RFC 7169 lacks a needed reference to RFC 3514. The author should have specified that if a certificate with the NSA extension set to "TRUE" is used with IPsec or TLS, the Evil Bit as specified in 3514 SHOULD also be set in any appropriate IP headers.
I would argue that this is the case even if the subject of the certificate has no explicit evil intent. That's the best way to characterize the system.
On Wed, Apr 2, 2014 at 6:10 AM, Leaf Yeh <leaf.yeh.sdo@xxxxxxxxx> wrote:
This extension is needed on Apr. 1st.
Leaf
-----Original Message-----
From: ietf [mailto:ietf-bounces@xxxxxxxx] On Behalf Of Randy Bush
Sent: Wednesday, April 02, 2014 8:22 AM
To: IETF Disgust
Subject: Re: RFC 7169 on The NSA (No Secrecy Afforded) Certificate Extension
> RFC 7169
> Title: The NSA (No Secrecy Afforded)
> Certificate Extension
> URL: http://www.rfc-editor.org/rfc/rfc7169.txt
i do not understand why this extension is needed. the 5eyes have all your
keys. the flag should always be on. is the real intent that, when the
extension/flag is not on in a received certificate, then you know it is
bogus?
randy