Liaison statement
Security Area Response to Liaison on Cryptographic Message Syntax

State Posted
Posted Date 2015-04-03
From Group SEC
From Contact Scott Mansfield
To Group ITU-T-SG-17
To Contacts tsbsg17@itu.int
Cc Gonzalo Camarillo
Stephen Farrell
Kathleen Moriarty
The IETF Chair
martin.euchner@icn.siemens.de
stephen.farrell@cs.tcd.ie
Kathleen.Moriarty.ietf@gmail.com
iesg@ietf.org
Response Contact scott.mansfield@ericsson.com
Technical Contact scott.mansfield@ericsson.com
Purpose For action
Deadline 2015-07-01 Action Taken
Attachments Security Area Response to Liaison on Cryptographic Message Syntax
Liaisons referred by this one Response to liaison on Cryptographic Message Syntax
Liaisons referring to this one LS/r on Cryptographic Message Syntax (reply to IETF Security Area)
Follow-up on Cryptographic Message Syntax communications
Body
We have previously submitted a liaison [1] in reference to the Cryptographic
Message Syntax (CMS) [RFC5652] in which we recommended that if new work on CMS
is felt to be needed, the best place to do that is in the IETF.  This ensures
interaction with the active community of editors, developers, and users of
that technology. 

We have very recently seen [2] sent to an IETF mailing list and which has as
an attachment, a document that significantly overlaps with and apparently
incompatibly extends RFC5652. Such a development could significantly damage
security and interoperability if it affected any implementations. 

We note that the particular change proposed by [2] ("signcryption") could be
done in a backwards compatible and interoperable manner and also seems to
overlap with ISO 29150:2011 [3], though we have not analyzed whether or not
there may additionally be some conflict between the new text in [2] and that
ISO standard.

We do not have a formal view on the document that is up for consent at the
next SG17 plenary meeting in April 2015, as the document was not formally
liaised. However, we would ask that ITU-T not undertake such duplicative and
damaging work without first having a real dialog with those who implement,
deploy and depend upon CMS.

The place for such a dialog is on the IETF S/MIME mailing list [4], which
remains open and active and could be used to re-activate the S/MIME working
group, should new work in that area be required.

The normal IETF process remains available should anyone wish to extend CMS, as
has been done numerous times (e.g. [5]), and we (as security area directors)
are happy to discuss how best to approach any such proposed work within the
IETF.

Regards,
Stephen Farrell/Kathleen Moriarty
IETF Security Area Directors

References:
[RFC5652] https://tools.ietf.org/html/rfc5652 
[1] https://datatracker.ietf.org/liaison/1294/ 
[2] https://www.ietf.org/mail-archive/web/pkix/current/msg33206.html
[3] http://www.iso.org/iso/catalogue_detail.htm?csnumber=45173  
[4] https://www.ietf.org/mail-archive/web/smime/current/maillist.html 
[5] https://datatracker.ietf.org/doc/rfc4073/