Return-Path: X-Original-To: anima@ietfa.amsl.com Delivered-To: anima@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16174C14CF18; Tue, 10 Sep 2024 14:39:46 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -7.005 X-Spam-Level: X-Spam-Status: No, score=-7.005 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 54D161tFBy6C; Tue, 10 Sep 2024 14:39:41 -0700 (PDT) Received: from mail-pj1-x102b.google.com (mail-pj1-x102b.google.com [IPv6:2607:f8b0:4864:20::102b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D50A6C14F6EA; Tue, 10 Sep 2024 14:39:41 -0700 (PDT) Received: by mail-pj1-x102b.google.com with SMTP id 98e67ed59e1d1-2d877e9054eso4052927a91.3; Tue, 10 Sep 2024 14:39:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1726004381; x=1726609181; darn=ietf.org; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:from:to:cc:subject:date:message-id:reply-to; bh=pF/EySUzjAlUaNx0Umey1AHmUWOY9Y0splW6WjTvpLU=; b=N1JRPWfcYEeOXnyPZruaxCBw5LjcZzNYRo75en1X1V7HB2/KuzVU5o1Uq+QmMG3IKK ba+X+CLEZKna1Eg5MU67/rmyCx3kCjLe6sekxyRYswgnocBNBEkI1zIQZpH7U6xVTqOF AOjByo0Co1hhfkR7aaH6obBu58LvgPg5wRAWCN9QX3jClmKdOUPyHsktp0+WgLyEJAN8 X3b+im0iH5sUe9LSDurNSYei68McPFOOmCRee0C5JIUQKJUtjwhMENDtO81EcO2kd41F /XgQ9fCD+y+ETXpxmRUkQxGH/k7k1MVECfZCSeF4q9y9r8iTPFrccvOxcduyIpGeBa40 pKhw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1726004381; x=1726609181; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=pF/EySUzjAlUaNx0Umey1AHmUWOY9Y0splW6WjTvpLU=; b=Fo5bdy6nzUjrU1Q4OtJjZyOXp4Ke21N7NNFacT+cD4Ke7GTXVKEtgDSPD7NLM5feEJ 1S21A/Z3/UJmzmo8aMM76SA8rA+lYe0YamPrvZnlrn82oJuP/4PQ3zkum8oev+GMCkkK 5qzCwrHFOwUTLJIsCR9ucpBK//YCbMsRTIVkCbouh3J9rWA+bLaQiHg6GLYqOnK83/G8 AU9mQ9NqFkZT4RxwyD6TEcwy1HhICz6YR7rR9qatQsKqdh6Um7thnwA1762xHTVdLf5g Z0H/bzPQsJxWRCOTaTJgkkTlDqkNMLYZ2mwjyu20xkFwv2tE3nsGas0oGBxzcCIXXyxs +dIA== X-Forwarded-Encrypted: i=1; AJvYcCU4SJ7h1CzgEsqmNyPtzx7WOpq7KN8ZvtReyYuFe2MF/vUgk/gSkG5CO2D5YAL4Mi8DMoVAHlQ=@ietf.org, AJvYcCUeDW/1E1NPmDeqF57SSyBcrnOZIoqDU4JfeR8ngF05BYiPQJ5GgziFTbdSF4/vbqOsBp5KGSdqyadR9Po=@ietf.org X-Gm-Message-State: AOJu0YyIjVRyF2ttC+xwv1AEFvtYA8E71WO1GL/bodehmx1FqaaFnljD Oo5QoWkY3akHyu+Y46Ug8UZuNfspBxqprcdUf7C1uhg1p9WfjF48rPVpVlnA X-Google-Smtp-Source: AGHT+IG4XlZyi3DHy6WEVoJQ68WhcQQURR9ZuhjQg/c//d4F35TYmX64rQiy0u0+F/FD6Mo3+eT3HQ== X-Received: by 2002:a17:90b:894:b0:2da:da85:b705 with SMTP id 98e67ed59e1d1-2daffa7ee49mr13865231a91.14.1726004380742; Tue, 10 Sep 2024 14:39:40 -0700 (PDT) Received: from smtpclient.apple ([70.234.233.187]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-2db04136b9fsm6955419a91.9.2024.09.10.14.39.37 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 10 Sep 2024 14:39:40 -0700 (PDT) From: Mahesh Jethanandani Message-Id: <8F88B625-1B40-401D-A3A9-FBBF85269AEA@gmail.com> Content-Type: multipart/alternative; boundary="Apple-Mail=_E2D9FA08-2B91-45EB-83A0-CB9A8ED6DE78" Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.15\)) Date: Tue, 10 Sep 2024 14:39:35 -0700 In-Reply-To: To: "Werner, Thomas" References: <8D26525D-BEE5-427C-ABA4-5F4B5A1021D1@gmail.com> X-Mailer: Apple Mail (2.3654.120.0.1.15) Message-ID-Hash: 5CNFI6Q7XTKBM36DPLXS6ZCOILT5VE5V X-Message-ID-Hash: 5CNFI6Q7XTKBM36DPLXS6ZCOILT5VE5V X-MailFrom: mjethanandani@gmail.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-anima.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: "draft-ietf-anima-jws-voucher@ietf.org" , "anima-chairs@ietf.org" , "anima@ietf.org" X-Mailman-Version: 3.3.9rc4 Precedence: list Subject: =?utf-8?q?=5BAnima=5D_Re=3A_I-D_Action=3A_draft-ietf-anima-jws-voucher-11=2C?= =?utf-8?q?_WAS_AW=3A_AD_review_of_draft-ietf-anima-jws-voucher-10?= List-Id: Autonomic Networking Integrated Model and Approach Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: --Apple-Mail=_E2D9FA08-2B91-45EB-83A0-CB9A8ED6DE78 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=utf-8 Hi Thomas, Thanks for addressing most of the comments. Here are just a couple more. Pledge Voucher Request (PVR) vs Pledge-Voucher-Request (PVR)? Did you run idnits on the document, or look for the result of idnits = during submission. You would have noticed that = [I-D.draft-ietf-anima-constrained-voucher] does not resolve. It should = be [I-D.ietf-anima-constrained-voucher] (no need to have the word = draft). Thanks. > On Sep 10, 2024, at 8:52 AM, Werner, Thomas = wrote: >=20 > Hello Mahesh, all, > =20 > FYI =E2=80=A6 just uploaded new version [Anima] I-D Action: = draft-ietf-anima-jws-voucher-11 > Including the feedback provided by AD review. > =20 > Thanks and regards > Thomas > =20 > Von: internet-drafts@ietf.org = internet-drafts@ietf.org > Datum: Dienstag, 10. September 2024 um 17:37 > An: i-d-announce@ietf.org = i-d-announce@ietf.org > Cc: anima@ietf.org anima@ietf.org = > Betreff: [Anima] I-D Action: draft-ietf-anima-jws-voucher-11.txt >=20 > Internet-Draft draft-ietf-anima-jws-voucher-11.txt is now available. = It is a > work item of the Autonomic Networking Integrated Model and Approach = (ANIMA) WG > of the IETF. >=20 > Title: JWS signed Voucher Artifacts for Bootstrapping Protocols > Authors: Thomas Werner > Michael Richardson > Name: draft-ietf-anima-jws-voucher-11.txt > Pages: 16 > Dates: 2024-09-10 >=20 > Abstract: >=20 > I-D.draft-ietf-anima-rfc8366bis defines a digital artifact called > voucher as a YANG-defined JSON document that is signed using a > Cryptographic Message Syntax (CMS) structure. This document > introduces a variant of the voucher artifact in which CMS is = replaced > by the JSON Object Signing and Encryption (JOSE) mechanism = described > in RFC7515 to support deployments in which JOSE is preferred over > CMS. >=20 > In addition to explaining how the format is created, the > "application/voucher-jws+json" media type is registered and = examples > are provided. >=20 > The IETF datatracker status page for this Internet-Draft is: > = https://eur01.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F%2Fdatatr= acker.ietf.org%2Fdoc%2Fdraft-ietf-anima-jws-voucher%2F&data=3D05%7C02%7Cth= omas-werner%40siemens.com%7C2342b573a20b436d0f1a08dcd1ae8844%7C38ae3bcd957= 94fd4addab42e1495d55a%7C1%7C0%7C638615794761412298%7CUnknown%7CTWFpbGZsb3d= 8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C= %7C%7C&sdata=3D%2FpAL7JxZq3yD9YH6NDlDrDF7msBCsKURh9i635aA1j4%3D&reserved=3D= 0 >=20 > There is also an HTML version available at: > = https://eur01.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F%2Fwww.ie= tf.org%2Farchive%2Fid%2Fdraft-ietf-anima-jws-voucher-11.html&data=3D05%7C0= 2%7Cthomas-werner%40siemens.com%7C2342b573a20b436d0f1a08dcd1ae8844%7C38ae3= bcd95794fd4addab42e1495d55a%7C1%7C0%7C638615794761421749%7CUnknown%7CTWFpb= GZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%= 7C0%7C%7C%7C&sdata=3D6Ho84ccv29TGVCzFa%2Foo3o7e4%2BhhXT95lrl9OpFJRN8%3D&re= served=3D0 = >=20 > A diff from the previous version is available at: > = https://eur01.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F%2Fauthor= -tools.ietf.org%2Fiddiff%3Furl2%3Ddraft-ietf-anima-jws-voucher-11&data=3D0= 5%7C02%7Cthomas-werner%40siemens.com%7C2342b573a20b436d0f1a08dcd1ae8844%7C= 38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C638615794761428407%7CUnknown%7C= TWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn= 0%3D%7C0%7C%7C%7C&sdata=3Dc3ZNIWKrpycHQKrVTjSsyCsZS8HeeXkfL%2B13hCpUoL8%3D= &reserved=3D0 = >=20 > Internet-Drafts are also available by rsync at: > rsync.ietf.org ::internet-drafts >=20 >=20 > _______________________________________________ > Anima mailing list -- anima@ietf.org > To unsubscribe send an email to anima-leave@ietf.org = > =20 > =20 > =20 > =20 > =20 > Von: Mahesh Jethanandani > > Datum: Mittwoch, 28. August 2024 um 00:46 > An: draft-ietf-anima-jws-voucher@ietf.org = = > > Cc: anima-chairs@ietf.org = >, anima@ietf.org = > > Betreff: AD review of draft-ietf-anima-jws-voucher-10 >=20 > Back in February I had provided comments as an individual contributor. = Thanks for addressing them. > =20 > This is my AD comments that are divided between COMMENTs and NITs. I = hope to see responses to the COMMENTs. while NITs are there FYI.=20 > =20 > =20 > = --------------------------------------------------------------------------= ----- > COMMENT > = =E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2= =80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80= =94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94= =E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2= =80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94 > =20 > This document updates RFC8366, but does not seem to include = explanatory text > about this in the abstract. > =20 > "Abstract", paragraph 0 > > [I-D.draft-ietf-anima-rfc8366bis] defines a digital artifact = called > > voucher as a YANG-defined JSON document that is signed using a > > Cryptographic Message Syntax (CMS) structure. This document > > introduces a variant of the voucher artifact in which CMS is = replaced > > by the JSON Object Signing and Encryption (JOSE) mechanism = described > > in RFC7515 to support deployments in which JOSE is preferred over > > CMS. > =20 > An Abstract cannot have a reference. Please change the reference to = I-D.draft-ietf-anima-rfc8366bis to plain text. > =20 > Section 2, paragraph 5 > > Voucher: A short form for voucher artifact and refers to the = signed > > statement from the MASA service that indicates to a pledge the > > cryptographic identity of the domain it should trust, per > > [I-D.draft-ietf-anima-rfc8366bis]. > =20 > Please add definition and expansion on first use of terms such as = MASA. Also you need to define Pledge (with a capital P), or point to a = definition in another document. Avoid mixing capitalization between = Pledge and pledge. > =20 > Section 3, paragraph 6 > > A "JWS JSON Serialization Overview" is given in Section 3.2 of > > [RFC7515] and more details on the JWS serializations in Section 7 = of > > [RFC7515]. This document makes use of the "General JWS JSON > > Serialization Syntax" of [RFC7515] to support multiple = signatures, as > > already supported by [RFC8366] for CMS-signed vouchers. > =20 > Since the document mentions two forms of serialization, it would help = to understand the choice. Was the choice of "General JWS JSON = Serialization Syntax" to support multiple signatures? Why was the "JWS = Compact Serialization" not chosen? > =20 > Section 4, paragraph 2 > > This request occurs via HTTP-over-TLS, however, for the = Pledge-to- > > Registrar TLS connection, the Pledge is provisionally accepting = the > > Registrar server certificate. Hence it is subject to disclosure = by a > > Dolev-Yao attacker (a "malicious messenger") [ON-PATH], as = explained > > in Section 10.2 of [BRSKI]. > =20 > The first sentence does not parse for me. Can it be reworded? > =20 > Found terminology that should be reviewed for inclusivity; see > https://www.rfc-editor.org/part2/#inclusive_language = for background = and more > guidance: > =20 > * Term "he"; alternatives might be "they", "them", "their" > =20 > = --------------------------------------------------------------------------= ----- > NIT > = --------------------------------------------------------------------------= ----- > =20 > All comments below are about very minor potential issues that you may = choose to > address in some way - or ignore - as you see fit. Some were flagged by > automated tools (via https://github.com/larseggert/ietf-reviewtool = ), so there > will likely be some false positives. There is no need to let me know = what you > did with these suggestions. > =20 > Section 1, paragraph 2 > > This document provides cryptographic signing of the JSON voucher = data > > in form of JSON Web Signature (JWS) [RFC7515] and the media type > > "application/voucher-jws+json". The encoding specified in this > > document is used by [I-D.ietf-anima-brski-prm] and may be more = handy > > for use cases already using Javascript Object Signing and = Encryption > > (JOSE). This document should be considered as enhancement of > > [I-D.draft-ietf-anima-rfc8366bis], > > as it provides a new voucher form with media type "application/ > > voucher-jws+json" and the related serialization. It does not = extend > > the YANG definition of [I-D.draft-ietf-anima-rfc8366bis]. > =20 > I continue to see inconsistent use of capitalization for terms defined = or used in this document. E.g. JSON voucher data, and JSON Voucher Data. > =20 > Section 3.2, paragraph 0 > > The JSON Voucher Data is an unsigned JSON document [RFC8259] that > > conforms with the data model described by the ietf-voucher YANG > > module [RFC7950] defined in Section 5.3 of > > [I-D.draft-ietf-anima-rfc8366bis] and is encoded using the rules > > defined in [RFC7951]. The following figure provides an example = of > > JSON Voucher Data: > =20 > Please correct the reference to the Section number in = I-D.draft-ietf-anima-rfc8366bis. It should be 7.3. > =20 > Section 3.3, paragraph 3 > > To validate voucher signatures all certificates of the = certificate > > chain are required up to the trust anchor, Note, to establish = trust > > the trust anchor SHOULD be provided out-of-band upfront. This is > > consistent with Section 5.5.2 of [BRSKI]. > =20 > s/to the trust anchor, Note,/to the trust anchor. Note,/ > =20 > Document references draft-ietf-anima-rfc8366bis-11, but -12 is the = latest > available revision. > =20 > Document references draft-ietf-anima-brski-prm-12, but -15 is the = latest > available revision. > =20 > Document references draft-ietf-anima-constrained-voucher-24, but -25 = is the > latest available revision. > =20 > Paragraph 4 > > type is registered and examples are provided. Status of This Memo = This Inte > > ^^^^^^^^^^^^ > You have used the passive voice repeatedly in nearby sentences. To = make your > writing clearer and easier to read, consider using active voice. > =20 > Section 2, paragraph 3 > > on first use of terms such as MASA. Also you need to define Pledge = (with a c > > ^^^^ > A comma may be missing after the conjunctive/linking adverb "Also". > =20 > Section 3.1, paragraph 6 > > JSON [RFC8259] optionally allows to escape these with backslashes = ('\'). Hen > > ^^^^^^^^^ > Did you mean "escaping"? Or maybe you should add a pronoun? In active = voice, > "allow" + "to" takes an object, usually a pronoun. > =20 > Section 3.3, paragraph 3 > > the Registrar server certificate. Hence it is subject to disclosure = by a Do > > ^^^^^ > A comma may be missing after the conjunctive/linking adverb "Hence". >=20 > Mahesh Jethanandani > mjethanandani@gmail.com Mahesh Jethanandani mjethanandani@gmail.com --Apple-Mail=_E2D9FA08-2B91-45EB-83A0-CB9A8ED6DE78 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=utf-8 Hi = Thomas,

Thanks for = addressing most of the comments. Here are just a couple more.

Pledge Voucher Request = (PVR) vs Pledge-Voucher-Request (PVR)?

Did you run idnits on the document, or = look for the result of idnits during submission. You would have noticed = that [I-D.draft-ietf-anima-constrained-voucher] does not resolve. It = should be [I-D.ietf-anima-constrained-voucher] (no need to have the word = draft).

Thanks.

On Sep 10, 2024, at 8:52 AM, = Werner, Thomas <thomas-werner@siemens.com> wrote:

Hello Mahesh, all,
 
FYI =E2=80=A6 just uploaded new version  [Anima] I-D Action: = draft-ietf-anima-jws-voucher-11
Including the = feedback provided by AD review.
 
Thanks and regards
Thomas
 

Von: internet-drafts@ietf.org internet-drafts@ietf.org
Datum: Dienstag, 10. September 2024 um 17:37
An: i-d-announce@ietf.org i-d-announce@ietf.org
Cc: anima@ietf.org anima@ietf.org
Betreff: [Anima] I-D Action: = draft-ietf-anima-jws-voucher-11.txt

Internet-Draft draft-ietf-anima-jws-voucher-11.txt is now = available. It is a
work item of the Autonomic Networking = Integrated Model and Approach (ANIMA) WG
of the IETF.

   Title:   JWS signed = Voucher Artifacts for Bootstrapping Protocols
   = Authors: Thomas Werner
          &nb= sp; Michael Richardson
   = Name:    draft-ietf-anima-jws-voucher-11.txt
   Pages:   16
   = Dates:   2024-09-10

Abstract:

   I-D.draft-ietf-anima-rfc8366bis = defines a digital artifact called
   voucher as = a YANG-defined JSON document that is signed using a
   Cryptographic Message Syntax (CMS) = structure.  This document
   introduces a = variant of the voucher artifact in which CMS is replaced
   by the JSON Object Signing and Encryption (JOSE) = mechanism described
   in RFC7515 to support = deployments in which JOSE is preferred over
   = CMS.

   In addition to explaining = how the format is created, the
   = "application/voucher-jws+json" media type is registered and examples
   are provided.

The = IETF datatracker status page for this Internet-Draft is:
https://eur01.safelinks.protection.outlook.com/?url=3Dhttps%3A%= 2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-ietf-anima-jws-voucher%2F&data= =3D05%7C02%7Cthomas-werner%40siemens.com%7C2342b573a20b436d0f1a08dcd1ae884= 4%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C638615794761412298%7CUnknow= n%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVC= I6Mn0%3D%7C0%7C%7C%7C&sdata=3D%2FpAL7JxZq3yD9YH6NDlDrDF7msBCsKURh9i635= aA1j4%3D&reserved=3D0

There = is also an HTML version available at:
https://eur01.safelinks.protection.outlook.com/?url=3Dhttps%3A%= 2F%2Fwww.ietf.org%2Farchive%2Fid%2Fdraft-ietf-anima-jws-voucher-11.html&am= p;data=3D05%7C02%7Cthomas-werner%40siemens.com%7C2342b573a20b436d0f1a08dcd= 1ae8844%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C638615794761421749%7C= Unknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwi= LCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=3D6Ho84ccv29TGVCzFa%2Foo3o7e4%2BhhXT= 95lrl9OpFJRN8%3D&reserved=3D0

A = diff from the previous version is available at:
https://eur01.safelinks.protection.outlook.com/?url=3Dhttps%3A%= 2F%2Fauthor-tools.ietf.org%2Fiddiff%3Furl2%3Ddraft-ietf-anima-jws-voucher-= 11&data=3D05%7C02%7Cthomas-werner%40siemens.com%7C2342b573a20b436d0f1a= 08dcd1ae8844%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C6386157947614284= 07%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1= haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=3Dc3ZNIWKrpycHQKrVTjSsyCsZS8Hee= XkfL%2B13hCpUoL8%3D&reserved=3D0

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts


_______________________________________________
Anima mailing list -- anima@ietf.org
To = unsubscribe send an email to anima-leave@ietf.org
 
 
 
 
 

Von: Mahesh Jethanandani <mjethanandani@gmail.com>Datum: Mittwoch, 28. August = 2024 um 00:46
An: draft-ietf-anima-jws-voucher@ietf.org <draft-ietf-anima-jws-voucher@ietf.org>
Cc: anima-chairs@ietf.org <anima-chairs@ietf.org>, anima@ietf.org <anima@ietf.org>
Betreff: AD review of = draft-ietf-anima-jws-voucher-10

Back in February I had = provided comments as an individual contributor. Thanks for addressing = them.
 
This is my AD comments that = are divided between COMMENTs and NITs. I hope to see responses to the = COMMENTs. while NITs are there FYI. 
 
 
---------------------------------------------------------------= ----------------
COMMENT
=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94= =E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2= =80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80= =94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94= =E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94=E2=80=94
 
This = document updates RFC8366, but does not seem to include = explanatory text
about this in the abstract.
 
"Abstract", paragraph 0
>   =  [I-D.draft-ietf-anima-rfc8366bis] defines a digital artifact = called
>    voucher as a YANG-defined JSON document = that is signed using a
>    Cryptographic Message = Syntax (CMS) structure.  This document
>   =  introduces a variant of the voucher artifact in which CMS is = replaced
>    by the JSON Object Signing and Encryption = (JOSE) mechanism described
>    in RFC7515 to support = deployments in which JOSE is preferred over
>   =  CMS.
 
An Abstract cannot have a reference. Please change the = reference to I-D.draft-ietf-anima-rfc8366bis to plain text.
 
Section = 2, paragraph 5
>    Voucher:  A short form for voucher = artifact and refers to the signed
>       statement from = the MASA service that indicates to a pledge the
>   =     cryptographic identity of the domain it should trust, = per
> =       [I-D.draft-ietf-anima-rfc8366bis].
 
Please = add definition and expansion on first use of terms such as MASA. Also = you need to define Pledge (with a capital P), or point to a definition = in another document. Avoid mixing capitalization between Pledge and = pledge.
 
Section 3, paragraph 6
>    A "JWS JSON = Serialization Overview" is given in Section 3.2 of
>   =  [RFC7515] and more details on the JWS serializations in Section 7 = of
> =    [RFC7515].  This document makes use of the "General = JWS JSON
>    Serialization Syntax" of [RFC7515] to = support multiple signatures, as
>    already supported by = [RFC8366] for CMS-signed vouchers.
 
Since = the document mentions two forms of serialization, it would help to = understand the choice. Was the choice of "General JWS JSON Serialization = Syntax" to support multiple signatures? Why was the "JWS Compact = Serialization" not chosen?
 
Section = 4, paragraph 2
>    This request occurs via HTTP-over-TLS, = however, for the Pledge-to-
>    Registrar TLS = connection, the Pledge is provisionally accepting the
>   =  Registrar server certificate.  Hence it is subject to = disclosure by a
>    Dolev-Yao attacker (a "malicious = messenger") [ON-PATH], as explained
>    in Section 10.2 of = [BRSKI].
 
The first sentence does not parse for me. Can it be = reworded?
 
Found terminology that should be reviewed for inclusivity; = see
https://www.rfc-editor.org/part2/#inclusive_language for background and more
guidance:
 
 * = Term "he"; alternatives might be "they", "them", "their"
 
---------------------------------------------------------------= ----------------
NIT
---------------------------------------------------------------= ----------------
 
All comments below are about very minor potential issues that = you may choose to
address in some way - or ignore - as you see fit. Some were = flagged by
automated tools (via https://github.com/larseggert/ietf-reviewtool), so = there
will likely be some false positives. There is no need to let = me know what you
did with these suggestions.
 
Section = 1, paragraph 2
>    This document provides cryptographic = signing of the JSON voucher data
>    in form of JSON Web = Signature (JWS) [RFC7515] and the media type
>   =  "application/voucher-jws+json".  The encoding specified in = this
>    document is used by = [I-D.ietf-anima-brski-prm] and may be more handy
>   =  for use cases already using Javascript Object Signing and = Encryption
>    (JOSE).  This document should be = considered as enhancement of
>   =  [I-D.draft-ietf-anima-rfc8366bis],
>   =  as it provides a new voucher form with media type = "application/
>    voucher-jws+json" and the related = serialization.  It does not extend
>   =  the YANG definition of [I-D.draft-ietf-anima-rfc8366bis].
 
I = continue to see inconsistent use of capitalization for terms defined or = used in this document. E.g. JSON voucher data, and JSON Voucher = Data.
 
Section 3.2, paragraph 0
>    The JSON Voucher Data = is an unsigned JSON document [RFC8259] that
>   =  conforms with the data model described by the ietf-voucher = YANG
>    module [RFC7950] defined in Section 5.3 = of
> =    [I-D.draft-ietf-anima-rfc8366bis] and is encoded using the = rules
>    defined in [RFC7951].  The following = figure provides an example of
>    JSON Voucher Data:
 
Please = correct the reference to the Section number in = I-D.draft-ietf-anima-rfc8366bis. It should be 7.3.
 
Section = 3.3, paragraph 3
>    To validate voucher signatures all = certificates of the certificate
>    chain are required up = to the trust anchor, Note, to establish trust
>   =  the trust anchor SHOULD be provided out-of-band upfront. =  This is
>    consistent with Section 5.5.2 of = [BRSKI].
 
s/to the trust anchor, Note,/to the trust anchor. Note,/
 
Document= references draft-ietf-anima-rfc8366bis-11, but -12 is the latest
available = revision.
 
Document references draft-ietf-anima-brski-prm-12, but -15 is = the latest
available revision.
 
Document= references draft-ietf-anima-constrained-voucher-24, but -25 is the
latest = available revision.
 
Paragraph 4
>  type is registered and = examples are provided. Status of This Memo This Inte
>   =                     =            ^^^^^^^^^^^^
You have = used the passive voice repeatedly in nearby sentences. To make your
writing = clearer and easier to read, consider using active voice.
 
Section = 2, paragraph 3
> on first use of terms such as MASA. Also you need to = define Pledge (with a c
>           =                     =       ^^^^
A comma may be missing after the = conjunctive/linking adverb "Also".
 
Section = 3.1, paragraph 6
>  JSON [RFC8259] optionally allows to escape these = with backslashes ('\'). Hen
>           =                     =     ^^^^^^^^^
Did you mean "escaping"? Or maybe you = should add a pronoun? In active voice,
"allow" + = "to" takes an object, usually a pronoun.
 
Section = 3.3, paragraph 3
>  the Registrar server certificate. Hence it is = subject to disclosure by a Do
>           =                     =      ^^^^^
A comma may be missing after the = conjunctive/linking adverb "Hence".

Mahesh = Jethanandani


Mahesh = Jethanandani
mjethanandani@gmail.com






= --Apple-Mail=_E2D9FA08-2B91-45EB-83A0-CB9A8ED6DE78--