RE: Last Call: draft-solinas-suiteb-cert-profile (Suite B Certificate and Certificate Revocation List (CRL) Profile) to Informational RFC

"Zieglar, Lydia L." <llziegl@tycho.ncsc.mil> Fri, 12 June 2009 20:07 UTC

Subject: RE: Last Call: draft-solinas-suiteb-cert-profile (Suite B Certificate and Certificate Revocation List (CRL) Profile) to Informational RFC
Date: Fri, 12 Jun 2009 16:07:40 -0400
Message-ID: <D22B261D1FA3CD48B0414DF484E43D3284EEC5@celebration.infosec.tycho.ncsc.mil>
In-Reply-To: <200906090947.33959.rob.stradling@comodo.com>
References: <20090603172008.56D03F24008@odin.smetech.net> <200906090947.33959.rob.stradling@comodo.com>
From: "Zieglar, Lydia L." <llziegl@tycho.ncsc.mil>
To: ietf@ietf.org
Cc: ietf-pkix@imc.org, Rob Stradling <rob.stradling@comodo.com>, "Solinas, Jerry" <jasolin@orion.ncsc.mil>

Here's the text from the response I just sent to Rob:

Sorry for the delayed response. Some of your questions I had to forward
to other parties here at NSA for an answer. 

1) Regarding OCSP, OCSP has been identified as a topic we need to
address for Suite B. The question is whether we want to add something
quickly to the Suite B Certificate Profile, or wait to do a more
thorough treatment. I'll let you know what is decided.

2) We had this information in the .01 version of the Suite B Certificate
Profile, but decided to remove it because such a list would be
incomplete. We have additional Suite B protocol specific RFCs under
development. Future Suite B protocol specific RFCs will most likely
contain a reference to the certificate profile, but those that are
already published don't simply because they were published before the
certificate profile was completed.

3) Regarding the IPR issues. Apparently, we've been inconsistent in how
we have handled this in our Suite B RFCs. I'm waiting for word on what
to do for the certificate profile. I suspect a statement will be added.

4) Regarding NSA's omission of P-521, P-256 and P-384 will satisfy all
of the U.S. Government's requirements so only these are included in
Suite B. We don't have a requirement that warrants the inclusion of
P-521.

5) I am not aware of any documents that cover Suite B for Code Signing
certificates or Time Stamping certificates or plans to develop such
documents. 

Please do not hesitate to send me any additional questions you may have.


Thanks,
Lydia

Lydia Zieglar
301-688-1028
llziegl@tycho.ncsc.mil

-----Original Message-----
From: Rob Stradling [mailto:rob.stradling@comodo.com] 
Sent: Tuesday, June 09, 2009 4:48 AM
To: ietf@ietf.org; Zieglar, Lydia L.; Solinas, Jerry
Cc: ietf-pkix@imc.org
Subject: Re: Last Call: draft-solinas-suiteb-cert-profile (Suite B Certificate and Certificate Revocation List (CRL) Profile) to Informational RFC

The IESG wrote:
> >The IESG has received a request from an individual submitter to 
> >consider the following document:
> >
> >- 'Suite B Certificate and Certificate Revocation List (CRL) Profile'
> >    <draft-solinas-suiteb-cert-profile-03.txt> as an Informational RFC
<snip>

Since this I-D is now in Last Call, I'm forwarding a message I sent to
Lydia recently, to which I've not yet received any response...

----------  Forwarded Message  ----------

Subject: Re: NSA Suite B Certificate & CRL Profile
Date: Wednesday 03 June 2009
From: Rob Stradling <rob.stradling@comodo.com>
To: llziegl@tycho.ncsc.mil

Comodo are a global CA with Trusted Root Certificates present in all the
major browsers/OSes.  We are interested in your Suite B Certificate &
CRL Profile I-D because we're seriously looking at offering ECC
certificates to our customers in the near future.  We have already added
a P-384 Root Certificate to the Microsoft and Mozilla Root Certificate
Programs.

I have some questions/comments on your I-D and some other related
matters...

1. Why does your I-D not include a profile for OCSP requests/responses?
Perhaps you could add a section that references RFC 2560 and states that
OCSP request/response signatures should follow the same rules as
signatures for Suite B certificates?

2. What's the relationship between your I-D and the various Suite B
RFCs, such as RFC 5430 "Suite B Profile for Transport Layer Security
(TLS)"? Would it make sense for your I-D to reference any of the Suite
B RFCs and/or for them to reference your I-D?

3. Some RFCs list IPR claims and/or advise the reader to consult
http://www.ietf.org/ipr.  Would it make sense to mention any IPR issues
in your I-D?  I am of course thinking about the large number of ECC
patents held by Certicom/RIM.

4. Why did the NSA include P-256 and P-384 in Suite B, but omit P-521?
I believe that Certicom defined P-521 before Suite B was specified, and
Microsoft and Mozilla have both chosen to support P-521 as well as P-256
and P-384.

5. RFC 5280 defines various standard Extended Key Usage OIDs.  I've seen
various documents that profile Suite B for Server Authentication
certificates, Client Authentication certificates and Secure Email
certificates, but I'm not aware of any documents that cover Suite B for
Code Signing certificates or Time Stamping certificates.
Are you aware of any such documents?
If not, do you know why no such documents exist?

Thanks in advance.

--
Rob Stradling
Senior Research & Development Scientist
Comodo - Creating Trust Online
Office Tel: +44.(0)1274.730505
Fax Europe: +44.(0)1274.730909
www.comodo.com

Comodo CA Limited, Registered in England No. 04058690 Registered Office:
  3rd Floor, 26 Office Village, Exchange Quay,
  Trafford Road, Salford, Manchester M5 3EQ

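Two points in this thread lend themselves to a concrete check: Lydia's answer in point 4 that Suite B includes only P-256 and P-384, and Rob's suggestion in question 1 that OCSP response signatures follow the same rules as Suite B certificate signatures. The following is an added example, written for this page and not code from either message or from the draft: a small DER walker that reads a certificate's SubjectPublicKeyInfo and signature AlgorithmIdentifier and reports whether the key curve and signature algorithm fall inside the Suite B set. The OIDs are the standard values from SEC 2, RFC 5480 and RFC 5758; the sample encodings are constructed here with placeholder point bytes (they are not real keys); and the rule that a P-384 subject key should not carry an ecdsa-with-SHA256 signature is an assumption of the example, not something the thread states.

```python
"""Suite B algorithm check for X.509 SubjectPublicKeyInfo and signature
AlgorithmIdentifier structures, driven by a minimal DER walker.
Added example; not code from the thread or from the draft."""

# Standard OIDs (SEC 2 / RFC 5480 / RFC 5758); the names are informational.
ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
SUITE_B_CURVES = {
    "1.2.840.10045.3.1.7": "P-256",  # secp256r1
    "1.3.132.0.34": "P-384",         # secp384r1
}
KNOWN_NON_SUITE_B_CURVES = {"1.3.132.0.35": "P-521"}  # secp521r1, outside Suite B
SUITE_B_SIG_ALGS = {
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
SEQUENCE, OID, BIT_STRING = 0x30, 0x06, 0x03


def der_tlv(data, pos=0):
    """Decode one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def decode_oid(content):
    """OID content octets -> dotted string (first octet packs the first two arcs)."""
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def parse_algorithm_identifier(content):
    """Content of AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters OPTIONAL }.
    Returns (algorithm OID, parameters); for EC keys the parameters are a curve OID."""
    tag, alg, pos = der_tlv(content)
    if tag != OID:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    params = None
    if pos < len(content):
        ptag, pbody, _ = der_tlv(content, pos)
        params = decode_oid(pbody) if ptag == OID else pbody
    return decode_oid(alg), params


def check_suite_b(spki_der, sig_alg_der):
    """Return (conforms, reasons) for a subject public key plus the signature
    AlgorithmIdentifier of the certificate (or of an OCSP response) that carries it."""
    reasons = []
    tag, spki, _ = der_tlv(spki_der)
    if tag != SEQUENCE:
        return False, ["SubjectPublicKeyInfo is not a SEQUENCE"]
    _, key_alg_content, _ = der_tlv(spki)
    key_alg, curve = parse_algorithm_identifier(key_alg_content)
    _, sig_content, _ = der_tlv(sig_alg_der)
    sig_alg, _ = parse_algorithm_identifier(sig_content)

    curve_name = None
    if key_alg != ID_EC_PUBLIC_KEY:
        reasons.append(f"subject key algorithm {key_alg} is not id-ecPublicKey")
    else:
        curve_name = SUITE_B_CURVES.get(curve)
        if curve_name is None:
            label = KNOWN_NON_SUITE_B_CURVES.get(curve, curve)
            reasons.append(f"curve {label} is not P-256 or P-384")
    sig_name = SUITE_B_SIG_ALGS.get(sig_alg)
    if sig_name is None:
        reasons.append(f"signature algorithm {sig_alg} is not ecdsa-with-SHA256/SHA384")
    elif curve_name == "P-384" and sig_name != "ecdsa-with-SHA384":
        # Assumed pairing rule (not stated in the thread): a P-384 key should not
        # depend on a signature at P-256/SHA-256 strength.
        reasons.append("P-384 subject key signed with ecdsa-with-SHA256")
    return not reasons, reasons


# --- constructed sample encodings (placeholder bytes, not real keys) ---------
def tlv(tag, content):
    """Minimal DER encoder, used only to build the samples below."""
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))


def sample_spki(curve_oid, coord_len):
    """SubjectPublicKeyInfo whose BIT STRING holds a placeholder uncompressed point."""
    alg = tlv(SEQUENCE, encode_oid(ID_EC_PUBLIC_KEY) + encode_oid(curve_oid))
    point = tlv(BIT_STRING, b"\x00\x04" + b"\x11" * (2 * coord_len))
    return tlv(SEQUENCE, alg + point)


def sample_sig_alg(oid):
    return tlv(SEQUENCE, encode_oid(oid))


if __name__ == "__main__":
    cases = {
        "P-384 / ecdsa-with-SHA384": ("1.3.132.0.34", 48, "1.2.840.10045.4.3.3"),
        "P-521 / ecdsa-with-SHA384": ("1.3.132.0.35", 66, "1.2.840.10045.4.3.3"),
        "P-256 / sha256WithRSA": ("1.2.840.10045.3.1.7", 32, "1.2.840.113549.1.1.11"),
    }
    for name, (curve, clen, sig) in cases.items():
        print(name, check_suite_b(sample_spki(curve, clen), sample_sig_alg(sig)))
```

Because `parse_algorithm_identifier` works on any AlgorithmIdentifier, the same routine can be pointed at the signatureAlgorithm field of a BasicOCSPResponse, which is the uniform treatment of certificate and OCSP signatures that question 1 asks for. The P-521 sample deliberately produces a 134-byte BIT STRING so the long-form length path of `der_tlv` is exercised, and the last case shows that a Suite B curve alone is not enough when the signature algorithm is RSA.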