Liaison statement
Security Area Response to Liaison on Cryptographic Message Syntax

Additional information about IETF liaison relationships is available on the IETF webpage and the Internet Architecture Board liaison webpage.
State: Posted
Submitted Date: 2015-04-03
From Group: SEC
From Contact: Scott Mansfield
To Group: ITU-T-SG-17
To Contacts: tsbsg17@itu.int
Cc: Gonzalo Camarillo <gonzalo.camarillo@ericsson.com>
    Stephen Farrell <stephen.farrell@cs.tcd.ie>
    Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>
    The IETF Chair <chair@ietf.org>
    martin.euchner@icn.siemens.de
    stephen.farrell@cs.tcd.ie
    Kathleen.Moriarty.ietf@gmail.com
    iesg@ietf.org
Response Contact: scott.mansfield@ericsson.com
Technical Contact: scott.mansfield@ericsson.com
Purpose: For action
Deadline: 2015-07-01 (Action Taken)
Attachments: Security Area Response to Liaison on Cryptographic Message Syntax
Liaisons referred by this one: Response to liaison on Cryptographic Message Syntax
Liaisons referring to this one: LS/r on Cryptographic Message Syntax (reply to IETF Security Area)
    Follow-up on Cryptographic Message Syntax communications
Body
We have previously submitted a liaison [1] in reference to the Cryptographic
Message Syntax (CMS) [RFC5652] in which we recommended that if new work on CMS
is felt to be needed, the best place to do that is in the IETF.  This ensures
interaction with the active community of editors, developers, and users of that
technology.

We have very recently seen [2], sent to an IETF mailing list, which has as an
attachment a document that significantly overlaps with and apparently
incompatibly extends RFC5652. Such a development could significantly damage
security and interoperability if it affected any implementations.

We note that the particular change proposed by [2] ("signcryption") could be
done in a backwards compatible and interoperable manner and also seems to
overlap with ISO 29150:2011 [3], though we have not analyzed whether or not
there may additionally be some conflict between the new text in [2] and that
ISO standard.

We do not have a formal view on the document that is up for consent at the next
SG17 plenary meeting in April 2015, as the document was not formally liaised.
However, we would ask that ITU-T not undertake such duplicative and damaging
work without first having a real dialog with those who implement, deploy and
depend upon CMS.

The place for such a dialog is on the IETF S/MIME mailing list [4], which
remains open and active and could be used to re-activate the S/MIME working
group, should new work in that area be required.

The normal IETF process remains available should anyone wish to extend CMS, as
has been done numerous times (e.g. [5]), and we (as security area directors) are
happy to discuss how best to approach any such proposed work within the IETF.

Regards,
Stephen Farrell/Kathleen Moriarty
IETF Security Area Directors

References:
[RFC5652] https://tools.ietf.org/html/rfc5652
[1] https://datatracker.ietf.org/liaison/1294/
[2] https://www.ietf.org/mail-archive/web/pkix/current/msg33206.html
[3] http://www.iso.org/iso/catalogue_detail.htm?csnumber=45173
[4] https://www.ietf.org/mail-archive/web/smime/current/maillist.html
[5] https://datatracker.ietf.org/doc/rfc4073/