Here's the text from the response I just sent to Rob:

Sorry for the delayed response. Some of your questions I had to forward to other parties here at NSA for an answer.

1) Regarding OCSP, OCSP has been identified as a topic we need to address for Suite B. The question is whether we want to add something quickly to the Suite B Certificate Profile, or wait to do a more thorough treatment. I'll let you know what is decided.

2) We had this information in the .01 version of the Suite B Certificate Profile, but decided to remove it because such a list would be incomplete. We have additional Suite B protocol specific RFCs under development. Future Suite B protocol specific RFCs will most likely contain a reference to the certificate profile, but those that are already published don't simply because they were published before the certificate profile was completed.

3) Regarding the IPR issues. Apparently, we've been inconsistent in how we have handled this in our Suite B RFCs. I'm waiting for word on what to do for the certificate profile. I suspect a statement will be added.

4) Regarding NSA's omission of P-521, P-256 and P-384 will satisfy all of the U.S. Government's requirements so only these are included in Suite B. We don't have a requirement that warrants the inclusion of P-521.

5) I am not aware of any documents that cover Suite B for Code Signing certificates or Time Stamping certificates or plans to develop such documents.

Please do not hesitate to send me any additional questions you may have.

Thanks,
Lydia

Lydia Zieglar
301-688-1028
llziegl@xxxxxxxxxxxxxx

-----Original Message-----
From: Rob Stradling [mailto:rob.stradling@xxxxxxxxxx]
Sent: Tuesday, June 09, 2009 4:48 AM
To: ietf@xxxxxxxx; Zieglar, Lydia L.; Solinas, Jerry
Cc: ietf-pkix@xxxxxxx
Subject: Re: Last Call: draft-solinas-suiteb-cert-profile (Suite B Certificate and Certificate Revocation List (CRL) Profile) to Informational RFC

The IESG wrote:
> The IESG has received a request from an individual submitter to
> consider the following document:
>
> - 'Suite B Certificate and Certificate Revocation List (CRL) Profile '
>   <draft-solinas-suiteb-cert-profile-03.txt> as an Informational RFC
<snip>

Since this I-D is now in Last Call, I'm forwarding a message I sent to Lydia recently, to which I've not yet received any response...

---------- Forwarded Message ----------
Subject: Re: NSA Suite B Certificate & CRL Profile
Date: Wednesday 03 June 2009
From: Rob Stradling <rob.stradling@xxxxxxxxxx>
To: llziegl@xxxxxxxxxxxxxx

Comodo are a global CA with Trusted Root Certificates present in all the major browsers/OSes. We are interested in your Suite B Certificate & CRL Profile I-D because we're seriously looking at offering ECC certificates to our customers in the near future. We have already added a P-384 Root Certificate to the Microsoft and Mozilla Root Certificate Programs.

I have some questions/comments on your I-D and some other related matters...

1. Why does your I-D not include a profile for OCSP requests/responses? Perhaps you could add a section that references RFC 2560 and states that OCSP request/response signatures should follow the same rules as signatures for Suite B certificates?

2. What's the relationship between your I-D and the various Suite B RFCs, such as RFC 5430 "Suite B Profile for Transport Layer Security (TLS)"? Would it make sense for your I-D to reference any of the Suite B RFCs and/or for them to reference your I-D?

3. Some RFCs list IPR claims and/or advise the reader to consult http://www.ietf.org/ipr. Would it make sense to mention any IPR issues in your I-D? I am of course thinking about the large number of ECC patents held by Certicom/RIM.

4. Why did the NSA include P-256 and P-384 in Suite B, but omit P-521? I believe that Certicom defined P-521 before Suite B was specified, and Microsoft and Mozilla have both chosen to support P-521 as well as P-256 and P-384.

5. RFC 5280 defines various standard Extended Key Usage OIDs. I've seen various documents that profile Suite B for Server Authentication certificates, Client Authentication certificates and Secure Email certificates, but I'm not aware of any documents that cover Suite B for Code Signing certificates or Time Stamping certificates. Are you aware of any such documents? If not, do you know why no such documents exist?

Thanks in advance.

--
Rob Stradling
Senior Research & Development Scientist
Comodo - Creating Trust Online
Office Tel: +44.(0)1274.730505
Fax Europe: +44.(0)1274.730909
www.comodo.com

Comodo CA Limited, Registered in England No. 04058690
Registered Office: 3rd Floor, 26 Office Village, Exchange Quay, Trafford Road, Salford, Manchester M5 3EQ