[Anima] Benjamin Kaduk's Discuss on draft-ietf-anima-bootstrapping-keyinfra-35: (with DISCUSS and COMMENT)
Benjamin Kaduk via Datatracker <noreply@ietf.org> Mon, 24 February 2020 19:25 UTC
From: Benjamin Kaduk via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-anima-bootstrapping-keyinfra@ietf.org, anima-chairs@ietf.org, anima@ietf.org, Toerless Eckert <tte+ietf@cs.fau.de>, tte+ietf@cs.fau.de
Reply-To: Benjamin Kaduk <kaduk@mit.edu>
Date: Mon, 24 Feb 2020 11:25:22 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/7IvX0rXn6O93-gZJDFxPgqncwKg>
Subject: [Anima] Benjamin Kaduk's Discuss on draft-ietf-anima-bootstrapping-keyinfra-35: (with DISCUSS and COMMENT)
Benjamin Kaduk has entered the following ballot position for
draft-ietf-anima-bootstrapping-keyinfra-35: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)

Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-anima-bootstrapping-keyinfra/

----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

Thanks for the updated examples using the allocated MASA URL extension OID!
Unfortunately, I think there are still some inconsistencies in the examples
to resolve:

The MASA cert/key is identical to the "manufacturer key pair for IDevID
signatures" (C.1.1 and C.1.2). (It shows the MASA Subject CN, so maybe just
the included file was typo'd?)

The example IDevID cert shows an issuer name that doesn't match the cert
given. (Also the MASA cert doesn't have a randomized serial number but the
registrar one does.)

The registrar-to-MASA voucher request in C.2.2 seems to have a CMS SignedData
with the SignerIdentifier identifying the "Unstrung Fountain Root" (i.e., the
root CA used for these examples) instead of the expected
"fountain-test.example.com". Am I misreading the ASN.1 dump? (We do seem to
send both certificates.)

The voucher response from MASA to Registrar seems to be signed by the
"highway-test.example.com CA" (which would be the "manufacturer key pair for
IDevID signatures" that we don't have in the -35 since the MASA certificate is
repeated), not the MASA's cert from C.1.1.
----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

[trimming presumably stale comments]
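As an added illustration (not code from the draft, from the reviewer, or from any ANIMA implementation), the following Go program turns the kinds of inconsistency raised in the DISCUSS above into an automated check over a set of example certificates: the IDevID must carry its listed CA's name as issuer and verify under that CA, the MASA certificate must not simply be a copy of the IDevID-signing CA, and serial numbers must look random rather than fixed. The certificate names, the newCert helper and the 64-bit serial threshold are assumptions constructed for the example; the CMS SignerIdentifier mismatch is not covered, since Go's standard library has no CMS parser.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CheckExamples runs the consistency checks the review applies to a draft's example PKI: the IDevID
// must chain to its listed CA, the MASA cert must not be a copy of that CA, and serials must look random.
func CheckExamples(idevidCA, masa, idevid *x509.Certificate) (problems []string) {
	if idevid.Issuer.String() != idevidCA.Subject.String() || idevid.CheckSignatureFrom(idevidCA) != nil {
		problems = append(problems, "IDevID does not chain to the listed CA (issuer name or signature)")
	}
	if masa.Equal(idevidCA) {
		problems = append(problems, "MASA certificate is identical to the IDevID-signing CA")
	}
	for _, c := range []*x509.Certificate{idevidCA, masa, idevid} {
		if c.SerialNumber.BitLen() < 64 { // a fixed example value like 1, rather than a random serial
			problems = append(problems, c.Subject.CommonName+": serial number is not randomized")
		}
	}
	return problems
}

// newCert issues a constructed Ed25519 test certificate; serial 0 = random, parent nil = self-signed.
func newCert(cn string, serial int64, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	sn := big.NewInt(serial)
	if serial == 0 { // random serial below 2^127 (constructed test data, not the draft's values)
		sn, _ = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	}
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: sn, Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		BasicConstraintsValid: true, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
func main() { // a consistent set: the root CA signs both the MASA cert and the IDevID; prints []
	root, rootKey := newCert("Constructed Root CA", 0, true, nil, nil)
	masa, _ := newCert("masa-test.example.com", 0, false, root, rootKey)
	idevid, _ := newCert("pledge-0001", 0, false, root, rootKey)
	fmt.Println(CheckExamples(root, masa, idevid))
}
```

Reusing the root as the MASA certificate, or issuing the IDevID under a different CA with serial number 1, makes CheckExamples report each defect by name.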