Re: [Anima] Alexey Melnikov's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

"Alexey Melnikov" <aamelnikov@fastmail.fm> Thu, 18 July 2019 16:02 UTC

Message-Id: <d9374cbb-5462-4736-b895-287b8e18450c@www.fastmail.com>
In-Reply-To: <29770.1563061936@dooku.sandelman.ca>
References: <156285123896.32459.15810474411321920381.idtracker@ietfa.amsl.com> <29770.1563061936@dooku.sandelman.ca>
Date: Thu, 18 Jul 2019 17:02:11 +0100
From: Alexey Melnikov <aamelnikov@fastmail.fm>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: The IESG <iesg@ietf.org>, draft-ietf-anima-bootstrapping-keyinfra@ietf.org, tte+ietf@cs.fau.de, anima@ietf.org, anima-chairs@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/QgXJ05Mz1K30LBTYwoubBOuX8PA>
Subject: Re: [Anima] Alexey Melnikov's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

Hi Michael,

On Sun, Jul 14, 2019, at 12:52 AM, Michael Richardson wrote:
> Alexey Melnikov via Datatracker <noreply@ietf.org> wrote:
>     > 5) In 8.1:
> 
>     >    This document extends the definitions of "est" (so far defined via
>     > RFC7030) in the "https://www.iana.org/assignments/well-known-uris/
>     > well-known-uris.xhtml" registry as follows:
> 
>     >    o add /.well-known/est/requestvoucher (see Section 5.5 )
> 
>     >    o add /.well-known/est/requestauditlog (see Section 5.7)
> 
>     > The .well-known URIs IANA registry doesn't list anything below the
>     > first level (i.e. "est" in your case). So I think you really want to
>     > have 2 IANA actions here:
> 
>     > a) Add the reference to this document as another reference for "est".
> 
>     > b) create a new registry of "est" URIs and add your 2 URIs above to it
>     > and also populate other entries from the original EST RFC.
> 
> The advice we got from the .well-known expert was that we should have this
> document Updates: RFC7030, and that the /est entry in the registry
> should say "RFC7030, RFCXXXX".  Will this be enough rather than create
> a new registry?  We think that no other /.well-known has a registry.
> 
> Tell us which way to go.

I think the answer depends on whether you want to have an easy way of finding second level URI path components under "est". I personally prefer a new registry, but I understand that it might be a bit more work in the document.

>     > 2.7.  Cloud Registrar
> 
>     >    If the pledge uses a well known URI for contacting a cloud registrar
>     > an Implicit Trust Anchor database (see [RFC7030]) MUST be used to
>     > authenticate service as described in [RFC6125].
> 
>     > Just referencing RFC 6125 is not clear enough, as there are lots of
>     > parameters that need to be specified:
> 
>     >  a) which of CN-ID/DNS-ID/URI-ID/SRV-ID are allowed b) are wildcards
>     > allowed in any of these?
> 
> We think it's up to the manufacturer to define a policy here.
> This section is an out for manufacturers that wish to provide some call-home
> mitigation for when the device is deployed where no ACP can be found.
> Maybe saying "well known URI" is causing a mis-understanding?

On a re-read, the current text looks OK as is.

Best Regards,
Alexey
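The exchange above about Section 2.7 turns on what "as described in [RFC6125]" leaves open: which presented identifier types (CN-ID, DNS-ID, SRV-ID, URI-ID) a pledge accepts when it validates the cloud registrar's certificate, and whether wildcards are allowed. The following is an added example, not code or text from draft-ietf-anima-bootstrapping-keyinfra or from anyone in this thread. It models a pledge checking a registrar certificate against the host part of the registrar URI it was configured with, with the open parameters made explicit in a policy object. The Certificate class is a constructed stand-in for identifiers parsed out of an X.509 certificate, the "_brski-registrar" service label is assumed for the SRV-ID case, and the default policy (DNS-ID only, no wildcards, no CN-ID) is one possible manufacturer choice, not something the draft mandates.

```python
"""Service identity check with an explicit RFC 6125 policy.

Added example, not from the draft or the thread.  A pledge validates the
cloud registrar's certificate against the reference identifier (the host
in the well-known registrar URI).  IdentityPolicy makes the parameters
explicit: accepted identifier types and whether wildcards are allowed.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class IdentityPolicy:
    allow_dns_id: bool = True       # subjectAltName dNSName
    allow_srv_id: bool = False      # subjectAltName otherName SRVName (RFC 4985)
    allow_uri_id: bool = False      # subjectAltName uniformResourceIdentifier
    allow_cn_id: bool = False       # subject CN fallback; RFC 6125 discourages it
    allow_wildcards: bool = False   # "*.example.com" accepted in DNS-ID only


@dataclass(frozen=True)
class Certificate:
    """Constructed stand-in for identifiers parsed out of an X.509 cert."""
    subject_cn: Optional[str] = None
    san_dns: tuple = ()
    san_srv: tuple = ()   # RFC 4985 SRVName as "_service.host" (assumed encoding)
    san_uri: tuple = ()


def _labels(name: str) -> list:
    return name.rstrip(".").lower().split(".")


def dns_id_matches(presented: str, reference: str, allow_wildcards: bool) -> bool:
    """Compare one dNSName with the reference host (RFC 6125 section 6.4.3).

    A wildcard is accepted only as the entire left-most label, matches exactly
    one label, and must have at least two labels to its right, so a
    certificate for "*.com" never matches anything.
    """
    p, r = _labels(presented), _labels(reference)
    if "*" not in presented:
        return p == r
    if not allow_wildcards:
        return False
    if p[0] != "*" or len(p) < 3 or any("*" in label for label in p[1:]):
        return False
    return len(p) == len(r) and p[1:] == r[1:]


def srv_id_matches(presented: str, reference: str, service: str) -> bool:
    """SRV-ID: the service label and the host part must both match exactly."""
    head, _, host = presented.partition(".")
    return head.lower() == service.lower() and dns_id_matches(host, reference, False)


def uri_id_matches(presented: str, reference: str) -> bool:
    """URI-ID: scheme must be https and the host must match exactly (no wildcards)."""
    parts = urlsplit(presented)
    return (parts.scheme.lower() == "https" and parts.hostname is not None
            and dns_id_matches(parts.hostname, reference, False))


def check_service_identity(cert: Certificate, reference_host: str,
                           policy: IdentityPolicy,
                           service: str = "_brski-registrar") -> str:
    """Return the identifier type that matched, or raise ValueError.

    RFC 6125 section 6.3: the CN-ID is consulted only when the certificate
    carries no DNS-ID, SRV-ID or URI-ID at all, whatever the policy allows.
    """
    if policy.allow_dns_id and any(
            dns_id_matches(d, reference_host, policy.allow_wildcards) for d in cert.san_dns):
        return "DNS-ID"
    if policy.allow_srv_id and any(
            srv_id_matches(s, reference_host, service) for s in cert.san_srv):
        return "SRV-ID"
    if policy.allow_uri_id and any(uri_id_matches(u, reference_host) for u in cert.san_uri):
        return "URI-ID"
    san_present = bool(cert.san_dns or cert.san_srv or cert.san_uri)
    if (policy.allow_cn_id and not san_present and cert.subject_cn
            and dns_id_matches(cert.subject_cn, reference_host, policy.allow_wildcards)):
        return "CN-ID"
    raise ValueError("certificate does not identify %r under %r" % (reference_host, policy))


def identity_ok(cert: Certificate, reference_host: str, policy: IdentityPolicy,
                service: str = "_brski-registrar") -> Optional[str]:
    """Convenience wrapper: matched identifier type, or None when rejected."""
    try:
        return check_service_identity(cert, reference_host, policy, service)
    except ValueError:
        return None
```

With the default policy a certificate that names the registrar only in its subject CN, or only via a wildcard, is rejected; a manufacturer that wants either behaviour has to say so in its policy, which is the concrete form of the "which identifiers, and are wildcards allowed" question raised above.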