idnits 2.17.1 draft-housley-suite-b-to-historic-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (January 02, 2018) is 2299 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- -- Obsolete informational reference (is this intentional?): RFC 4869 (Obsoleted by RFC 6379) -- Obsolete informational reference (is this intentional?): RFC 5008 (Obsoleted by RFC 6318) -- Obsolete informational reference (is this intentional?): RFC 5430 (Obsoleted by RFC 6460) -- Obsolete informational reference (is this intentional?): RFC 7321 (Obsoleted by RFC 8221) -- Obsolete informational reference (is this intentional?): RFC 7525 (Obsoleted by RFC 9325) Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 6 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group R. Housley 3 Internet-Draft Vigil Security 4 Intended status: Informational L. Zieglar 5 Expires: July 6, 2018 National Security Agency 6 January 02, 2018 8 Reclassification of Suite B Documents to Historic Status 9 draft-housley-suite-b-to-historic-00 11 Abstract 13 This document reclassifies the RFCs related to Suite B as Historic, 14 and it discusses the reasons for doing so. This document moves RFC 15 5759, RFC 6239, RFC 6318, RFC 6379, RFC 6380, RFC 6403, and RFC 6460 16 to Historic Status. 18 Status of This Memo 20 This Internet-Draft is submitted in full conformance with the 21 provisions of BCP 78 and BCP 79. 23 Internet-Drafts are working documents of the Internet Engineering 24 Task Force (IETF). Note that other groups may also distribute 25 working documents as Internet-Drafts. The list of current Internet- 26 Drafts is at https://datatracker.ietf.org/drafts/current/. 28 Internet-Drafts are draft documents valid for a maximum of six months 29 and may be updated, replaced, or obsoleted by other documents at any 30 time. It is inappropriate to use Internet-Drafts as reference 31 material or to cite them other than as "work in progress." 33 This Internet-Draft will expire on July 6, 2018. 35 Copyright Notice 37 Copyright (c) 2018 IETF Trust and the persons identified as the 38 document authors. All rights reserved. 40 This document is subject to BCP 78 and the IETF Trust's Legal 41 Provisions Relating to IETF Documents 42 (https://trustee.ietf.org/license-info) in effect on the date of 43 publication of this document. Please review these documents 44 carefully, as they describe your rights and restrictions with respect 45 to this document. Code Components extracted from this document must 46 include Simplified BSD License text as described in Section 4.e of 47 the Trust Legal Provisions and are provided without warranty as 48 described in the Simplified BSD License. 50 Table of Contents 52 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 53 2. Rationale . . . . . . . . . . . . . . . . . . . . . . . . . . 2 54 3. The RFCs Related to Suite B . . . . . . . . . . . . . . . . . 2 55 4. Documents that Reference the Suite-B-related RFCs . . . . . . 3 56 4.1. Documents that Reference RFC 4869 . . . . . . . . . . . . 3 57 4.2. Documents that Reference RFC 5759 . . . . . . . . . . . . 4 58 4.3. Documents that Reference RFC 6379 . . . . . . . . . . . . 4 59 4.4. Documents that Reference RFC 6403 . . . . . . . . . . . . 4 60 4.5. Documents that Reference RFC 6460 . . . . . . . . . . . . 4 61 5. Impact of Reclassifying the Suite-B-related RFCs to Historic 5 62 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 63 7. Security Considerations . . . . . . . . . . . . . . . . . . . 5 64 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 65 8.1. Normative References . . . . . . . . . . . . . . . . . . 5 66 8.2. Informative References . . . . . . . . . . . . . . . . . 6 67 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7 69 1. Introduction 71 Several RFCs profile security protocols for use with National 72 Security Agency (NSA) Suite B Cryptography. Suite B is no longer 73 supported by NSA, and the web pages that specify the cryptographic 74 algorithms are no longer available. 76 In July 2015, NSA published the Committee for National Security 77 Systems Advisory Memorandum 02-15 as the first step in replacing 78 Suite B with NSA's Commercial National Security Algorithm (CNSA) 79 Suite. Information about the CNSA Suite can be found in [CNSA]. 81 2. Rationale 83 As indicated in [CNSA], NSA is transitioning from Suite B to the CNSA 84 Suite. As a result, the profiles of the security protocols for the 85 Suite B algorithms are now only of historic interest. 87 3. The RFCs Related to Suite B 89 Between 2007 and 2012, several Suite-B-related RFCs were published to 90 profile security protocols for use with the Suite B algorithms. They 91 are: 93 o [RFC4869], "Suite B Cryptographic Suites for IPsec" (Obsoleted by 94 RFC 6379) 96 o [RFC5008], "Suite B in Secure/Multipurpose Internet Mail 97 Extensions (S/MIME)" (Obsoleted by RFC 6318) 99 o [RFC5430], "Suite B Profile for Transport Layer Security (TLS)" 100 (Obsoleted by RFC 6460) 102 o [RFC5759], "Suite B Certificate and Certificate Revocation List 103 (CRL) Profile" 105 o [RFC6239], "Suite B Cryptographic Suites for Secure Shell (SSH)" 107 o [RFC6318], "Suite B in Secure/Multipurpose Internet Mail 108 Extensions (S/MIME)" 110 o [RFC6379], "Suite B Cryptographic Suites for IPsec" 112 o [RFC6380], "Suite B Profile for Internet Protocol Security 113 (IPsec)" 115 o [RFC6403], "Suite B Profile of Certificate Management over CMS" 117 o [RFC6460], "Suite B Profile for Transport Layer Security (TLS)" 119 4. Documents that Reference the Suite-B-related RFCs 121 There are several references among these RFCs. These cross- 122 references are not examined further. 124 Other RFC make reference to these Suite-B-related RFCs; these 125 references are discussed in the following subsections. 127 4.1. Documents that Reference RFC 4869 129 One other RFC makes reference to RFC 4869 [RFC4869]. 131 RFC 6071, "IP Security (IPsec) and Internet Key Exchange (IKE) 132 Document Roadmap" [RFC6071], points out that RFC 4869 adds four pre- 133 defined suites based upon Suite B specifications. They are: 135 o IKE/ESP suite "Suite-B-GCM-128" 137 o IKE/ESP suite "Suite-B-GCM-256" 139 o IKE/AH suite "Suite-B-GMAC-128" 141 o IKE/AH suite "Suite-B-GMAC-256" 143 In each case, these suite definitions make use of algorithms that are 144 defined in other RFCs. No interoperability or security concerns are 145 raised if implementations continue to make use of these suite names. 147 4.2. Documents that Reference RFC 5759 149 One other RFC makes reference to RFC 5759 [RFC5759]. 151 RFC 6187, "X.509v3 Certificates for Secure Shell Authentication" 152 [RFC6187], points out that RFC 5759 provides additional guidance for 153 Elliptic Curve Digital Signature Algorithm (ECDSA) keys when used 154 with Suite B. 156 4.3. Documents that Reference RFC 6379 158 One other RFC makes reference to RFC 6379 [RFC6379]. 160 RFC 7321, "Cryptographic Algorithm Implementation Requirements and 161 Usage Guidance for Encapsulating Security Payload (ESP) and 162 Authentication Header (AH) [RFC7321], points out that the AES-GCM 163 algorithm is used by Suite B, and it has emerged as the preferred 164 authenticated encryption method in IPsec. 166 4.4. Documents that Reference RFC 6403 168 Two other RFCs make reference to RFC 6403 [RFC6403]. 170 RFC 6402, "Certificate Management over CMS (CMC) Updates" [RFC6402], 171 says that development of the profile for Suite B was the activity 172 that demonstrated the need for these updates. 174 RFC 7030, "Enrollment over Secure Transport" [RFC7030], points out 175 that the scenarios in the two documents are very similar. 177 4.5. Documents that Reference RFC 6460 179 Three other RFCs make reference to RFC 6460 [RFC6460]. 181 RFC 6605, "Elliptic Curve Digital Signature Algorithm (DSA) for 182 DNSSEC" [RFC6605], states that material was copied liberally from RFC 183 6460. 185 RFC 7525, "Recommendations for Secure Use of Transport Layer Security 186 (TLS) and Datagram Transport Layer Security (DTLS)" [RFC7525], 187 observes that the Suite B profile of TLS 1.2 uses different cipher 188 suites. 190 RFC 8253, "PCEPS: Usage of TLS to Provide a Secure Transport for the 191 Path Computation Element Communication Protocol (PCEP)" [RFC8253], 192 points RFC 6460 for the TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 and 193 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 cipher suites. Both of these 194 ciphersuites are defined in [RFC5289], which would have been a better 195 reference. 197 5. Impact of Reclassifying the Suite-B-related RFCs to Historic 199 No interoperability or security concerns are raised by reclassifing 200 the Suite-B-related RFCs to Historic Status. 202 6. IANA Considerations 204 No changes are requested to any IANA registries. 206 7. Security Considerations 208 The CNSA Suite includes algorithms using the larger key sizes than 209 are included in Suite B. There are no interoperability or security 210 concerns raised by reclassifying the Suite-B-related RFCs to Historic 211 Status. 213 8. References 215 8.1. Normative References 217 [RFC5759] Solinas, J. and L. Zieglar, "Suite B Certificate and 218 Certificate Revocation List (CRL) Profile", RFC 5759, 219 DOI 10.17487/RFC5759, January 2010, 220 . 222 [RFC6239] Igoe, K., "Suite B Cryptographic Suites for Secure Shell 223 (SSH)", RFC 6239, DOI 10.17487/RFC6239, May 2011, 224 . 226 [RFC6318] Housley, R. and J. Solinas, "Suite B in Secure/ 227 Multipurpose Internet Mail Extensions (S/MIME)", RFC 6318, 228 DOI 10.17487/RFC6318, June 2011, 229 . 231 [RFC6379] Law, L. and J. Solinas, "Suite B Cryptographic Suites for 232 IPsec", RFC 6379, DOI 10.17487/RFC6379, October 2011, 233 . 235 [RFC6380] Burgin, K. and M. Peck, "Suite B Profile for Internet 236 Protocol Security (IPsec)", RFC 6380, 237 DOI 10.17487/RFC6380, October 2011, 238 . 240 [RFC6403] Zieglar, L., Turner, S., and M. Peck, "Suite B Profile of 241 Certificate Management over CMS", RFC 6403, 242 DOI 10.17487/RFC6403, November 2011, 243 . 245 [RFC6460] Salter, M. and R. Housley, "Suite B Profile for Transport 246 Layer Security (TLS)", RFC 6460, DOI 10.17487/RFC6460, 247 January 2012, . 249 8.2. Informative References 251 [CNSA] National Security Agency, "Commercial National Security 252 Algorithm (CNSA) Suite", 2015, 253 . 256 [RFC4869] Law, L. and J. Solinas, "Suite B Cryptographic Suites for 257 IPsec", RFC 4869, DOI 10.17487/RFC4869, May 2007, 258 . 260 [RFC5008] Housley, R. and J. Solinas, "Suite B in Secure/ 261 Multipurpose Internet Mail Extensions (S/MIME)", RFC 5008, 262 DOI 10.17487/RFC5008, September 2007, 263 . 265 [RFC5289] Rescorla, E., "TLS Elliptic Curve Cipher Suites with SHA- 266 256/384 and AES Galois Counter Mode (GCM)", RFC 5289, 267 DOI 10.17487/RFC5289, August 2008, 268 . 270 [RFC5430] Salter, M., Rescorla, E., and R. Housley, "Suite B Profile 271 for Transport Layer Security (TLS)", RFC 5430, 272 DOI 10.17487/RFC5430, March 2009, 273 . 275 [RFC6071] Frankel, S. and S. Krishnan, "IP Security (IPsec) and 276 Internet Key Exchange (IKE) Document Roadmap", RFC 6071, 277 DOI 10.17487/RFC6071, February 2011, 278 . 280 [RFC6187] Igoe, K. and D. Stebila, "X.509v3 Certificates for Secure 281 Shell Authentication", RFC 6187, DOI 10.17487/RFC6187, 282 March 2011, . 284 [RFC6402] Schaad, J., "Certificate Management over CMS (CMC) 285 Updates", RFC 6402, DOI 10.17487/RFC6402, November 2011, 286 . 288 [RFC6605] Hoffman, P. and W. Wijngaards, "Elliptic Curve Digital 289 Signature Algorithm (DSA) for DNSSEC", RFC 6605, 290 DOI 10.17487/RFC6605, April 2012, 291 . 293 [RFC7030] Pritikin, M., Ed., Yee, P., Ed., and D. Harkins, Ed., 294 "Enrollment over Secure Transport", RFC 7030, 295 DOI 10.17487/RFC7030, October 2013, 296 . 298 [RFC7321] McGrew, D. and P. Hoffman, "Cryptographic Algorithm 299 Implementation Requirements and Usage Guidance for 300 Encapsulating Security Payload (ESP) and Authentication 301 Header (AH)", RFC 7321, DOI 10.17487/RFC7321, August 2014, 302 . 304 [RFC7525] Sheffer, Y., Holz, R., and P. Saint-Andre, 305 "Recommendations for Secure Use of Transport Layer 306 Security (TLS) and Datagram Transport Layer Security 307 (DTLS)", BCP 195, RFC 7525, DOI 10.17487/RFC7525, May 308 2015, . 310 [RFC8253] Lopez, D., Gonzalez de Dios, O., Wu, Q., and D. Dhody, 311 "PCEPS: Usage of TLS to Provide a Secure Transport for the 312 Path Computation Element Communication Protocol (PCEP)", 313 RFC 8253, DOI 10.17487/RFC8253, October 2017, 314 . 316 Authors' Addresses 318 Russ Housley 319 Vigil Security 320 918 Spring Knoll Drive 321 Herndon, VA 20170 322 US 324 Email: housley@vigilsec.com 326 Lydia Zieglar 327 National Security Agency 328 9800 Savage Road 329 Ft. George G. Meade, MD 20755-6940 330 US 332 Email: llziegl@nsa.gov