Re: Last Call: draft-solinas-suiteb-cert-profile (Suite B Certificate and Certificate Revocation List (CRL) Profile) to Informational RFC
The IESG wrote:
> >The IESG has received a request from an individual submitter to consider
> >the following document:
> >
> >- 'Suite B Certificate and Certificate Revocation List (CRL) Profile '
> > <draft-solinas-suiteb-cert-profile-03.txt> as an Informational RFC
<snip>

Since this I-D is now in Last Call, I'm forwarding a message I sent to Lydia
recently, to which I've not yet received any response...

---------- Forwarded Message ----------
Subject: Re: NSA Suite B Certificate & CRL Profile
Date: Wednesday 03 June 2009
From: Rob Stradling <rob.stradling@xxxxxxxxxx>
To: llziegl@xxxxxxxxxxxxxx

Comodo are a global CA with Trusted Root Certificates present in all the major
browsers/OSes. We are interested in your Suite B Certificate & CRL Profile
I-D because we're seriously looking at offering ECC certificates to our
customers in the near future. We have already added a P-384 Root Certificate
to the Microsoft and Mozilla Root Certificate Programs.

I have some questions/comments on your I-D and some other related matters...

1. Why does your I-D not include a profile for OCSP requests/responses?
Perhaps you could add a section that references RFC 2560 and states that OCSP
request/response signatures should follow the same rules as signatures for
Suite B certificates?

2. What's the relationship between your I-D and the various Suite B RFCs, such
as RFC 5430 "Suite B Profile for Transport Layer Security (TLS)"?
Would it make sense for your I-D to reference any of the Suite B RFCs and/or
for them to reference your I-D?

3. Some RFCs list IPR claims and/or advise the reader to consult
http://www.ietf.org/ipr. Would it make sense to mention any IPR issues in
your I-D? I am of course thinking about the large number of ECC patents held
by Certicom/RIM.

4. Why did the NSA include P-256 and P-384 in Suite B, but omit P-521?
I believe that Certicom defined P-521 before Suite B was specified, and
Microsoft and Mozilla have both chosen to support P-521 as well as P-256 and
P-384.

5. RFC 5280 defines various standard Extended Key Usage OIDs. I've seen
various documents that profile Suite B for Server Authentication
certificates, Client Authentication certificates and Secure Email
certificates, but I'm not aware of any documents that cover Suite B for Code
Signing certificates or Time Stamping certificates.
Are you aware of any such documents?
If not, do you know why no such documents exist?

Thanks in advance.

--
Rob Stradling
Senior Research & Development Scientist
Comodo - Creating Trust Online
Office Tel: +44.(0)1274.730505
Fax Europe: +44.(0)1274.730909
www.comodo.com
Comodo CA Limited, Registered in England No. 04058690
Registered Office:
3rd Floor, 26 Office Village, Exchange Quay,
Trafford Road, Salford, Manchester M5 3EQ