Re: [Anima] Genart telechat review of draft-ietf-anima-bootstrapping-keyinfra-28
Dan Romascanu <dromasca@gmail.com> Wed, 16 October 2019 19:47 UTC
Return-Path: <dromasca@gmail.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC1CC1200FA; Wed, 16 Oct 2019 12:47:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5lJy--AaCSp0; Wed, 16 Oct 2019 12:47:01 -0700 (PDT)
Received: from mail-il1-x144.google.com (mail-il1-x144.google.com [IPv6:2607:f8b0:4864:20::144]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 79E9D120020; Wed, 16 Oct 2019 12:47:01 -0700 (PDT)
Received: by mail-il1-x144.google.com with SMTP id o16so3871574ilq.7; Wed, 16 Oct 2019 12:47:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=+3YvdDGINQXZbw3/AP1V+z61W+jgUY0aNfbavWebm9Y=; b=UBrrjoH0rFGfy6GNj2KKW2vf6inUd9XalZD4aLF3nNOkKgBgvgWuUrE37SUqwT+86G tehD+D62fKCsjgln0DnndZIKXx7Cd+8+EH4dw/gG/Z/veT1uTgimhPEw0lp5trXeiv9O IoD4Kc1JBIwvoEg9nN9BOb/2Jtg/It5tioZ2jBbmiz8cItj+BuanlcBSzc0JBk0HWCE1 yLNv3H9j1SDe7KdQRgrCQ5CdhOzMd9Tj7GL4uuFGS+ZExeFzjgFgidbOaU1FPTdx98H5 WhJi57jLrVCjgnwQdy3MbqewuKbmH+NkNqtr08mbb3Nmx+dMkiX/eRdr0qZ53scEVj+5 YsJA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=+3YvdDGINQXZbw3/AP1V+z61W+jgUY0aNfbavWebm9Y=; b=YT6Jr4y9UtR6qy/O2eQw/jrwSAOiXOHGkfGz2h6OAnWZQpKC7DSeNczqvZOff581aL gag3UG96ZdjReXKk8zmXKME3Kh+LEQnYvizHs1h/c48l6Qlj3cwL2NFUQYHlYo0d3IQ2 qXmv96nwKuFwBDp5VEoYgG96r1BgytE1ZHMyjhCxdgwIesXD35N+NPpd5sVEgKdzUUI9 +qu2CjYfr4xL2xP8k2LT/PVdECNgsrBKI/wKxCTKv+DBkVOSj+fyrn6d4HOM+v6GAifj rr33uvcPxNMGQrWnEDbTRM9pnyE7ciL+vlvbCAuF1kaunwpXO+m/A8Um+hHVuJdNg9I4 veUQ==
X-Gm-Message-State: APjAAAVi1joULEm1q+4Qn1NDTDa2x6uhpoGsfPOwRRmTBT98UsqQdfEA bTa+4z5lrjydLgrBZzOaCXLXLCVwmZNcqoi8yUs=
X-Google-Smtp-Source: APXvYqwPUUdfdBJjqzSzzc1gU+v7BfNfieesvbhi9tu0oc3fAIsBVLiTqgwi78txoZVbIZaaqrujQdZ+tTseWR+BYwY=
X-Received: by 2002:a92:83c5:: with SMTP id p66mr14251805ilk.204.1571255220722; Wed, 16 Oct 2019 12:47:00 -0700 (PDT)
MIME-Version: 1.0
References: <157095596011.20750.2703747454081790983@ietfa.amsl.com> <07d95e86-28a5-6e7d-fb62-6915192e1c02@sandelman.ca>
In-Reply-To: <07d95e86-28a5-6e7d-fb62-6915192e1c02@sandelman.ca>
From: Dan Romascanu <dromasca@gmail.com>
Date: Wed, 16 Oct 2019 22:46:48 +0300
Message-ID: <CAFgnS4Uw8w3rQdhwUNSP_pvbxrKq6U8vzUELn4TqJiZR+QHW-w@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: anima@ietf.org, The IESG <iesg@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000048630805950c5d64"
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/QIGY2HD-E_EWEcvI4t9lbl4FkQg>
Subject: Re: [Anima] Genart telechat review of draft-ietf-anima-bootstrapping-keyinfra-28
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Oct 2019 19:47:04 -0000
Hi Michael, Sounds good. Thanks for addressing my comments. Regards, Dan On Wed, Oct 16, 2019 at 9:04 PM Michael Richardson <mcr+ietf@sandelman.ca> wrote: > On 2019-10-13 4:39 a.m., Dan Romascanu via Datatracker wrote: > > Reviewer: Dan Romascanu > > Review result: Ready with Issues > > > > I am the assigned Gen-ART reviewer for this draft. The General Area > > Thank you for this. > I will the majority of your issues with a -29 that I'll post this week. > Given that most of your issues are minor, I don't think that they will > affect the views of the IESG on Thursday, so I might not post it before > Thursday's IESG call. > > Here is a diff though: https://tinyurl.com/y5l4xz3z > > > I also observe that the document has consistent Operational implications > but > > there is no OPS-DIR review so far, as well as a YANG module and several > other > > references to YANG, but there is no YANG Doctors review. I hope that > these will > > be available prior to the IESG review. > > On the topic of YANG Doctor: I think that we did ask for a review at > some point a long time ago.. Kent Watsen, one of the authors is also one > of the YANG Doctors, so I feel pretty confident that we got that part > right, but I agree, we could have asked more clearly. (Update: Tom has > done one, and I'll act on it) > > I don't know why we have no OPS-DIR review. > I see in the DT that an ARTART review is pending as well for today. > > > 1. The Pledge definition in section 1.2: > > > >> Pledge: The prospective device, which has an identity installed at > > the factory. > > > > while in the Introduction: > > > >> ... new (unconfigured) devices that are called pledges in this > > document. > > > > These two definitions seem different. The definition in 1.2 does not > include > > the fact that the device is 'new (unconfigured'. Also, arguably 'identity > > installed at the factory' may be considered a form of configuration. > > To me IDevID that is installed is not really any different than the fact > that the device has firmware loaded. If a router needs to be told in the > factory that it is a 24+4 switch, I don't consider that configuration, > and this is really no different. > There is no site-specific configuration is the point. > I've made the text between the two places a bit more consistent. > > > 2. The document lacks an Operational Considerations section, which I > believe is > > needed, taking into consideration the length and complexity of the > document. > > There are many operational issues spread across the document concerning > the > > type and resources of devices, speed of the bootstrapping process, > migration > > pass, impact on network operation. I suggest to consider adding such a > section > > pointing to the place where these issues are discussed and adding the > necessary > > information if missing. Appendix A.1 in RFC 5706 can be used as a > checklist of > > the issues to be discussed in such a section. > > I took a look through 5706, and through the Appendix A.1. > (I really like the RFC2119-non-text in 5706, and I will use it myself) > > I had already started two documents: Operational Considerations for > Manufacturer Authorized Signing Authority, and Operational > Considerations for BRSKI Registrar, but they are just skeletons. > I think that a great deal of the ANIMA ACP Operational Considerations > are covered in the ACP document. > > So while I agree that we need the content you are asking for, I'm > reluctant to add this new section at this time. Part of this is because > I'm not sure that we know enough yet: there are only two known > implementations of MASA, and we still have some interop gotchas that we > haven't had time to solve those yet. > Or to put it another way: trying to make up Operational Considerations > is probably going to get in the way of actually gaining operational > experience :-) > > > > 3. Section 5.4: > > > >> Use of TLS 1.3 (or newer) is encouraged. TLS 1.2 or newer is > > REQUIRED. > > > > What is the reason for using 'encouraged'? Why not RECOMMENDED? > > RECOMMENDED is a synonym for SHOULD. > SHOULD is too strong at this point. There are no technical reasons why > TLS 1.2 is good enough if you implement it wisely. > We already had this discussion with SecAD, etc. > A product manager might delay shipping in order to wait for the TLS 1.3 > libraries to get through FIPS if we wrote SHOULD, etc. > > > Nits/editorial comments: > > > > 1. The Abstract includes: > > > > 'To do this a Remote Secure Key Infrastructure (BRSKI) is created' > > > > Later in the document BRSKI is identified as a protocol. It would be > good to > > clarify if BRSKI = BRSKI protocol > > I have changed the abstract to say: > > To do this a Secure Key Infrastructure is > bootstrapped. This is done using manufacturer installed > X.509 certificates, in combination with a manufacturer's > authorizing > service, both online and offline. We call this process the > Bootstrapping Remote Secure Key Infrastructure (BRSKI) protocol, > pronounced "brewski". > > > > 2. In Section 1 - Introduction, 3rd paragraph: > > > > s/it's default modes/its default modes/ > > s/it's strongest modes/its strongest modes/ > > fixed. > > > 3. Please expand non-obvious acronyms at first occurrence: EST protocol, > > Seems to be done correctly. > > > LLNs, > > fixed > > > REST interface, > updated, and added reference. > > > LDAP, > > This is used once to say that we don't support it, despite RFC5280 > describing it. We don't expand HTTP or FTP on that line though. > I feel that the RFC5280 reference is good here. > > > GRASP, CDDL, CSR > > done. > > > > 4. I would suggest alphabetic order listing of the terms in section 1.2 > > okay. Done. (everyone sing the alphabet song...) > > > > > 5. Section 1.3.1 - a reference for LDevID would be useful > > added. It's a 802.1AR term. > > > 6. Section 7: > > > > s/Use of the suggested mechanism/Use of the suggested mechanisms/ > > fixed. > I will post -29 once I have dealt with the new DISCUSS comments and YANG > Doctor comments. > > _______________________________________________ > Anima mailing list > Anima@ietf.org > https://www.ietf.org/mailman/listinfo/anima >
- [Anima] Genart telechat review of draft-ietf-anim… Dan Romascanu via Datatracker
- Re: [Anima] Genart telechat review of draft-ietf-… Esko Dijk
- Re: [Anima] Genart telechat review of draft-ietf-… Michael Richardson
- Re: [Anima] Genart telechat review of draft-ietf-… tom petch
- Re: [Anima] [Gen-art] Genart telechat review of d… Alissa Cooper
- Re: [Anima] Genart telechat review of draft-ietf-… Michael Richardson
- Re: [Anima] Genart telechat review of draft-ietf-… Dan Romascanu
- Re: [Anima] [Gen-art] Genart telechat review of d… tom petch
- Re: [Anima] [Gen-art] Genart telechat review of d… tom petch
- Re: [Anima] [Gen-art] Genart telechat review of d… Michael Richardson
- Re: [Anima] [Gen-art] Genart telechat review of d… Michael Richardson
- Re: [Anima] [Gen-art] Genart telechat review of d… tom petch
- Re: [Anima] [Last-Call] [Gen-art] Genart telechat… tom petch