Re: RFC 7169 on The NSA (No Secrecy Afforded) Certificate Extension

2014-04-02 10:51:39
RFC 7169 lacks a needed reference to RFC 3514.  The author should have
specified that if a certificate with the NSA extension set to "TRUE" is
used with IPsec or TLS, the Evil Bit as specified in 3514 SHOULD also be
set in any appropriate IP headers.

I would argue that this is the case even if the subject of the certificate
has no explicit evil intent. That's the best way to characterize the
system.
On Wed, Apr 2, 2014 at 6:10 AM, Leaf Yeh 
<leaf(_dot_)yeh(_dot_)sdo(_at_)gmail(_dot_)com> wrote:

This extension is needed on Apr. 1st.

Leaf


-----Original Message-----
From: ietf [mailto:ietf-bounces(_at_)ietf(_dot_)org] On Behalf Of Randy Bush
Sent: Wednesday, April 02, 2014 8:22 AM
To: IETF Disgust
Subject: Re: RFC 7169 on The NSA (No Secrecy Afforded) Certificate
Extension

        RFC 7169
        Title:      The NSA (No Secrecy Afforded)
                    Certificate Extension
        URL:        http://www.rfc-editor.org/rfc/rfc7169.txt

i do not understand why this extension is needed.  the 5eyes have all your
keys.  the flag should always be on.  is the real intent that, when the
extension/flag is not on in a received certificate, then you know it is
bogus?

randy
