Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-transport-07
Mohit Sahni <msahni@paloaltonetworks.com> Thu, 09 March 2023 19:12 UTC
Return-Path: <msahni@paloaltonetworks.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ECAAEC1522AA for <ace@ietfa.amsl.com>; Thu, 9 Mar 2023 11:12:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.794
X-Spam-Level:
X-Spam-Status: No, score=-2.794 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=paloaltonetworks.com header.b="XXVPoDTK"; dkim=pass (2048-bit key) header.d=paloaltonetworks.com header.b="Nt/mBx/j"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7GfEzHW0cbRS for <ace@ietfa.amsl.com>; Thu, 9 Mar 2023 11:12:52 -0800 (PST)
Received: from mx0b-00169c01.pphosted.com (mx0b-00169c01.pphosted.com [67.231.156.123]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E5F08C151524 for <ace@ietf.org>; Thu, 9 Mar 2023 11:12:51 -0800 (PST)
Received: from pps.filterd (m0048188.ppops.net [127.0.0.1]) by mx0b-00169c01.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 329IAjcF007650 for <ace@ietf.org>; Thu, 9 Mar 2023 11:12:51 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paloaltonetworks.com; h=mime-version : references : in-reply-to : from : date : message-id : subject : to : cc : content-type; s=PPS12012017; bh=46ypYEZqIsWVe4rG1CCkemM8r5KRMz+noxKyJ6rtd8o=; b=XXVPoDTKZUpH3ng1MNgfseMu8Y4Yek7tl2+u7i/AyqNSgJrl4cZZFX8OJv6vyfVxyCgw dvnXrt7ElTtIzI3Qbo/DXyVDrPSWzS2Wmf6CnWr+o8zM49rsqPnH7SJCjLC7xqJJmFtN SIGB7pIsxLXIUXxxS4Tdc/ZrkoJoWQIRbD5jCjT+Hc/OdJFT6SDGJkSAUzg1eEPwinYS wr9+8mzaj6p5sOGVArr0qazrJG20slGp61cz0S8gqgCcsc+HJ5K7zWTfhMjhdt+eo42j uCLkgd1TXrBqzyMGdE7TRGJPEyOT3SgBnYAHhcGQ3SJYCZhXB+NTLnwBjSL1VW+zHWlC dA==
Received: from mail-yw1-f200.google.com (mail-yw1-f200.google.com [209.85.128.200]) by mx0b-00169c01.pphosted.com (PPS) with ESMTPS id 3p6fe8yvvc-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for <ace@ietf.org>; Thu, 09 Mar 2023 11:12:50 -0800
Received: by mail-yw1-f200.google.com with SMTP id 00721157ae682-536a545bfbaso29195647b3.20 for <ace@ietf.org>; Thu, 09 Mar 2023 11:12:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paloaltonetworks.com; s=google.paloaltonetworks.com; t=1678389170; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=46ypYEZqIsWVe4rG1CCkemM8r5KRMz+noxKyJ6rtd8o=; b=Nt/mBx/jNH1lw6QOMLjM6xiJcgqmgi7Hzp7V8IYfU68uLBUiguB9DwStpkUhDVqUxW kLIliCMwRVXfnsIjV2VU0i3yZf7x+1ir6nNt2yYr0Ze65FClohn2WdtBeu50s+XZNlcM GSAsW5Qk7bvor8esgI7XvyKzjNtWnfV/rH9zCdKK2UsMOZZgMw6ZE5oVLT9af3z9qHFP eKypakKv+M+u9jRRQRK1f/r0iG239BOOoSlE00zO6lcFQqHE2PzBdr382OPnVUzdBrbw kUVzP5HO1DtmWBFF2zkVGUIIHgFFCk/hAvQc/vQlrfSqvKIdxNae4MupxdCdY1qgxUmb Up+Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1678389170; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=46ypYEZqIsWVe4rG1CCkemM8r5KRMz+noxKyJ6rtd8o=; b=ciySnTHZBS1/CWoCq2x73F+CoR/WflGGfj7KtTQp6zIVS7mch5CCBaDdFLaSKwrjJw BD2/kdc9Cf5ZC3sefnA57vH8RbR2R/Rz8Ifs1+pK9LufjSOG6QKVDHvLxODNg48Pr0Gg CAzUZ0uuSjs4DKyYyM1c0IwZ5OiQ09HN1MGaOPq54dkUGptRMtDs8g5m3+zNoq/CFg38 auOqSXPHGHSvYgenkmMIXAJ85BReb+mZwJVJRJ0QhtPfqvUZwX6WbymMeGHv0yNalxUn w+2WWceZTTX9pKhiS70HBizX3KTkBsZd7DHsuYM0LHbYLZOXBpJrfK0S8LRkwUHw7zIY xG0g==
X-Gm-Message-State: AO0yUKWK0VI1VH8OZktTdsVD2OL1NPE1in/0IuDc6aXmzV6dPKRYxQOv E2HxwSnQyiI+lUCahTvFVULt0K3lX1+DQMAiaeUY0tR7uMZk0/f2TqqeZUrDff44MPfjdtAnDZ1 j/OhDh7UBiaWYLabEKDA=
X-Received: by 2002:a81:4408:0:b0:536:7529:55ae with SMTP id r8-20020a814408000000b00536752955aemr14819449ywa.2.1678389169952; Thu, 09 Mar 2023 11:12:49 -0800 (PST)
X-Google-Smtp-Source: AK7set8eDwoUImKSvG0KTuZel8mOktHkZkRV/uT282hvfDVxteRK7S9ELL5hE7jmCbFEd5/bXr5BC+A9rGX/TZz8Tes=
X-Received: by 2002:a81:4408:0:b0:536:7529:55ae with SMTP id r8-20020a814408000000b00536752955aemr14819439ywa.2.1678389169616; Thu, 09 Mar 2023 11:12:49 -0800 (PST)
MIME-Version: 1.0
References: <CAGL5yWZEWE5LfRQ+bNn2mRLo8XPyyaVzvEWAGQLMa6QXvKwabA@mail.gmail.com> <CAMRcsGR44FDPL-KuJ68yoP=6xHEnZnrx=af2888Ow5A=XV-TFw@mail.gmail.com>
In-Reply-To: <CAMRcsGR44FDPL-KuJ68yoP=6xHEnZnrx=af2888Ow5A=XV-TFw@mail.gmail.com>
From: Mohit Sahni <msahni@paloaltonetworks.com>
Date: Thu, 09 Mar 2023 11:12:38 -0800
Message-ID: <CAMRcsGTron7s6O9GB=F3KSzkyouXoAZuw-hXPo-34ud6ePYNtg@mail.gmail.com>
To: Paul Wouters <paul.wouters@aiven.io>
Cc: draft-ietf-ace-cmpv2-coap-transport@ietf.org, ace@ietf.org
Content-Type: multipart/alternative; boundary="00000000000040150205f67c6e78"
X-Proofpoint-GUID: diI7BBjU2vyaEFJIAYHEEyCpsk6Vj53d
X-Proofpoint-ORIG-GUID: diI7BBjU2vyaEFJIAYHEEyCpsk6Vj53d
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.254,Aquarius:18.0.942,Hydra:6.0.573,FMLib:17.11.170.22 definitions=2023-03-09_10,2023-03-09_01,2023-02-09_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 mlxscore=0 suspectscore=0 priorityscore=1501 impostorscore=0 adultscore=0 malwarescore=0 lowpriorityscore=0 spamscore=0 mlxlogscore=999 phishscore=0 bulkscore=0 clxscore=1015 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2212070000 definitions=main-2303090154
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/t7nDUqw3Dw0wcZ23RAmQlDjuy3U>
Subject: Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-transport-07
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Mar 2023 19:12:56 -0000
Hi Paul, Just noticed an incomplete response for this comment, responding again to it. >The next bullet I just do not understand: > > In order to to reduce the risks imposed by DoS attacks, the > implementations SHOULD optimally use the available datagram size > i.e. avoid small datagrams containing partial CMP PKIMessage data. > >Please explain what is meant here and/or rephrase it. <M.S.>The intent here is to instruct clients to send CMP messages in as few packets as possible. Fragmentation of CMP messages may cause the server to buffer packets which will consume resources on the server. With clients instructed to send CMP messages in as few packets as possible, servers can choose to ignore fragmented CMP messages to mitigate such DOS attacks. -Mohit On Fri, Mar 3, 2023 at 1:36 PM Mohit Sahni <msahni@paloaltonetworks.com> wrote: > Hi Paul, > Many thanks for the review comments. Please see my response below: > > > A CMP client SHOULD send each CoAP requests marked as a > Confirmable message Section 2.1 of [RFC7252]. > > > >When would one not use a Confirmable message ? eg why is this a SHOULD > and not a MUST ? > > > >(also, the sentence doesn't make, did you mean to add "as per Section 2.1 > ....." ? ) > > <M.S.> Agreed. Will change that. Will fix the "section 2.1 of [RFC..]" > too. > > > If the CoAP request is successful then the server SHOULD return a > "2.05 Content" response code. > > > > What else could be sent if the SHOULD is not followed? Eg why is this is > a SHOULD and not a MUST ? > > <M.S.> based on comments from Ben I changed it to SHOULD from MUST, here > is his comment > >>Perhaps I am reading too much into the analogy between HTTP and CoAP and > >>thus to the applicability of draft-ietf-httpbis-bcp56bis (currently with > the > >>RFC Editor), but it doesn't seem terribly useful to name a specific > response > >>code here. The standard CoAP semantics apply, and we could probably just > >>say that "the paylaod of a successful response contains the DER-encoded > >>...". > > However, you raised a valid point so I will change it to: > > If the CoAP request is successful then the server MUST return a 2.XX > response code otherwise server MUST return an appropriate CoAP Client Error > 4.xx or a Server Error 5.xx response code. > > >This gets stranger even in this sentence, where it becomes very unclear: > > > > If the server supports CMP Announcements messages, then it SHOULD > > send appropriate 2.xx success response code, otherwise a 4.xx > > or 5.xx error response code. > > <M.S.> Agreed, I will change it to > If the server supports CMP Announcements messages, then it MUST > send an appropriate 2.xx success response code, otherwise it MUST > send a 4.xx > or 5.xx error response code. > > >Now "can" is very strange here for not being a SHOULD or MAY or MUST > > > > > > can try after some time to register again > > > > <M.S.> Agreed, Change it to "MAY try after some time to register again" > > >Same here. > > > > > > Alternatively, an EE MAY poll for the potential changes > > > > What is meant with "potential changes" ? > > (also the grammar of this sentence does not work) > > > > to get information about the changes. > > > >Also here, what "changes" ? > <M.S.> Agreed, I will change it to > Alternatively, an EE MAY periodically poll for the current status of the > CA via the "PKI Information Request" message [Section 6.2 RFC 4210]. If > supported, EEs may also use "Support Messages" defined in section 4.3 of > the Lightweight CMP Profile [I-D.ietf-lamps-lightweight-cmp-profile] to get > information about the changes. > >Section 4: > > > > The CMP protocol depends upon various mechanisms in the protocol > > itself for making the transactions secure therefore, security > > issues of CoAP due to using UDP without cryptographic protections > > for message confidentiality and integrity, do not carry over to > > the CMP layer. The Security considerations for CoAP are mentioned > > in the [RFC7252]. > > > >This is a very vague sentence that also does not read well. And I do not > >understand the "carry over" parts. Perhaps something like: > > > > All payloads of the CMP protocol are cryptographically protected > > against malicious modifications. As such, UDP can be used without > > compromising the security of the CMP protocol. Security > Considerations > > for CoAP are defined in [RFC7252]. > > > <M.S.> Agreed. > >Similarly the second point: > > > > Although the CMP protocol does not depend upon the underlying > > transfer mechanism for protecting the messages but in cases when > > confidentiality protection is desired, CoAP over DTLS [RFC9147] > > MAY be used providing a hop-by-hop security. The use of DTLS can > > provide confidentiality protection of the CMP-level metadata, > > however it cannot obscure the fact that CMP is being used in > > the underlying layer. > > > >Perhaps instead: > > > > The CMP protocol does not provide confidentiality of the CMP > payloads. > > If confidentiality is desired, CoAP over DTLS [RFC9147] can be > used > > to provide confidentiality for the CMP payloads, although it > cannot > > conceal that the CMP protocol is used within the DTLS layer. > > > > > <M.S.> Agreed. > > > > Once a DTLS [RFC9147] association is established it SHOULD be > > used for as long as possible to avoid the frequent overhead of > > setting up a DTLS [RFC9147] association for constrained devices. > > > >I think the reference to "as long as possible" is a bit strange. How > about: > > > > DTLS associations SHOULD be kept alive and re-used where possible > > to amortise on the additional overhead of DTLS on constrained > devices. > > > <M.S.> Agreed. > > >The next bullet point just needs some grammar fixes: > > > > An EE may miss some of the Announcement messages when using CoAP > > Observe option [RFC7641] since Observe option is a "best-effort" > > approach and server can lose state about subscribers for > > announcement messages. The EEs may use alternate method described > > in section 2.6 to get time critical changes like CRL updates. > > > >How about: > > > > An EE might not witness all of the Announcement messages when > using the CoAP > > Observe option [RFC7641], since the Observe option is a > "best-effort" > > approach and the server might lose its state for subscribers to > its > > announcement messages. The EEs may use an alternate method > described > > in section 2.6 to obtain time critical changes such as CRL > updates. > > > <M.S.> Agreed. > > >The next bullet I just do not understand: > > > > In order to to reduce the risks imposed by DoS attacks, the > > implementations SHOULD optimally use the available datagram size > > i.e. avoid small datagrams containing partial CMP PKIMessage data. > > > >Please explain what is meant here and/or rephrase it. > <M.S.> > Here the intent is to warn the implementations to > > > > >Section 5: > > > > This document requires a new entry to the CoAP > > > >s/requires/adds > > > > This document also requires > > > >s/requires/adds/ > <M.S> Agreed. > > > > in the CMP protocol registry > > > >s/in/to > <M.S> Agreed. > > > > > > > Description: The path to send a Get request > > > >Should that be a "GET request" ? > > > > > > This document references the cmp, in the Well-Known URIs IANA > > registry. This document is expected to be published together > > with [I-D.ietf-lamps-cmp-updates]. Please add a reference of > > this document to the Well-Known URIs IANA registry for that entry > > > > This document also refers the path segment "p" in the Certificate > > Management Protocol (CMP) IANA registry. Please add a reference > > of this document to the Certificate Management Protocol (CMP) > > for that path segment. > > > >Please seperate the addition instruction for IANA from the RFC Editor > >instruction. Just state the additions as if the other documents were > >already published, and then add a note using [Note RFC Editor: ...] > >explaining this document should be published after the two referenced > >ones. > <M.S.> > This document references the cmp, in the Well-Known URIs IANA > registry. Please add a reference of this document to the > Well-Known URIs IANA registry for that entry > > This document also refers the path segment "p" in the Certificate > Management Protocol (CMP) IANA registry. Please add a reference > of this document to the Certificate Management Protocol (CMP) > for that path segment. > > [Note RFC Editor: This document should be published together > or after the [I-D.ietf-lamps-cmp-updates] and > [I-D.ietf-lamps-lightweight-cmp-profile] > as it references IANA entries created by those Internet drafts. > > > >[I-D.ietf-lamps-cmp-updates] and [I-D.ietf-lamps-lightweight-cmp-profile] > >are listed as informative references, but these should be normative > >references (as you point to sections in those documents for syntax) > > > <M.S.> Agreed. > > > > >NITS: > <M.S.> I will update the draft with suggested changes. > > > > > Here is the list of CMP announcement messages > > > >Do not use "here". Maybe just: The list of CMP ....... are: > > > > An EE MAY use CoAP Observe option > > > >s/use/use the/ > > > > to get any announcement messages > > > >s/any/all > > > > If for some reason server cannot add > > > >s/server/the server > > > > A client on receiving > > > >s/on receiving/that receives > > > > allows the EE to receive > > > >s/the EE/an EE > > > > Since the CMP payload is same over CoAP and HTTP transfer > mechanisms > > > >Since the CMP payload is the same wether using CoAP or HTTP transfer > mechanisms > > > > Some recommended mechanisms are as follows: > > > >delete "as follows" > > > > Since the Proxy may have access to the CMP-Level > > > >s/may have/has > > > > therefore proper role based access control should be in place. > > > >s/therefore/, proper role based access controls should be deployed > > > > Proxy can be > > > >s/Proxy/Proxies > > > > to protect them > > > >s/to protect them/for protection > > > > The proxy however may itself be vulnerable to resource-exhaustion > attacks > > > >s/The proxy itself can also be attacked by resource-exhaustion attacks > > > > Regards, > Mohit > > On Sun, Feb 26, 2023 at 5:49 PM Paul Wouters <paul.wouters@aiven.io> > wrote: > >> AD review: draft-ietf-ace-cmpv2-coap-transport-07 >> >> >> Please see below my AD review comments. I believe a revision of the >> document >> is required before sending it to the IESG. The substantial comments are >> mostly >> about SHOULD vs MUST cases, but there is also a few large pieces of text, >> mostly >> in the Security Considerations section, that need to be reformulated for >> clarity. >> I've tried to propose text where I can. >> >> I've also tried to fixup a few spelling and grammer issues. >> >> Regards, >> >> Paul >> >> >> >> >> >> A CMP client SHOULD send each CoAP requests marked as a >> Confirmable message Section 2.1 of [RFC7252]. >> >> When would one not use a Confirmable message ? eg why is this a SHOULD >> and not a MUST ? >> >> (also, the sentence doesn't make, did you mean to add "as per Section 2.1 >> ....." ? ) >> >> >> If the CoAP request is successful then the server SHOULD return a >> "2.05 Content" response code. >> >> What else could be sent if the SHOULD is not followed? Eg why is this is >> a SHOULD and not a MUST ? >> >> If the CoAP request is not successful then an appropriate CoAP >> Client Error 4.xx or a Server Error 5.xx response code MUST >> be returned. >> >> Especially seeing there is a MUST here. >> >> >> This gets stranger even in this sentence, where it becomes very unclear: >> >> If the server supports CMP Announcements messages, then it SHOULD >> send appropriate 2.xx success response code, otherwise a 4.xx >> or 5.xx error response code. >> >> eg the 'otherwise' clause is not using a SHOULD or MUST, does it inherit >> the >> one from the previous sentence? Also, why SHOULD and not MUST? >> >> it can omit the Observe option >> >> Now "can" is very strange here for not being a SHOULD or MAY or MUST >> >> >> can try after some time to register again >> >> Same here. >> >> >> Alternatively, an EE MAY poll for the potential changes >> >> What is meant with "potential changes" ? >> (also the grammar of this sentence does not work) >> >> to get information about the changes. >> >> Also here, what "changes" ? >> >> >> Section 4: >> >> The CMP protocol depends upon various mechanisms in the protocol >> itself for making the transactions secure therefore, security >> issues of CoAP due to using UDP without cryptographic protections >> for message confidentiality and integrity, do not carry over to >> the CMP layer. The Security considerations for CoAP are mentioned >> in the [RFC7252]. >> >> This is a very vague sentence that also does not read well. And I do not >> understand the "carry over" parts. Perhaps something like: >> >> All payloads of the CMP protocol are cryptographically protected >> against malicious modifications. As such, UDP can be used without >> compromising the security of the CMP protocol. Security >> Considerations >> for CoAP are defined in [RFC7252]. >> >> Similarly the second point: >> >> Although the CMP protocol does not depend upon the underlying >> transfer mechanism for protecting the messages but in cases when >> confidentiality protection is desired, CoAP over DTLS [RFC9147] >> MAY be used providing a hop-by-hop security. The use of DTLS can >> provide confidentiality protection of the CMP-level metadata, >> however it cannot obscure the fact that CMP is being used in >> the underlying layer. >> >> Perhaps instead: >> >> The CMP protocol does not provide confidentiality of the CMP >> payloads. >> If confidentiality is desired, CoAP over DTLS [RFC9147] can be >> used >> to provide confidentiality for the CMP payloads, although it >> cannot >> conceal that the CMP protocol is used within the DTLS layer. >> >> >> >> Once a DTLS [RFC9147] association is established it SHOULD be >> used for as long as possible to avoid the frequent overhead of >> setting up a DTLS [RFC9147] association for constrained devices. >> >> I think the reference to "as long as possible" is a bit strange. How >> about: >> >> DTLS associations SHOULD be kept alive and re-used where possible >> to amortise on the additional overhead of DTLS on constrained >> devices. >> >> The next bullet point just needs some grammar fixes: >> >> An EE may miss some of the Announcement messages when using CoAP >> Observe option [RFC7641] since Observe option is a "best-effort" >> approach and server can lose state about subscribers for >> announcement messages. The EEs may use alternate method described >> in section 2.6 to get time critical changes like CRL updates. >> >> How about: >> >> An EE might not witness all of the Announcement messages when >> using the CoAP >> Observe option [RFC7641], since the Observe option is a >> "best-effort" >> approach and the server might lose its state for subscribers to >> its >> announcement messages. The EEs may use an alternate method >> described >> in section 2.6 to obtain time critical changes such as CRL >> updates. >> >> The next bullet I just do not understand: >> >> In order to to reduce the risks imposed by DoS attacks, the >> implementations SHOULD optimally use the available datagram size >> i.e. avoid small datagrams containing partial CMP PKIMessage data. >> >> Please explain what is meant here and/or rephrase it. >> >> Section 5: >> >> This document requires a new entry to the CoAP >> >> s/requires/adds >> >> This document also requires >> >> s/requires/adds/ >> >> in the CMP protocol registry >> >> s/in/to >> >> >> Description: The path to send a Get request >> >> Should that be a "GET request" ? >> >> >> This document references the cmp, in the Well-Known URIs IANA >> registry. This document is expected to be published together >> with [I-D.ietf-lamps-cmp-updates]. Please add a reference of >> this document to the Well-Known URIs IANA registry for that entry >> >> This document also refers the path segment "p" in the Certificate >> Management Protocol (CMP) IANA registry. Please add a reference >> of this document to the Certificate Management Protocol (CMP) >> for that path segment. >> >> Please seperate the addition instruction for IANA from the RFC Editor >> instruction. Just state the additions as if the other documents were >> already published, and then add a note using [Note RFC Editor: ...] >> explaining this document should be published after the two referenced >> ones. >> >> >> [I-D.ietf-lamps-cmp-updates] and [I-D.ietf-lamps-lightweight-cmp-profile] >> are listed as informative references, but these should be normative >> references (as you point to sections in those documents for syntax) >> >> >> NITS: >> >> Here is the list of CMP announcement messages >> >> Do not use "here". Maybe just: The list of CMP ....... are: >> >> An EE MAY use CoAP Observe option >> >> s/use/use the/ >> >> to get any announcement messages >> >> s/any/all >> >> If for some reason server cannot add >> >> s/server/the server >> >> A client on receiving >> >> s/on receiving/that receives >> >> allows the EE to receive >> >> s/the EE/an EE >> >> Since the CMP payload is same over CoAP and HTTP transfer >> mechanisms >> >> Since the CMP payload is the same wether using CoAP or HTTP transfer >> mechanisms >> >> Some recommended mechanisms are as follows: >> >> delete "as follows" >> >> Since the Proxy may have access to the CMP-Level >> >> s/may have/has >> >> therefore proper role based access control should be in place. >> >> s/therefore/, proper role based access controls should be deployed >> >> Proxy can be >> >> s/Proxy/Proxies >> >> to protect them >> >> s/to protect them/for protection >> >> The proxy however may itself be vulnerable to resource-exhaustion >> attacks >> >> s/The proxy itself can also be attacked by resource-exhaustion attacks >> >>
- [Ace] AD review of draft-ietf-ace-cmpv2-coap-tran… Paul Wouters
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Paul Wouters
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Mohit Sahni
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Mohit Sahni
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Mohit Sahni
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Saurabh Tripathi
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Paul Wouters
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Mohit Sahni
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Daniel Migault