[Anima] Benjamin Kaduk's Discuss on draft-ietf-anima-bootstrapping-keyinfra-35: (with DISCUSS and COMMENT)

Benjamin Kaduk via Datatracker <noreply@ietf.org> Mon, 24 February 2020 19:25 UTC

Return-Path: <noreply@ietf.org>
X-Original-To: anima@ietf.org
Delivered-To: anima@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 87AEE3A0B44; Mon, 24 Feb 2020 11:25:22 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Benjamin Kaduk via Datatracker <noreply@ietf.org>
To: "The IESG" <iesg@ietf.org>
Cc: draft-ietf-anima-bootstrapping-keyinfra@ietf.org, anima-chairs@ietf.org, anima@ietf.org, Toerless Eckert <tte+ietf@cs.fau.de>, tte+ietf@cs.fau.de
X-Test-IDTracker: no
X-IETF-IDTracker: 6.118.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Benjamin Kaduk <kaduk@mit.edu>
Message-ID: <158257232254.24363.8909440574783537379.idtracker@ietfa.amsl.com>
Date: Mon, 24 Feb 2020 11:25:22 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/7IvX0rXn6O93-gZJDFxPgqncwKg>
Subject: [Anima] Benjamin Kaduk's Discuss on draft-ietf-anima-bootstrapping-keyinfra-35: (with DISCUSS and COMMENT)
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Feb 2020 19:25:23 -0000

Benjamin Kaduk has entered the following ballot position for
draft-ietf-anima-bootstrapping-keyinfra-35: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-anima-bootstrapping-keyinfra/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

Thanks for the updated examples using the allocated MASA URL extension OID!

Unfortunately, I think there are still some inconsistencies in the examples to resolve:

The MASA cert/key is identical to the "manufacturer key pair for IDevID
signatures" (C.1.1 and C.1.2).  (It shows the MASA Subject CN, so maybe
just the included file was typo'd?)  The example IDevID cert shows an
issuer name that doesn't match the cert given.
(Also the MASA cert doesn't have a randomized serial number but the
registrar one does.)

The registrar-to-MASA voucher request in C.2.2 seems to have a CMS
SignedData with the SignerIdentifier identifying the "Unstrung Fountain
Root" (i.e,. the root CA used for these examples) instead of the
expected "fountain-test.example.com".  Am I misreading the ASN.1 dump?
(We do seem to send both certificates.)

The voucher response from MASA to Registrar seems to be signed by the
"highway-test.example.com CA" (which would be the "manufacturer key pair
for IDevID signatures" that we don't have in the -35 since the MASA
certificate is repeated), not the MASA's cert from C.1.1.


----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

[trimming presumably stale comments]