[Anima] Re: I-D Action: draft-ietf-anima-jws-voucher-11, WAS AW: AD review of draft-ietf-anima-jws-voucher-10
Mahesh Jethanandani <mjethanandani@gmail.com> Tue, 10 September 2024 21:39 UTC
From: Mahesh Jethanandani <mjethanandani@gmail.com>
Date: Tue, 10 Sep 2024 14:39:35 -0700
To: "Werner, Thomas" <thomas-werner@siemens.com>
CC: "draft-ietf-anima-jws-voucher@ietf.org" <draft-ietf-anima-jws-voucher@ietf.org>, "anima-chairs@ietf.org" <anima-chairs@ietf.org>, "anima@ietf.org" <anima@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/Dz2h5tGvwSUdC5n9D-cJZhUGhhQ>
Hi Thomas,

Thanks for addressing most of the comments. Here are just a couple more.

Pledge Voucher Request (PVR) vs Pledge-Voucher-Request (PVR)?

Did you run idnits on the document, or look for the result of idnits during submission? You would have noticed that [I-D.draft-ietf-anima-constrained-voucher] does not resolve. It should be [I-D.ietf-anima-constrained-voucher] (no need to have the word draft).

Thanks.

> On Sep 10, 2024, at 8:52 AM, Werner, Thomas <thomas-werner@siemens.com> wrote:
>
> Hello Mahesh, all,
>
> FYI … just uploaded new version [Anima] I-D Action: draft-ietf-anima-jws-voucher-11
> Including the feedback provided by AD review.
>
> Thanks and regards
> Thomas
>
> From: internet-drafts@ietf.org <internet-drafts@ietf.org>
> Date: Tuesday, 10 September 2024 at 17:37
> To: i-d-announce@ietf.org <i-d-announce@ietf.org>
> Cc: anima@ietf.org <anima@ietf.org>
> Subject: [Anima] I-D Action: draft-ietf-anima-jws-voucher-11.txt
>
> Internet-Draft draft-ietf-anima-jws-voucher-11.txt is now available. It is a
> work item of the Autonomic Networking Integrated Model and Approach (ANIMA) WG
> of the IETF.
>
> Title: JWS signed Voucher Artifacts for Bootstrapping Protocols
> Authors: Thomas Werner
>          Michael Richardson
> Name: draft-ietf-anima-jws-voucher-11.txt
> Pages: 16
> Dates: 2024-09-10
>
> Abstract:
>
> I-D.draft-ietf-anima-rfc8366bis defines a digital artifact called
> voucher as a YANG-defined JSON document that is signed using a
> Cryptographic Message Syntax (CMS) structure. This document
> introduces a variant of the voucher artifact in which CMS is replaced
> by the JSON Object Signing and Encryption (JOSE) mechanism described
> in RFC7515 to support deployments in which JOSE is preferred over
> CMS.
>
> In addition to explaining how the format is created, the
> "application/voucher-jws+json" media type is registered and examples
> are provided.
>
> The IETF datatracker status page for this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-ietf-anima-jws-voucher/
>
> There is also an HTML version available at:
> https://www.ietf.org/archive/id/draft-ietf-anima-jws-voucher-11.html
>
> A diff from the previous version is available at:
> https://author-tools.ietf.org/iddiff?url2=draft-ietf-anima-jws-voucher-11
>
> Internet-Drafts are also available by rsync at:
> rsync.ietf.org::internet-drafts
>
> _______________________________________________
> Anima mailing list -- anima@ietf.org
> To unsubscribe send an email to anima-leave@ietf.org
>
>
> From: Mahesh Jethanandani <mjethanandani@gmail.com>
> Date: Wednesday, 28 August 2024 at 00:46
> To: draft-ietf-anima-jws-voucher@ietf.org <draft-ietf-anima-jws-voucher@ietf.org>
> Cc: anima-chairs@ietf.org <anima-chairs@ietf.org>, anima@ietf.org <anima@ietf.org>
> Subject: AD review of draft-ietf-anima-jws-voucher-10
>
> Back in February I had provided comments as an individual contributor. Thanks for addressing them.
>
> These are my AD comments, divided between COMMENTs and NITs. I hope to see responses to the COMMENTs, while NITs are there FYI.
>
>
> -------------------------------------------------------------------------------
> COMMENT
> -------------------------------------------------------------------------------
>
> This document updates RFC8366, but does not seem to include explanatory text
> about this in the abstract.
>
> "Abstract", paragraph 0
> > [I-D.draft-ietf-anima-rfc8366bis] defines a digital artifact called
> > voucher as a YANG-defined JSON document that is signed using a
> > Cryptographic Message Syntax (CMS) structure. This document
> > introduces a variant of the voucher artifact in which CMS is replaced
> > by the JSON Object Signing and Encryption (JOSE) mechanism described
> > in RFC7515 to support deployments in which JOSE is preferred over
> > CMS.
>
> An Abstract cannot have a reference. Please change the reference to I-D.draft-ietf-anima-rfc8366bis to plain text.
>
> Section 2, paragraph 5
> > Voucher: A short form for voucher artifact and refers to the signed
> > statement from the MASA service that indicates to a pledge the
> > cryptographic identity of the domain it should trust, per
> > [I-D.draft-ietf-anima-rfc8366bis].
>
> Please add definition and expansion on first use of terms such as MASA. Also you need to define Pledge (with a capital P), or point to a definition in another document. Avoid mixing capitalization between Pledge and pledge.
>
> Section 3, paragraph 6
> > A "JWS JSON Serialization Overview" is given in Section 3.2 of
> > [RFC7515] and more details on the JWS serializations in Section 7 of
> > [RFC7515]. This document makes use of the "General JWS JSON
> > Serialization Syntax" of [RFC7515] to support multiple signatures, as
> > already supported by [RFC8366] for CMS-signed vouchers.
>
> Since the document mentions two forms of serialization, it would help to understand the choice. Was the choice of "General JWS JSON Serialization Syntax" to support multiple signatures? Why was the "JWS Compact Serialization" not chosen?
>
> Section 4, paragraph 2
> > This request occurs via HTTP-over-TLS, however, for the Pledge-to-
> > Registrar TLS connection, the Pledge is provisionally accepting the
> > Registrar server certificate. Hence it is subject to disclosure by a
> > Dolev-Yao attacker (a "malicious messenger") [ON-PATH], as explained
> > in Section 10.2 of [BRSKI].
>
> The first sentence does not parse for me. Can it be reworded?
>
> Found terminology that should be reviewed for inclusivity; see
> https://www.rfc-editor.org/part2/#inclusive_language for background and more
> guidance:
>
> * Term "he"; alternatives might be "they", "them", "their"
>
> -------------------------------------------------------------------------------
> NIT
> -------------------------------------------------------------------------------
>
> All comments below are about very minor potential issues that you may choose to
> address in some way - or ignore - as you see fit. Some were flagged by
> automated tools (via https://github.com/larseggert/ietf-reviewtool), so there
> will likely be some false positives. There is no need to let me know what you
> did with these suggestions.
>
> Section 1, paragraph 2
> > This document provides cryptographic signing of the JSON voucher data
> > in form of JSON Web Signature (JWS) [RFC7515] and the media type
> > "application/voucher-jws+json". The encoding specified in this
> > document is used by [I-D.ietf-anima-brski-prm] and may be more handy
> > for use cases already using Javascript Object Signing and Encryption
> > (JOSE). This document should be considered as enhancement of
> > [I-D.draft-ietf-anima-rfc8366bis],
> > as it provides a new voucher form with media type "application/
> > voucher-jws+json" and the related serialization. It does not extend
> > the YANG definition of [I-D.draft-ietf-anima-rfc8366bis].
>
> I continue to see inconsistent use of capitalization for terms defined or used in this document. E.g. JSON voucher data, and JSON Voucher Data.
>
> Section 3.2, paragraph 0
> > The JSON Voucher Data is an unsigned JSON document [RFC8259] that
> > conforms with the data model described by the ietf-voucher YANG
> > module [RFC7950] defined in Section 5.3 of
> > [I-D.draft-ietf-anima-rfc8366bis] and is encoded using the rules
> > defined in [RFC7951]. The following figure provides an example of
> > JSON Voucher Data:
>
> Please correct the reference to the Section number in I-D.draft-ietf-anima-rfc8366bis. It should be 7.3.
>
> Section 3.3, paragraph 3
> > To validate voucher signatures all certificates of the certificate
> > chain are required up to the trust anchor, Note, to establish trust
> > the trust anchor SHOULD be provided out-of-band upfront. This is
> > consistent with Section 5.5.2 of [BRSKI].
>
> s/to the trust anchor, Note,/to the trust anchor. Note,/
>
> Document references draft-ietf-anima-rfc8366bis-11, but -12 is the latest
> available revision.
>
> Document references draft-ietf-anima-brski-prm-12, but -15 is the latest
> available revision.
>
> Document references draft-ietf-anima-constrained-voucher-24, but -25 is the
> latest available revision.
>
> Paragraph 4
> > type is registered and examples are provided. Status of This Memo This Inte
> >                                 ^^^^^^^^^^^^
> You have used the passive voice repeatedly in nearby sentences. To make your
> writing clearer and easier to read, consider using active voice.
>
> Section 2, paragraph 3
> > on first use of terms such as MASA. Also you need to define Pledge (with a c
> >                                     ^^^^
> A comma may be missing after the conjunctive/linking adverb "Also".
>
> Section 3.1, paragraph 6
> > JSON [RFC8259] optionally allows to escape these with backslashes ('\'). Hen
> >                                  ^^^^^^^^^
> Did you mean "escaping"? Or maybe you should add a pronoun? In active voice,
> "allow" + "to" takes an object, usually a pronoun.
>
> Section 3.3, paragraph 3
> > the Registrar server certificate. Hence it is subject to disclosure by a Do
> >                                   ^^^^^
> A comma may be missing after the conjunctive/linking adverb "Hence".
>
> Mahesh Jethanandani
> mjethanandani@gmail.com

Mahesh Jethanandani
mjethanandani@gmail.com
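The quoted AD review asks why the draft uses the General JWS JSON Serialization rather than the JWS Compact Serialization. The example below, added here and not taken from this thread or from draft-ietf-anima-jws-voucher, builds the same JSON voucher data in both RFC 7515 serializations and shows the structural reason: the compact form carries exactly one signature, while the general JSON form carries a `signatures` array, so two signers can sign one payload. The voucher content is constructed sample data (leaf names from the RFC 8366 `ietf-voucher` module, values are placeholders), the keys are constructed, and HS256 is used only so the code runs with the standard library; real vouchers are signed with asymmetric JWS algorithms and verified against a certificate chain up to a trust anchor. The verifier also shows the checks a defender wants regardless of serialization: `alg` is taken from the protected header only, matched against an allow-list (which rejects `none`), and every signature must verify.

```python
import base64
import copy
import hashlib
import hmac
import json


def b64url(data):
    """base64url without padding, as RFC 7515 requires for JWS components."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj):
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


# Constructed sample JSON voucher data: top-level key and leaf names follow the
# ietf-voucher YANG module (RFC 8366) with RFC 7951 JSON encoding; values are placeholders.
VOUCHER = {
    "ietf-voucher:voucher": {
        "created-on": "2024-09-10T14:39:35.000Z",
        "assertion": "logged",
        "serial-number": "PLACEHOLDER-SERIAL-0001",
        "pinned-domain-cert": b64url(b"PLACEHOLDER-DER-ENCODED-CERTIFICATE"),
    }
}

# Constructed symmetric keys standing in for the signers' keys (HS256 for a
# dependency-free example; real vouchers use asymmetric JWS algorithms).
KEYS = {
    "masa-key-1": b"constructed-masa-secret",
    "registrar-key-1": b"constructed-registrar-secret",
}


def _hs256(key, signing_input):
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def compact_serialize(payload, kid):
    """JWS Compact Serialization (RFC 7515 Section 7.1): one signature, protected header only."""
    protected = b64url(_compact_json({"alg": "HS256", "kid": kid}))
    body = b64url(_compact_json(payload))
    signature = _hs256(KEYS[kid], (protected + "." + body).encode("ascii"))
    return protected + "." + body + "." + b64url(signature)


def general_serialize(payload, kids):
    """General JWS JSON Serialization (RFC 7515 Section 7.2.1): one payload, N signatures."""
    body = b64url(_compact_json(payload))
    signatures = []
    for kid in kids:
        protected = b64url(_compact_json({"alg": "HS256"}))
        signature = _hs256(KEYS[kid], (protected + "." + body).encode("ascii"))
        # kid goes in the unprotected header: it only selects a key; the signature
        # check still decides whether that key is acceptable.
        signatures.append({"protected": protected, "header": {"kid": kid}, "signature": b64url(signature)})
    return {"payload": body, "signatures": signatures}


def verify_general(jws, allowed_algs=("HS256",)):
    """Verify every signature and return the decoded voucher; alg is read from the
    protected header only and must be on the allow-list (so 'none' is rejected)."""
    body = jws["payload"]
    if not jws.get("signatures"):
        raise ValueError("no signatures present")
    for entry in jws["signatures"]:
        protected = json.loads(b64url_decode(entry["protected"]))
        alg = protected.get("alg")
        if alg not in allowed_algs:
            raise ValueError("disallowed alg %r" % (alg,))
        kid = protected.get("kid", entry.get("header", {}).get("kid"))
        key = KEYS.get(kid)
        if key is None:
            raise ValueError("unknown kid %r" % (kid,))
        expected = _hs256(key, (entry["protected"] + "." + body).encode("ascii"))
        if not hmac.compare_digest(expected, b64url_decode(entry["signature"])):
            raise ValueError("signature check failed for kid %r" % (kid,))
    return json.loads(b64url_decode(body))


def is_valid(jws):
    try:
        verify_general(jws)
        return True
    except (ValueError, KeyError):
        return False


def demo():
    """Two-signature voucher, a payload-tampered copy, and an added alg=none entry."""
    good = general_serialize(VOUCHER, ["masa-key-1", "registrar-key-1"])
    tampered = copy.deepcopy(good)
    forged = copy.deepcopy(VOUCHER)
    forged["ietf-voucher:voucher"]["assertion"] = "verified"
    tampered["payload"] = b64url(_compact_json(forged))
    alg_none = copy.deepcopy(good)
    alg_none["signatures"].append(
        {"protected": b64url(_compact_json({"alg": "none", "kid": "masa-key-1"})), "signature": ""})
    return {
        "signature_count": len(good["signatures"]),
        "good_valid": is_valid(good),
        "tampered_valid": is_valid(tampered),
        "alg_none_valid": is_valid(alg_none),
        "compact_parts": len(compact_serialize(VOUCHER, "masa-key-1").split(".")),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A general-serialization object with a single entry can be rewritten as a compact JWS (header, payload and signature are the same bytes); one with two entries cannot, which is the property the draft text relies on when it says the general syntax is used "to support multiple signatures". The verifier deliberately fails closed when any one signature does not verify; whether a particular deployment needs all signatures or only the MASA's is a policy decision the draft, not this example, settles.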