[Anima] Secdir last call review of draft-ietf-netconf-sztp-csr-11
Michael Richardson <mcr+ietf@sandelman.ca> Thu, 18 November 2021 19:49 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F107E3A0A07 for <anima@ietfa.amsl.com>; Thu, 18 Nov 2021 11:49:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ubh3Rf3nHQms for <anima@ietfa.amsl.com>; Thu, 18 Nov 2021 11:49:25 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B87323A0A08 for <anima@ietf.org>; Thu, 18 Nov 2021 11:49:25 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 497061803D for <anima@ietf.org>; Thu, 18 Nov 2021 14:51:52 -0500 (EST)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 7rLyXoDTjrfV for <anima@ietf.org>; Thu, 18 Nov 2021 14:51:48 -0500 (EST)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id D173318025 for <anima@ietf.org>; Thu, 18 Nov 2021 14:51:47 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sandelman.ca; s=mail; t=1637265107; bh=E7Raj0hh2j3M9/O1GNNhjE9ZfPwJHkgcaO3xgzyu4j0=; h=From:To:Subject:Date:From; b=hh9KgbZWD/HnBFCiacnv+27Ma81OUKpkpu0COgtpfl62inNa96WDZcwKuZ8fIxkxP QmZw9vGwA4XvdOLxsDWAo1FxaWYvvsHBpnZSUSJdVcFDm7i/faFy+JeXMcpav0SBIE clDnqXBsha4TbB4Q5gP9JmSsyJVJR1uLsQflOeQWVWoqU0iPqPzabzi8K7NanHcfBP dRa15C2iM0TQePToSQpDgTfPvyixhtikbfIggXdLmpehHKIxfvMxpj5CGDfoEJ8G5v aHYkPbj5QQIsBTN84Y9pxv/UYZqbVXbLHOFCKqE5va6yCJ1XzK9VAKYX3PAM0tiTE8 JkwsfavsWSNdQ==
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id D30C89E for <anima@ietf.org>; Thu, 18 Nov 2021 14:49:17 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: anima@ietf.org
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="==-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Thu, 18 Nov 2021 14:49:17 -0500
Message-ID: <4457.1637264957@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/-ckNxauP19chVLP5mSwgxelHyZA>
Subject: [Anima] Secdir last call review of draft-ietf-netconf-sztp-csr-11
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Nov 2021 19:49:31 -0000
I think that it is relevant to participants here.
--- Begin Message ---Reviewer: Yaron Sheffer Review result: Has Issues This draft defines a mechanism for a device, when it first starts, to generate a CSR to get itself provisioned with one or more certificates it needs to identify itself during its normal operation. * I was confused that the document starts out describing a generic cert request mechanism. Then deep into the YANG modules, it turns out that there is guidance (only?) for very specific types of certs, namely LDevID and IDevID. And the choice is non-orthogonal: it is unclear what is the guidance for other certs when using CMC and CMP, and conversely, whether these two certs can be generated with a PKCS#10 CSR. * I suggest adding a Security Considerations section about the need for strong randomness, which is often unavailable to small embedded devices at the early stages of provisioning. I wish we were more successful with: https://datatracker.ietf.org/doc/html/draft-sheffer-dhc-initial-random-00 * Negotiation (?) of the CSR format and supported algorithms is unclear in Sec. 2.2: is it the client that provides the values it supports and the server picks one? Alternatively, is the list conveyed by the server in the error-info and so the client knows exactly what is supported? IOW, why include these values at all in error-info? * It is not clear from Sec. 2.2 how exactly the client is supposed to associate one of possibly multiple received certificates to the CSR it just sent out. Surely it is not expected to grep for the string "Newly-Generated"? * 2.3: the description of "error-info" still does not specify if the server should list all CSR format and algorithms it supports. * Is there really need to support 3 different CSR formats? * Where does the client indicate which cert is wants to receive based on this CSR, e.g. "this CSR is for a LDevID"? Is this information embedded in the CSR itself? * Is RFC 2986 (published Nov. 2000) the best reference for an AlgorithmIdentifier? Is there no IANA registry we could reference instead? * When talking about algorithm matching, I suggest changing "It is an error if..." into normative text, "The recipient MUST reject...". * "Details for how to generate a new private key and associate a new identity certificate are outside the scope of this document." - This is rather disappointing, since we just RECOMMENDED to regenerate certs periodically (and given that IOT devices often lack HSMs). -- last-call mailing list last-call@ietf.org https://www.ietf.org/mailman/listinfo/last-call--- End Message ---
-- Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ottawa and Worldwide
- [Anima] Secdir last call review of draft-ietf-net… Michael Richardson