Re: [Ace] Roman Danyliw's No Objection on draft-ietf-ace-coap-est-17: (with COMMENT)

"Panos Kampanakis (pkampana)" <pkampana@cisco.com> Mon, 23 December 2019 04:41 UTC

Hi Roman,

Thank you for the thorough review.

Please check the response to your feedback in https://github.com/SanKumar2015/EST-coaps/issues/154. There we include the fixes we will make and our thoughts on a couple of your comments.

Please let us know if you have any further objections.

Panos


-----Original Message-----
From: Ace <ace-bounces@ietf.org> On Behalf Of Roman Danyliw via Datatracker
Sent: Monday, December 16, 2019 5:02 PM
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-ace-coap-est@ietf.org; ietf@augustcellars.com; ace-chairs@ietf.org; ace@ietf.org
Subject: [Ace] Roman Danyliw's No Objection on draft-ietf-ace-coap-est-17: (with COMMENT)

Roman Danyliw has entered the following ballot position for
draft-ietf-ace-coap-est-17: No Objection

When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-ace-coap-est/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

* Section 4.  Per “the DTLS connections SHOULD only be kept alive for EST messages that are relatively close to each other”, I think the text means that some EST messages are more likely to occur one after another.  It would be worth being clearer what these would be.

* Section 5.1. Per “These URIs are shorter than the ones in [RFC7030]”, does Table 1 imply that when using EST-coaps the “longer names” from RFC7030 wouldn’t be valid?

* Section 5.2  Per “The latter ones are deemed to expensive …”, was difficult to parse as the sentence prior has three things (instead of two).  Is this sentence referring to the “not specified functions” only?

* Section 5.3, Per “30% smaller payload for DER-encoded ASN.1”, if you can cite this metric, please do.

* Section 5.8.  Per “In summary, the symmetrically encrypted key is included in the encryptedKey attribute in a KEKRecipientInfo structure”, if this is done in a server-side key generation scenario, where is the client getting the key to decrypt the server computed key material?  Should the DecryptKeyIdentifier/ AsymmetricDecryptKeyIdentifier attributes be populated in the CSR per Sections 4.4.1.1/4.4.1.2 of RFC7030?

* Section 10.1.  Per “When server-side key generation is used, the constrained device depends on the server to generate the private key randomly, but it still needs locally generated random numbers for use in security protocols, as explained in Section 12 of [RFC7925].”, is the “security protocols” referenced here anything beyond DTLS?

* Section 10.1.  Per “In such occasions, checking the certificate revocation status or authorizing the client using another method is important for the server to ensure that the client is to be trusted.”

-- does this text suggest that expired+revoked certificates should not be used?

-- to word-smith:
s/for the server to ensure that the client is to be trusted/for the server to raise its confidence that the client can be trusted/

* Section 10.1.  Per “More information about recommendations of TLS and DTLS are included in [BCP195]”, thanks for referencing BCP195.  Could you please clarify with normative language if these recommendations SHOULD/MUST be followed?

* Editorial
- Section 4.  Per “Authenticating and negotiating DTLS keys requires resources on low- end endpoints and consumes valuable bandwidth”, I’m not sure this sentence is needed.  Technically, “authenticating and negotiating DTLS keys requires resources” on any endpoint.

- Section 4.
OLD: Given that after a successful enrollment, it is more likely that a new EST transaction will take place after a significant amount of time,
NEW: Given that after a successful enrollment, it is more likely that a new EST transaction will not take place for a significant amount of time,

- Section 5.5. Typo.  s/successfull/successful/

- Section 5.8.  s/Such scenarios could be when it is …/Such scenarios apply when it is …/

- Section 5.8.  s/ client, or when the resources/client, when the resources/

- Section 5.8. s/Then the private key/The private key/
