Re: [Ace] AD review of draft-ietf-ace-coap-est-12

Peter van der Stok <stokcons@bbhmail.nl> Tue, 10 September 2019 08:35 UTC

Return-Path: <stokcons@bbhmail.nl>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BBB69120864; Tue, 10 Sep 2019 01:35:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bbhmail.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S6UkzI0cOPON; Tue, 10 Sep 2019 01:35:05 -0700 (PDT)
Received: from smtprelay.hostedemail.com (smtprelay0154.hostedemail.com [216.40.44.154]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7E8C7120045; Tue, 10 Sep 2019 01:35:05 -0700 (PDT)
Received: from filter.hostedemail.com (clb03-v110.bra.tucows.net [216.40.38.60]) by smtprelay08.hostedemail.com (Postfix) with ESMTP id 95DA5182CED34; Tue, 10 Sep 2019 08:35:03 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bbhmail.nl; h= mime-version:content-type:date:from:to:cc:subject:reply-to :in-reply-to:references:message-id; s=key; bh=YcrOx+gImCAZi/og4u pASPsWvj4nVjGooNQKsd1Vacc=; b=otfjVoV9+xC8JhhwDVgADzvxj6fRWLHLSY 3Jq3ni4/szGN2xpeVwD/Sa7JgYyiODT6bf9mATX4xX5ZGG+GSa0yw/cXG1ccCzVy 3eHFjrroSXifbY8OOTUBqul9yg0Cz6NngeMhG7mOH46M6jq4nW7HQCgHugJyioC+ aBA1S4tyU=
X-Session-Marker: 73746F6B636F6E73406262686D61696C2E6E6C
X-Spam-Summary: 2, 0, 0, , d41d8cd98f00b204, stokcons@bbhmail.nl, :::::::::, RULES_HIT:41:152:355:379:582:599:960:962:967:973:988:989:1152:1189:1221:1260:1313:1314:1345:1359:1436:1437:1516:1517:1518:1535:1543:1575:1588:1589:1592:1594:1711:1712:1730:1776:1792:2198:2199:2553:2559:2562:2911:3138:3139:3140:3141:3142:3353:3834:3865:3866:3867:3868:3870:3871:3872:3874:4118:4250:4425:4860:5007:6119:6261:6657:6659:7903:8603:9036:10004:10400:10848:11232:11657:11658:11914:12043:12109:12114:12291:12295:12438:12663:12683:12895:13139:13149:13230:14093:14096:14110:14180:14721:21060:21080:21220:21433:21451:21627:21740:30034:30041:30054:30090, 0, RBL:216.40.42.5:@bbhmail.nl:.lbl8.mailshell.net-62.8.55.100 66.201.201.201, CacheIP:none, Bayesian:0.5, 0.5, 0.5, Netcheck:none, DomainCache:0, MSF:not bulk, SPF:fn, MSBL:0, DNSBL:neutral, Custom_rules:0:0:0, LFtime:25, LUA_SUMMARY:none
X-HE-Tag: eyes01_493951f4bb70a
X-Filterd-Recvd-Size: 7697
Received: from mail.bbhmail.nl (imap-ext [216.40.42.5]) (Authenticated sender: webmail@stokcons@bbhmail.nl) by omf12.hostedemail.com (Postfix) with ESMTPA; Tue, 10 Sep 2019 08:35:03 +0000 (UTC)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_2c38dd72f09943092f87eb7d43c56829"
Date: Tue, 10 Sep 2019 10:35:02 +0200
From: Peter van der Stok <stokcons@bbhmail.nl>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: consultancy@vanderstok.org, Jim Schaad <ietf@augustcellars.com>, draft-ietf-ace-coap-est.all@ietf.org, ace@ietf.org
Reply-To: consultancy@vanderstok.org
In-Reply-To: <20190907010504.GR78802@kduck.mit.edu>
References: <20190828233639.GI84368@kduck.mit.edu> <027701d55ebf$994184b0$cbc48e10$@augustcellars.com> <edcbc2a243cc7118e35aec77b2e1599c@bbhmail.nl> <20190901204340.GG27269@kduck.mit.edu> <6b482aaed0ce510c503984dfbac7286c@bbhmail.nl> <20190907010504.GR78802@kduck.mit.edu>
User-Agent: Roundcube Webmail/1.4-rc1
Message-ID: <44539361481bde9ff463fa2d3ee24d74@bbhmail.nl>
X-Sender: stokcons@bbhmail.nl
Organization: vanderstok consultancy
X-Originating-IP: [86.203.118.81]
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/-7WvfYaqs_PpaAEO1MU-8Ycb1TY>
Subject: Re: [Ace] AD review of draft-ietf-ace-coap-est-12
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Sep 2019 08:35:12 -0000

>> Hi all,
>> 
>> below are comments to a subset of not yet concluded review exchanges.
>> 
>> Peter
>> _______________________________________________________
>> 
>> The serverkeygen endpoints could perhaps have some notation to indicate
>> that the private key is always returned, in addition to the PKCS#7 vs.
>> pkix-cert question that distinguishes skg and skc. 
>> 
>> <pvds>after ".....an /skc request.", the following text is added: 
>> 
>> "In both cases a private key MUST be returned."
> 
> I was thinking we could have something in the table, though we may be too
> short on horizontal space for that to actually work.
> 
>> </pvds>
>> 
>> <pvds3>
>> The tables seem to be full, so I left them as they were
>> </pvds3>
>> 
>> Clients and servers MUST support the short resource EST-coaps URIs.
>> 
>> Are they expected to also support the long EST URIs over CoAP? 
>> 
>> <pvds> It was undecided whether we should add: 
>> 
>> "The corresponding longer URIs from <xref target="RFC7030"/> MAY be
>> supported."
> 
> I have no strong preference here, but would not be surprised if we got a
> question on it from the IESG.  (Which I guess means a weak preference for
> adding the above text.)
> 
> <pvds3>
> slightly preferred text has been added 
> </pvds3>
> 
> Hmm, I think I was not very clear about what I meant: for the given
> resources, the only defined content types for that resource are the ones
> listed in the example request.  If a server tries to advertise anything
> else, it seems like that would be out of spec (and maybe a client should
> bail on seeing it?).  But maybe I'm misinterpreting things and we should
> leave open space for future expansions to other content formats.
> 
> <pvds3>
> I added the text:
> "This approach allows future servers to incorporate currently not specified content-formats and resources."
> 
>> Section 5.2
>> 
>> While [RFC7030] permits a number of these functions to be used
>> without authentication, this specification requires that the client
>> MUST be authenticated for all functions.
>> 
>> Perhaps this divergence from 7030 should be noted more prominently,
>> perhaps in the section title or a dedicated "Differences from RFC 7030"
>> section? 
>> 
>> <pvds> 
>> 
>> Suggestion to move this phrase to section 5 just before section 5.1?
> 
> That would be a big help, thanks..
> 
>> </pvds>
>> 
>> <pvds3>
>> done
>> </pvds3>
>> 
>> </pvds>