Re: [Ace] Alissa Cooper's No Objection on draft-ietf-ace-coap-est-17: (with COMMENT)

"Panos Kampanakis (pkampana)" <pkampana@cisco.com> Fri, 20 December 2019 04:50 UTC

From: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
To: Alissa Cooper <alissa@cooperw.in>, The IESG <iesg@ietf.org>
CC: "draft-ietf-ace-coap-est@ietf.org" <draft-ietf-ace-coap-est@ietf.org>, "ietf@augustcellars.com" <ietf@augustcellars.com>, "ace-chairs@ietf.org" <ace-chairs@ietf.org>, "ace@ietf.org" <ace@ietf.org>
Thread-Topic: [Ace] Alissa Cooper's No Objection on draft-ietf-ace-coap-est-17: (with COMMENT)
Thread-Index: AQHVtREze2mzYAiIIU2GJp/gU3IOXqfCdYQQ
Date: Fri, 20 Dec 2019 04:50:12 +0000
Message-ID: <BN7PR11MB25474B6EDA654C54D95F0D44C92D0@BN7PR11MB2547.namprd11.prod.outlook.com>
References: <157661132422.26387.11388034337323397614.idtracker@ietfa.amsl.com>
In-Reply-To: <157661132422.26387.11388034337323397614.idtracker@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/g9DYfMQVR9HRNXIoOGpfxCehI8g>
Subject: Re: [Ace] Alissa Cooper's No Objection on draft-ietf-ace-coap-est-17: (with COMMENT)
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Dec 2019 04:50:19 -0000

Hi Alissa, 

Thank you for the feedback. 

> "It is also RECOMMENDED that the Implicit Trust Anchor database used
> for EST server authentication is carefully managed to reduce the
> chance of a third-party CA with poor certification practices
> jeopardizing authentication."
> 
> This strikes me as a slightly odd use of normative language (what are the exception cases when the trust anchor database should not be carefully managed?).
> 

The blurb is directly from RFC7030. We reiterate it here to point it out as a best practice and then we present a potential deviation from it for constrained environments. 

To avoid this confusion we can rephrase it as 

    As discussed in Section 6 of [RFC7030], it is
    "RECOMMENDED that the Implicit Trust Anchor database used
    for EST server authentication is carefully managed to reduce the
    chance of a third-party CA with poor certification practices
    jeopardizing authentication.  Disabling the Implicit Trust Anchor
    database after successfully receiving the Distribution of CA
    certificates response (Section 4.1.3 of [RFC7030]) limits any risk to
    the first DTLS exchange." [...]

Rgs, 
Panos


-----Original Message-----
From: Ace <ace-bounces@ietf.org> On Behalf Of Alissa Cooper via Datatracker
Sent: Tuesday, December 17, 2019 2:35 PM
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-ace-coap-est@ietf.org; ietf@augustcellars.com; ace-chairs@ietf.org; ace@ietf.org
Subject: [Ace] Alissa Cooper's No Objection on draft-ietf-ace-coap-est-17: (with COMMENT)

Alissa Cooper has entered the following ballot position for
draft-ietf-ace-coap-est-17: No Objection

When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-ace-coap-est/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Section 10.1:

   "It is also RECOMMENDED that the Implicit Trust Anchor database used
   for EST server authentication is carefully managed to reduce the
   chance of a third-party CA with poor certification practices
   jeopardizing authentication."

This strikes me as a slightly odd use of normative language (what are the exception cases when the trust anchor database should not be carefully managed?).


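The two-phase trust-anchor handling that the RFC 7030 text quoted in this thread recommends (authenticate the EST server against the Implicit TA database only for the first DTLS exchange, then disable it once the cacerts response, /crts in EST-coaps, has been received and install the returned CAs as the Explicit TA database) is easier to reason about as code. The following Python is an added example written for this page; it is not code from the thread, the draft, RFC 7030, or any EST implementation. The class and function names (`Cert`, `EstClientTrust`, `run_scenario`), the CA names and the placeholder DER bytes are all constructed for illustration, and real X.509 path validation (signatures, validity, name constraints) is replaced by issuer/subject name chaining so the example runs offline with the standard library only. The point it shows beyond the prose is the failure mode being bounded: a server certified by a third-party CA in the implicit set is accepted on the first exchange but refused afterwards, whereas a client that keeps the implicit database enabled accepts it indefinitely.

```python
# Added example: client-side trust-anchor policy modelled on RFC 7030 sec. 6.
# Only *which anchors are trusted when* is modelled; signature checks are omitted.
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate; 'der' is constructed placeholder bytes."""
    subject: str
    issuer: str
    der: bytes

    @property
    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


class TrustAnchorError(Exception):
    pass


class EstClientTrust:
    """Implicit TA database for the first DTLS exchange only; Explicit TA
    database (from the cacerts response) for everything after it."""

    def __init__(self, implicit_tas: List[Cert]):
        self.implicit: Dict[str, Cert] = {c.subject: c for c in implicit_tas}
        self.explicit: Dict[str, Cert] = {}
        self.implicit_enabled = True
        self._session_anchor: Optional[str] = None  # anchor that authenticated the current session

    def active_anchors(self) -> Dict[str, Cert]:
        anchors = dict(self.explicit)
        if self.implicit_enabled:
            anchors.update(self.implicit)
        return anchors

    def authenticate_server(self, chain: List[Cert]) -> str:
        """Model of DTLS server authentication: the chain (leaf first) must
        name-chain to an anchor in the currently active databases.
        Returns the anchor subject, raises TrustAnchorError otherwise."""
        self._session_anchor = None
        if not chain:
            raise TrustAnchorError("empty chain")
        for child, parent in zip(chain, chain[1:]):
            if child.issuer != parent.subject:
                raise TrustAnchorError(f"broken chain at {child.subject!r}")
        anchor = self.active_anchors().get(chain[-1].issuer)
        if anchor is None:
            raise TrustAnchorError(f"no active trust anchor for {chain[-1].issuer!r}")
        if chain[-1].self_signed and chain[-1].fingerprint != anchor.fingerprint:
            raise TrustAnchorError("presented root does not match the stored anchor")
        self._session_anchor = anchor.subject
        return anchor.subject

    def handle_cacerts_response(self, ca_certs: List[Cert]) -> List[str]:
        """cacerts (/crts) response on the authenticated session: install the
        self-signed CAs as the Explicit TA database, disable the Implicit one."""
        if self._session_anchor is None:
            raise TrustAnchorError("cacerts response on an unauthenticated session")
        roots = [c for c in ca_certs if c.self_signed]
        if not roots:
            raise TrustAnchorError("cacerts response carries no self-signed CA")
        self.explicit = {c.subject: c for c in roots}
        self.implicit_enabled = False  # the hardening step the RFC text recommends
        return sorted(self.explicit)


def _cert(subject: str, issuer: str) -> Cert:
    # constructed placeholder DER bytes, unique per (subject, issuer)
    return Cert(subject, issuer, f"{subject}|{issuer}".encode())


def run_scenario() -> dict:
    """Walk the recommended lifecycle and the failure mode it bounds."""
    vendor_root = _cert("Vendor Root", "Vendor Root")
    public_ca = _cert("Public CA X", "Public CA X")  # third-party CA, poorly run
    enterprise_root = _cert("Enterprise Root", "Enterprise Root")
    result = {}

    client = EstClientTrust(implicit_tas=[vendor_root, public_ca])
    # 1. First DTLS exchange: server authenticated via the implicit database.
    result["first_exchange_anchor"] = client.authenticate_server([_cert("est.example", "Vendor Root")])
    # 2. cacerts response on that session: switch to the explicit database.
    result["explicit_anchors"] = client.handle_cacerts_response([enterprise_root])
    result["implicit_enabled"] = client.implicit_enabled
    # 3. A later server certified by the third-party CA is now refused ...
    rogue = _cert("est.example", "Public CA X")
    try:
        client.authenticate_server([rogue])
        result["rogue_rejected"] = False
    except TrustAnchorError:
        result["rogue_rejected"] = True
    # 4. ... while a server under the enrolled CA hierarchy is accepted.
    result["enterprise_anchor"] = client.authenticate_server(
        [_cert("est.example", "Enterprise Sub CA"), _cert("Enterprise Sub CA", "Enterprise Root")])
    # 5. A client that never disables the implicit database keeps accepting the rogue server.
    lax = EstClientTrust(implicit_tas=[vendor_root, public_ca])
    result["rogue_accepted_when_implicit_kept"] = lax.authenticate_server([rogue])
    return result


if __name__ == "__main__":
    print(run_scenario())
```

The fingerprint check on a presented self-signed root is there because an anchor store keyed only by name would let a same-named root with a different key pass; a real client would compare the stored DER (or its key) rather than the name. Note also that the model treats the cacerts response as trustworthy only because it arrived on the session just authenticated by the implicit anchor, which is exactly why the RFC text says the remaining risk is confined to that first exchange.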