Re: [lamps] [Non-DoD Source] Re: Request for review of revised RFC 5759

Michael Jenkins <> Fri, 09 March 2018 14:33 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 102F612778E for <>; Fri, 9 Mar 2018 06:33:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id rTYojTuq9yUq for <>; Fri, 9 Mar 2018 06:33:22 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 43D0412D7E8 for <>; Fri, 9 Mar 2018 06:33:21 -0800 (PST)
Received: from ([]) by with ESMTP/TLS/AES256-SHA; 09 Mar 2018 14:33:20 +0000
X-IronPort-AV: E=Sophos;i="5.47,445,1515456000"; d="scan'208";a="10371504"
IronPort-PHdr: 9a23:G1W+DRcp8LU31VmyvMDyJNVnlGMj4u6mDksu8pMizoh2WeGdxc26YRWN2/xhgRfzUJnB7Loc0qyK6/umATRIyK3CmUhKSIZLWR4BhJdetC0bK+nBN3fGKuX3ZTcxBsVIWQwt1Xi6NU9IBJS2PAWK8TW94jEIBxrwKxd+KPjrFY7OlcS30P2594HObwlSizexfb1/IA+qoQnNq8IbnZZsJqEtxxXTv3BGYf5WxWRmJVKSmxbz+MK994N9/ipTpvws6ddOXb31cKokQ7NYCi8mM30u683wqRbDVwqP6WACXWgQjxFFHhLK7BD+Xpf2ryv6qu9w0zSUMMHqUbw5Xymp4rx1QxH0ligIKz858HnWisNuiqJbvAmhrAF7z4LNfY2ZKOZycqbbcNwUX2pBWttaWTJHDI2ycoADC/MNMOlcooX4oVYFsBmwChS2BO731zFGmHH206053eovHw7J0w4vEM4BvnnPsNX4Nr0fXfypwKTGzzjOae5d1zfn6IjPdxAsufaCXbNsfsrR00YgCQfFhUiUp4P7OTOV1eUNs26A7+F9Uu+vjmwnqwNvrTipxccsi5LEhp4Vy1/Y9SV5x5w5JdukR05gfdGoCp5QtyCeN4ZvRM4pXm9muCE/yrIcuJ67ejAHyJU5yB7DZfyLaY+I4gjsVOuXPDx2h2pldaqiixu9/kWs0O3xWtSu3FpUoSdJjMPAum0L2hfO8MaIUOF98V2k2TuX0gDT7fxLLl4smKrALp4h3qYwlp0OsUTfBiP2mFv5jKuRdkg85uin8f7nYrT7pp+HLYN0lgH/Pbgumsy4G+g4NBQBX3OH9uim0b3j/En5TK1Ljv0wjKbZrIjXKdkUq6O2GQNY0psv5wyhAzqpztgUh2QLIEpAeB2djojpP1/OIOr/Dfe6m1mslTVrx/LYMb3nAZXNL2POkKvhfLlh605czxA/zdZD6JJPFr4NOvfzWk71tNDAFB82LxS0w/r7CNV6zo4eQn6PDbGBMKPSr1CI4PgjI+eWa48PojbyNfwl5/r1gHAlgl8RZ7Wp0ocKZ3yiH/RpPV2TYWDwjdcZDWcKog0+QfTxiF2aSzFTfHOyUrk95j4lFIKmA53PRoe3gLyOxC27BIFZZnhaClCQFnflb4GEW/MNaSKTPMBhnTgEWKOnS486zx6irgD6y715LuDM4C0XqYrj1MRp5+3UjRwy8CZ4D8aD3GGLTGF0n2UIRyQs0K1xoEFwxVWO3bR5jvBfG91T4OlJUgQhOJ7Tyux1EdHyWgbbctiVT1amR4buPTZkdc48298DZQ5TEs+4gxTHl36xH7INl7GNQpI96LjR23zZLN07133Kkqgs2R1uWdNGLmiOh6Nj+U7UHYGavV+ekvOPdK8c1SPJvEWOy2mPuloQBAtyU6jDXnE3elrdrdO/4EjZRPmrCLBxYVgJ8tKLNqYfMo6htl5BXvq2fY2CMm8=
Received: from ([]) by emsm-gh1-uea11.NCSC.MIL with ESMTP; 09 Mar 2018 14:33:19 +0000
Received: from (rd2ul-48143y []) by (8.14.4/8.14.4) with ESMTP id w29EXGaV006210; Fri, 9 Mar 2018 09:33:16 -0500
To: Stephen Farrell <>,
Cc: "Zieglar, Lydia Q" <>,
References: <> <>
From: Michael Jenkins <>
Message-ID: <>
Date: Fri, 09 Mar 2018 09:33:16 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Archived-At: <>
Subject: Re: [lamps] [Non-DoD Source] Re: Request for review of revised RFC 5759
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 09 Mar 2018 14:33:25 -0000

Hi Stephen,

> I'd encourage the authors to consider if they need an RFC that is not under IETF change control for this content. 

Thanks for taking the time to look at the draft and comment. I wanted to 
respond that we certainly are considering the benefits and costs of 
publishing this information, and which mechanisms for publication might 
be more or less appropriate. Your input (and Martin's, Paul W's, and 
Paul H's) plays a significant role in that discussion.


On 03/06/2018 04:41 PM, Stephen Farrell wrote:
> Hiya,
> I commented on making the suite-b profiles historic on the IETF
> discuss list. (Probably better to keep that discussion on that
> list and not here - thread is at [1], but briefly I suggested we
> not do another suite-b-like exercise within the IETF.)
> Russ asked me to take a peek at this draft as part of some
> offlist discussion about that.
> Generally the content of the draft seems reasonable. If it is the
> case that the choices in this profile are widely implemented (and
> I'm guessing they are), then I would support a profile with such
> content being processed as a BCP (and hence coming under IETF change
> control).
> If there is a real need to retain change control and keep this as
> a national profile, then see my opinion on [1], I'm not supportive
> of that. (But in this case, as the content seems to not involve
> any "innovative" or odd choices, and if done via the ISE, I'm only
> very very mildly opposed - almost neutral:-)
> I'd encourage the authors to consider if they need an RFC that is
> not under IETF change control for this content. I can't see how
> that'd be beneficial tbh but maybe I'm missing something. And if
> the content had IETF consensus, then I'd guess that'd help in terms
> of getting implementations that match the profile more quickly.
> If there are other documents to come, that do make "innovative"
> choices (e.g. algs or params that are not widely implemented),
> then I think even a national profile for that published via the
> ISE is a bad idea, (but again, discussion of that via [1] is
> better).
> Cheers,
> S
> [1]
> On 31/01/18 20:59, Michael Jenkins wrote:
>> The US National Security Agency (NSA) has begun the process of updating
>> the "Suite B for..." RFCs to define requirements for implementing and
>> configuring IETF protocols in compliance with the 2016 revision of
>> CNSSP-15 (the Commercial National Security Algorithm, or CNSA, suite).
>> These RFCs are intended for use by commercial product vendors who wish
>> their products to be used in US National Security Systems, over which
>> NSA has oversight.
>> As part of this process, the older RFCs will be moved to Historical
>> status, and we plan to publish new RFCs via the ISE. We are seeking
>> review and comment of the drafts prior to publication, and so will be
>> announcing the drafts on appropriate mail-lists as we produce them.
>> The first draft updates RFC 5759, and addresses requirements for RFC
>> 5280 compliant public-key certificates and CRLs that contain or
>> reference algorithms in the CNSA suite. It is available at
>> <>.
>> We would appreciate any comments you might have regarding the draft,
>> either via the mail-list or via direct reply.
>> Mike Jenkins <>
>> Lydia Zieglar <>
>> NSA
>> _______________________________________________
>> Spasm mailing list