XsTTn8WkhtTDAfb6hzxQ4r8vTH7tup53ymaINH2QLUpUjms86tnVBnlgz?= =?us-ascii?q?ocOjUn7G/YlNB/jKNDoBKguRN/xZLUYJqIP/Z6Z6/RYM8WSXZEUstXWSNBGIe8?= =?us-ascii?q?ZJYRAeQHM+hTso3xq0IAoBa6AAWhAv7kxD1ViX/sxaA0zvovEQ/G0gIjEdwBvn?= =?us-ascii?q?vbo9fpO6oJVOC50LPFwC/fY/5Y2zrw7pXDfBA7ofGLWLJ9ac3fyUgzGAPFlFqf?= =?us-ascii?q?t4jlNC6R2OsTtWib7OtgVeS0i2U6rAxxpzqvxsUyhYnPhYIVy0vJ9Tl5wYkpJd?= =?us-ascii?q?24T1R3Ydi4H5tLqy6WLY52QsImQ2xxvisx17MIuZm+fCcQyZQnwQbSa/2ZfIiU?= =?us-ascii?q?7BLvTuGRIS13hH59ebKwnQu9/VKvyu37SMm51ktBoCldktTUq3wA2BPe5tKHR/?= =?us-ascii?q?dg5EutxzmC2x7J5u1ZJ00/iLDVJIQ7wrEqk5oeqUHDHijrl0rolKKWbUAk+vSw?= =?us-ascii?q?6+Tgf7XmuoeQN49qhQH6NaQjgtC/Dv4iMggPQmib4v6w1KHj/ELlQLVKiec6kq?= =?us-ascii?q?/Fv5DBOcsXvKu5Aw5R0oo76ha/CSmp0MgAkHUaI19IdwiLgoj0N13UPvz1Aumz?= =?us-ascii?q?j06xnDtzwvDJJLzhApHDLnjZl7fheK5w60teyAox099f4ZFUCrAaLfLvWk7+qN?= =?us-ascii?q?zYDhgjPwyy3+nnE8ly2pkbWWKOBq+VKLnSvkOQ5uIzP+mMY5cYuC7nJPg44/7i?= =?us-ascii?q?l385mVgTfamn2JsYcna4E+94I0WBZ3rjns0NEWAQvgoxVObqkkGNUSZPZ3auWK?= =?us-ascii?q?Ix/io7CJq8AofYQ4Cgm72B0zmnHp1YfGxGDUqMEXi7P7mDDs8FdSbaAshvnDkN?= =?us-ascii?q?U/D1U4Y80VeuswH0zrNhBvTM/CZesojsgotb/erWwDQz/jx9AsDV8WyLTGByhS?= =?us-ascii?q?tcQj000aZ8oGRh21yD1u5+iOdTU9lS46UaAU8BKZfAwrkiWJjJUQXbc4LMEQ33?= =?us-ascii?q?Tw=3D=3D?=
X-IPAS-Result: =?us-ascii?q?A2C1AQB+BqBa/wHyM5BdGQEBAQEBAQEBAQEBAQcBAQEBAYN?= =?us-ascii?q?QZnAog1SYH0gGgQ0ngRaUSIIBBwEnBYUGAoMKITgUAQIBAQEBAQECAWongjgkA?= =?us-ascii?q?YJHAQEBAyMiNBALGCoCAgIYPQYNCAEBF4RzDRCobYInhHKDcoISCgWFMYIugQ+?= =?us-ascii?q?CLikMgniBLoIAAQGBPgERAgECM4J0gmIEjnGLdgmEA4FviwYHgWeHVYU+RYc0i?= =?us-ascii?q?ww1IWFxMxoIMDpjAQGBXoRmIjcBjAgBAQE?=
Received: from tarius.tycho.ncsc.mil ([144.51.242.1]) by EMSM-GH1-UEA10.NCSC.MIL with ESMTP; 07 Mar 2018 15:39:30 +0000
Received: from rd2ul-48143y.infosec.tycho.ncsc.mil (rd2ul-48143y [192.168.26.149]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id w27FdTNH021081; Wed, 7 Mar 2018 10:39:29 -0500
To: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: spasm@ietf.org
References: <863b6e71-c179-3856-9edf-28e8306031e4@tycho.ncsc.mil> <ABF94A28-87F1-40D3-942C-1CE2C5EEFF92@vpnc.org>
From: Michael Jenkins <mjjenki@tycho.ncsc.mil>
Message-ID: <19dbe3c2-dd6b-5313-7663-e85aba7c65c3@tycho.ncsc.mil>
Date: Wed, 7 Mar 2018 10:39:29 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <ABF94A28-87F1-40D3-942C-1CE2C5EEFF92@vpnc.org>
Content-Type: multipart/mixed; boundary="------------030354029FF7DC07ACD6C14F"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/e6Lprn5oXI4bFdP4SYAUhksMIh4>
Subject: Re: [lamps] [Non-DoD Source] Re: Request for review of revised RFC 5759
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Mar 2018 15:39:43 -0000

Update on this, such as it is:

As Paul says, access to CNSSP-15 without altering the local security 
configuration isn't in my power to fix directly. I am reliably informed 
that the DOD PKI is working on a solution (which might involve a new 
CABF guidelines compliant root). I'm also looking into having it posted 
somewhere authoritative but without side-effects.

In the (could be ample) meantime, the best I can do is post the document 
to the mail-list. So, you can find it attached to this email (and, by 
extension, so can anyone who can access the spasm mail archive).

I hope this meets the near-term need.

Mike

On 02/20/2018 09:48 PM, Paul Hoffman wrote:
> On 31 Jan 2018, at 12:59, Michael Jenkins wrote:
>
>> The first draft updates RFC 5759, and addresses requirements for RFC 
>> 5280 compliant public-key certificates and CRLs that contain or 
>> reference algorithms in the CNSA suite. It is available at 
>> <https://www.ietf.org/internet-drafts/draft-jenkins-cnsa-cert-crl-profile-01.txt>. 
>> We would appreciate any comments you might have regarding the draft, 
>> either via the mail-list or via direct reply.
>
> This looks good on its face. However, I would argue that the reference 
> [CNSA] is a normative reference: one cannot evaluate whether the 
> requirements in the draft match the requirements in [CNSA] without 
> reading and understanding [CNSA].
>
> A big issue, however, is that [CNSA] points to:
>    https://www.iad.gov/iad/programs/iad-initiatives/cnsa-suite.cfm
> I cannot read that document on any of my browsers because the 
> certificate used for TLS is invalid in current browsers, and 
> attempting to switch to the HTTP version redirects to the insecure 
> HTTPS version.
>
> I know that this is not something that the authors can fix on their 
> own, but I would strongly object to the IETF moving this document 
> forwards as an RFC with a normative reference that no one can read 
> without making TLS changes in their browsers. Lots of US federal 
> agencies have HTTPS web sites that are readable by the general public; 
> this should be no different.
>
> --Paul Hoffman
>