[Anima] Re: Gunter Van de Velde's No Objection on draft-ietf-anima-brski-ae-12: (with COMMENT)

"Gunter van de Velde (Nokia)" <gunter.van_de_velde@nokia.com> Wed, 04 September 2024 08:01 UTC

Return-Path: <gunter.van_de_velde@nokia.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 22684C16942C; Wed, 4 Sep 2024 01:01:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.254
X-Spam-Level:
X-Spam-Status: No, score=-7.254 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.148, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nokia.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wihjOx6bWAfg; Wed, 4 Sep 2024 01:01:49 -0700 (PDT)
Received: from EUR03-DBA-obe.outbound.protection.outlook.com (mail-dbaeur03on2063.outbound.protection.outlook.com [40.107.104.63]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3C8BFC17A743; Wed, 4 Sep 2024 01:01:49 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=UzhWrXjWOQe2iG7kE6I61o/G8KDnXtQfLdQf7AO0fkmEwWoGrf/vza/7/UtGehWMtjfhGb1JVW0HbCh5eYF4dHtzDbMx6uRwTNrdhxuNXe6/v4aPfOatCqDgaaaUeueY4BvQ4lU83gMWo+8AWtBKVD56M3oiqB16NJCbcsYuacpJckngIz/5SqaDk+IVzyZp8PrB1Elg3BRlSR+bhipFXH3HX4feiZQtCUEcD1IKuMxAhFs6/ySghwkAFXZ4Fk7OKizppa+d+bCr5qHwt5nGbIrchUoro593Y7Y3it5Ou4LPx58Hg6oWnq7vo7Ubt/6E5vHECk/HzxO3FIfxlsrnmw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=ZfBrNg2CNgksPYkx1+DMARixJRSuF2kOeewL/JgiVXA=; b=HZy/Ve6Knkhz3fMSJhSSHBK5pCUpSa81oTp9J4THzOWCF+QXW6V2iHmcWQlLzZLAk3TRiHDVzj/dUMEE9ifkrthrddMAh3xp9yajIU+q4GWjYTdnFRtEcDK5g61512fSWJPpFPpv/bTysxqM6CKVJTxVR13Mwha2mWmSs6G0YXeTMrh3rqed5R0itBP2UU3ogByCRmLYbzFtk79rZun6YtjiBNLVzxi0LQdzpJhPePExBeLqA16AEcJfZoOVXGOglKDEmlujIVB7AVJHB0elH3/oOT6LRAeS4xCkLM2S9dxpLeCkSX2ha3LYvIkWja25DkgwFpRmux+uh8rycyauNw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nokia.com; dmarc=pass action=none header.from=nokia.com; dkim=pass header.d=nokia.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nokia.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ZfBrNg2CNgksPYkx1+DMARixJRSuF2kOeewL/JgiVXA=; b=hzhH0Y4qZo6ad90+9CIqPTvMeBB0O9MQPDKYwMiAE1ZMQMLVK3s67s7n0CfjusT4c8DYFdhjbdRNkK4rPNwqj18vZd8Q5TKnx/ZSzhdGXevJTPD7VUoxe9PDceBEw8a82Cel2y1PAii22Oi0N0es5N0yoaHn67J7D7eYkWcP2b6HurqAFvUwA5Ul4btLE9eUWJKdHvNr9b8OIiMC4Nkm7FZFgRsSdR8hSTDWkjdem8sy6jaHdF0jXJlEkQ52h/igeMHlBpPgs1flAdc3EL4MWvOhlPsQNY84EoQb2z8YSqkeSCtyu3dlHEs7FcokPjgDR/fJxE33L2rL8uWfrTQMQQ==
Received: from AS1PR07MB8589.eurprd07.prod.outlook.com (2603:10a6:20b:470::16) by AS8PR07MB7463.eurprd07.prod.outlook.com (2603:10a6:20b:2a5::7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7918.25; Wed, 4 Sep 2024 08:01:45 +0000
Received: from AS1PR07MB8589.eurprd07.prod.outlook.com ([fe80::5ca6:f902:8e31:6f3e]) by AS1PR07MB8589.eurprd07.prod.outlook.com ([fe80::5ca6:f902:8e31:6f3e%7]) with mapi id 15.20.7918.024; Wed, 4 Sep 2024 08:01:45 +0000
From: "Gunter van de Velde (Nokia)" <gunter.van_de_velde@nokia.com>
To: "Fries, Steffen" <steffen.fries@siemens.com>, The IESG <iesg@ietf.org>
Thread-Topic: Gunter Van de Velde's No Objection on draft-ietf-anima-brski-ae-12: (with COMMENT)
Thread-Index: AQHa+pWErA4IhIZSHEGCnD5/9Oq0OrJGUZCAgAD6l6A=
Date: Wed, 04 Sep 2024 08:01:45 +0000
Message-ID: <AS1PR07MB8589110EE306C3E4AF5A877FE09C2@AS1PR07MB8589.eurprd07.prod.outlook.com>
References: <172499229261.191137.10763398291588599827@dt-datatracker-68b7b78cf9-q8rsp> <DB9PR10MB635488683BCC0CA6C07984EDF3932@DB9PR10MB6354.EURPRD10.PROD.OUTLOOK.COM>
In-Reply-To: <DB9PR10MB635488683BCC0CA6C07984EDF3932@DB9PR10MB6354.EURPRD10.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_ActionId=385fe9f5-1c6b-498c-8e99-cdf46f5d5347;MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_ContentBits=0;MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_Enabled=true;MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_Method=Standard;MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_Name=restricted;MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_SetDate=2024-09-03T16:52:32Z;MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_SiteId=38ae3bcd-9579-4fd4-adda-b42e1495d55a;
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=nokia.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: AS1PR07MB8589:EE_|AS8PR07MB7463:EE_
x-ms-office365-filtering-correlation-id: df9873eb-61e6-441b-291a-08dcccb7d21f
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230040|366016|1800799024|376014|38070700018;
x-microsoft-antispam-message-info: 4EUpyfMfrMT4i3OXNYMMbaEMMd1A7FIeSV5ojujYSk8WXxBinG4oj7SX66fX+QNO/JrmyVzR6+KqkOYAOZ/ZiuH9LGLxfmdjPGeMxvDSgXzg+XDxen63Bajvvk0WjfYVKfPP2vzTkS7S/LO7G3nC33dxFg/UlcTb03W4YsFpPf5vfZ3X7fkq4mn5w6KLJDzHWhAGnSTUr01hMGVso7qSds1gvVDQSuEt0ZjDCjxkfQ0LvJfaXHxfXCIhVIyFN0C7BVH73rsrw63z1b4JEuoLoAmRAMBcHzFK9EWrGMR8M93BMfukb0N5mWc5+1DIu2Lllm6buPZ6pK4BEBz3O0+Qm4p2qPrmgOCOU5rWMBWHcjIOfBkmV/h+LmS7f+OWHHaGHTSYNlEsNUUDxw22tZVgmx3tKZz9PBsJhvN3bhob6Xur0nEfhJIYCwSeJSS3wCx1fHCLtNzew/Ju4iezykmUhtSdwaatprI/otXWzVZm+c6TlX9mI3e5+9kG7HBk0eOEIlzTuZB2wOpWlcyXRjts/EVvnmuQXQ16K2SvKSA3mNL6iuTQT1apYwuTld7dkIUZDBeIJJJqboqivUpkklEUoTiFRzTHKzMY7ErB4Hm5WUwn2YQpDYboPz960o3D/PR9NyMr+cO7DodMVNRe8EwrX/bpHTJBTx2rG+Nkl3rq2So/TtOCj/1rgSGxo2oBZwqA8TnGDHlLfm2bE6o2U/e31F+1y8FkNLZAqlDWAWwVvUnMy2snkps/hJl134jZPDKNAtumwriK2vNt0B1jxfzvxV5f3ecG5OmSqb2pGv/VDnjYFDwfuYl5e7dpOy5JaVMmjne5U2d8EP72ORQjfXN2BzzY5uf9naq56hLrM4lbl8/sbv3DK1ZbF2XnefmXKuPmtXgjdbHo1bJwWDi93dYuzMv2paouSTIKc+X5W5y27ry/IbYrC1KU5IXtofdUIWAXTgUAVY2ciXeEdRcUtRv68sYphlewP/plyd+K+nb49IpH/3sZCEZttn/WRVX8Nhl7xJlGRqTFIKJJl3oM2RWRTC15SX3SNSAAF0sOrZnE2HZAvK1zoDnEVx2YwJmzqh+tvGcbDHfLJm913wg4x2Z9JIamQdC6qjQFaKP1E6uGialYDLDDWE8+/u2Zs8P80E1T7vKj3J9opqW+m86+cbdDSYLj7A9YmSmwv5iy3r9pVsiCYa5k5sonnLlIKRMip/1AcWx2hdstDaezoKMF7GQrHpgRc12s1tIJV7+V4+rwK9FJuX9aW8GtBQXF+jSv6rK7V0zqsI6vRJbXJStOfyyOTWCBHl15FNC5P/FYaL5SXpgFEByKXRJ1nPxCz/DHebVJAQWkYCFnJ/kc1Drr4dXou5nUZVATPdz7DSMB286fU7E=
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:AS1PR07MB8589.eurprd07.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(366016)(1800799024)(376014)(38070700018);DIR:OUT;SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: Jh1xB6GvBrHCkaIH4BMmKOCreRzwvWIO1TmyxG7yBPbieh3d0MyWxr9Cucreixbar0NY0ZEPxp57ifvxiY9ISsiUHnJhT0jQ5QZRrDBQ+WE6JX3MbJmp3seiYCMwwT9LA3sNFSQ7NnJI3G7JbJs1QxnsdwjChu4M5gsTHnBjjsj48/+lT3ISZPf3v5mJr7ZbwXKUNJ+CKn0wnrPQPCX3BeM1Dd302dBlCVdspGL23Xe93bCVaDFJZMpIYVtQN6AWH12JF8qQ4Wec+5qnLiSldrBGTL12gC8N+SKoGmPgGC8tbFFOPFu692E9pLB1EwMAWXvXqgaQacEILQqeWi05Jp6RrOM//JdT1qMwgbyQulBY2qTfnry9txdG3K7RygS0k6n+JLLQcxGbJSmXAgxu4uwIxnDIyQl4xMjkV/l+w65tyvC/3Tg1Mqxjfl/ZuwBQmEjT8tO+0EsaAsBikZJUjgbrVhsa2rXG8COzcHLr7KSgyqXW9Ica5dRZiYUgb+lzmUwVzAx9tn+dpuJ+vbp+nc5tOu1jrq9WIalFpRBlsfz/9qonbL9qQQwQyIv8SwUfILISMXyo8Fv8BnG35PgJnLvfU06cLSq7FXhKkvdAvXBiA6fliUFKQmzQRbUdlAgb/gAwdgN54xEC8QIN2H+LAWYfrXmRZISdTSgY+a0Lt+RTDP+hCWrOi0qtp7Lq1c48iT8YWzwQpZltJwQMT2upsHS+60PIrrCHOV8pvFFMCxkJitS/my2btsf4si1nRpEEL03nNFjdSK5FKmTM4TaGHut6zgBqf0HrTFuRzcc97Unh1TKuxdPx5YEcgrxnvWBp05Yc58nUdjD/Y0nbxvIc/4GhxUddlGWR3FSxpFffAmuVyeCVvYk1ZZ1dvajzSliUmvYKriMofcLnuYS2cUqv0iccS8fORDMkRUJlMsY32RZ+414Yq4ObC+RcSEna+itbGEnY+vbDg7GW2+lHrhBwjGwWqCgA9B0JMgK8EVNkjMfpZPet2YVUzjccq088fJNezyKMYcGbD4JqtLFfcNgIG+CLusL9vEMcpItk9ijgjrK68lEyh2i+EJ/xLuuNMtbNMDfyaP4S8rLWcETvew795dxmegCmg+qjQcg1JrTvWwRfzZ8X6itcOjErOwBKY2GifhzDp0izKgv67GHLE91P+d5kYXzXyHSIBQ9Mw/SjyiGw92iP72GWw71qXY4BWLrECfujnniJkdyIcEjdF3UhYbqT4C2TwPQNAPx4J6WEA6RENuX5lQEa9gKBS5MfZ3PMRb0mpBd8cWBFS7AaV79JXAWf9F6mvqQ5JouEbRNeL+E2185N4jMiXVWhxv8eGjz/hrnoZRtPyo6rwjrnUmNVQcTZb3LlTBtu0fQ2W7g7CyjfS0lVtGKI7jjIc9XCBdB989TrMm6MA0jZAJ7Uepegn2zsOFxvkXXlD4+yVvZIzYjVbBSXkT+AHqVDOuEaoJeGZAsajyRsSgMY3e4FJN9yiXeT0bB4pzgeTwIgUnd+eheiTOS3vg5jzrV361Sz9Fi3xQQJYF5v4q0uXHOOhDTXa2hK4n9PiOOHsl8hBpSvH0IvvOPw2owwcg3ufXn52GQFmpwU2ijZTxGikyQ07Z5uJfbV41o7Wu/CPbeR7oaGYi4MG8rT/yw+kL1kDfLv7wm7wPsuErRraQrrK/3LelYi/A==
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: nokia.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AS1PR07MB8589.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: df9873eb-61e6-441b-291a-08dcccb7d21f
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Sep 2024 08:01:45.5789 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5d471751-9675-428d-917b-70f44f9630b0
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: ZvvCi7vkHdS17rTQ5nKej9Y1NAFHVq2Kp736jVafVJaamJKW+oNkAusx6hZYZuZmgeIAivvaM8RmfKhr5NVjs6YRMA5D4qV2dKwDWXxvLho=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS8PR07MB7463
Message-ID-Hash: XCBLEPFR6O53CM42H5SXD4V4W5UUJPVP
X-Message-ID-Hash: XCBLEPFR6O53CM42H5SXD4V4W5UUJPVP
X-MailFrom: gunter.van_de_velde@nokia.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-anima.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "draft-ietf-anima-brski-ae@ietf.org" <draft-ietf-anima-brski-ae@ietf.org>, "anima-chairs@ietf.org" <anima-chairs@ietf.org>, "anima@ietf.org" <anima@ietf.org>, "tte@cs.fau.de" <tte@cs.fau.de>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Anima] Re: Gunter Van de Velde's No Objection on draft-ietf-anima-brski-ae-12: (with COMMENT)
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/U_vkwHYeFrqs3sycZcWbp2qHIXw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Owner: <mailto:anima-owner@ietf.org>
List-Post: <mailto:anima@ietf.org>
List-Subscribe: <mailto:anima-join@ietf.org>
List-Unsubscribe: <mailto:anima-leave@ietf.org>

Thanks Steffen.

Be well,
G/

-----Original Message-----
From: Fries, Steffen <steffen.fries@siemens.com> 
Sent: Tuesday, September 3, 2024 7:05 PM
To: Gunter van de Velde (Nokia) <gunter.van_de_velde@nokia.com>; The IESG <iesg@ietf.org>
Cc: draft-ietf-anima-brski-ae@ietf.org; anima-chairs@ietf.org; anima@ietf.org; tte@cs.fau.de
Subject: RE: Gunter Van de Velde's No Objection on draft-ietf-anima-brski-ae-12: (with COMMENT)

[You don't often get email from steffen.fries@siemens.com. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ]

CAUTION: This is an external email. Please be very careful when clicking links or opening attachments. See the URL nok.it/ext for additional information.



Hi Gunter,

Thank you for your feedback. They certainly increase clarity of several statement in the draft.
We provided some specific reactions inline mainly to the major comment and to some of the minor comments. Most of the minor comments are straight forward and we will take the them into account to improve clarity and understanding in the next version of the document.

Best regards
Steffen.

> -----Original Message-----
> From: Gunter Van de Velde via Datatracker <noreply@ietf.org>
> Sent: Friday, August 30, 2024 6:32 AM
> To: The IESG <iesg@ietf.org>
> Cc: draft-ietf-anima-brski-ae@ietf.org; anima-chairs@ietf.org; 
> anima@ietf.org; tte@cs.fau.de; tte@cs.fau.de
> Subject: Gunter Van de Velde's No Objection on 
> draft-ietf-anima-brski-ae-12: (with
> COMMENT)
>
> Gunter Van de Velde has entered the following ballot position for
> draft-ietf-anima-brski-ae-12: No Objection
>
> When responding, please keep the subject line intact and reply to all 
> email addresses included in the To and CC lines. (Feel free to cut 
> this introductory paragraph, however.)
>
>
> Please refer to
> https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.
> ietf.org%2F&data=05%7C02%7Cgunter.van_de_velde%40nokia.com%7Ccbaac8746
> c09445dd47708dccc3a81dd%7C5d4717519675428d917b70f44f9630b0%7C0%7C0%7C6
> 38609798892322740%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoi
> V2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=CvuDvH9jT%2B
> %2BXcduG48sDmD530DtmEokATFODLFn4kuc%3D&reserved=0
> %2Fabout%2Fgroups%2Fiesg%2Fstatements%2Fhandling-ballot-
> positions%2F&data=05%7C02%7Csteffen.fries%40siemens.com%7C3751aac2dd
> be45f8167c08dcc8aca1c4%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%
> 7C638605891000583633%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMD
> AiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata
> =f%2FDuCh4ZKKn6sjH3KeLeRqjUU7i%2BroDEP2zzamCTRJk%3D&reserved=0
> for more information about how to handle DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdata
> tracker.i%2F&data=05%7C02%7Cgunter.van_de_velde%40nokia.com%7Ccbaac874
> 6c09445dd47708dccc3a81dd%7C5d4717519675428d917b70f44f9630b0%7C0%7C0%7C
> 638609798892335324%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjo
> iV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=dltr%2F%2BI
> 1xVNqYU%2Bma0gCP2MgxkdKiLNZCxYAMZdRkzs%3D&reserved=0
> etf.org%2Fdoc%2Fdraft-ietf-anima-brski-
> ae%2F&data=05%7C02%7Csteffen.fries%40siemens.com%7C3751aac2ddbe45f81
> 67c08dcc8aca1c4%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C6386
> 05891000595002%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIj
> oiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=XrqJC
> 50D331eGQ%2FMrMOXgh3OJiKxRxaSvT7lB1okco4%3D&reserved=0
>
>
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> # Gunter Van de Velde, RTG AD, comments for 
> draft-ietf-anima-brski-ae-12
>
> #GENERIC COMMENTS
> #================
> ## The text contains many acronyms making it not easy to digest when 
> not familiar with ANIMA technology. (i am not that familiar with 
> ANIMA)
>
> ## I provided a few rewrites of text to help the structure and 
> simplify reading the content, while keeping the original message, and 
> hope it helps improve document quality
>
> #DETAILED COMMENTS
> #=================
> ##classified as [minor] and [major]
>
> 11      Abstract
> 12
> 13         This document defines an enhancement of Bootstrapping Remote Secure
> 14         Key Infrastructure (BRSKI, RFC 8995).  It supports alternative
> 15         certificate enrollment protocols, such as CMP, that use authenticated
> 16         self-contained signed objects for certification messages.
>
> [minor]
> Possibly we could make the abstract slightly higher level to describe 
> the content of the draft. What about the following proposed alternative abstract:
>
> "
> This document defines enhancements to the Bootstrapping Remote Secure 
> Key Infrastructure (BRSKI) protocol, known as BRSKI-AE (Alternative Enrollment).
> BRSKI-AE extends BRSKI to support alternative enrollment mechanisms 
> beyond those originally specified, allowing for flexibility in network 
> device onboarding scenarios. The enhancements address use cases where 
> the existing BRSKI mechanisms may not be feasible or optimal, 
> providing a framework for integrating other automated bootstrapping 
> and enrollment techniques. This document also updates the BRSKI 
> reference architecture to accommodate these alternative methods, 
> ensuring secure and scalable deployment across a range of network environments. "
[stf] the proposal reads fine from my point of view. We may add a statement that the draft also defines one specific approach leveraging the introduced flexibility using CMP.

>
> 106        This approach provides the following advantages.  The origin of
> 107        requests and responses can be authenticated independent of message
> 108        transfer.  This supports end-to-end authentication (proof of origin)
> 109        also over multiple hops, as well as asynchronous operation of
> 110        certificate enrollment.  This in turn provides architectural
> 111        flexibility where and when to ultimately authenticate and authorize
> 112        certification requests while retaining full-strength integrity and
> 113        authenticity of certification requests.
>
> [major]
> I am not sure what is the correlation between (proof of origin) and 
> "end-to-end authentication". Why is the prrof of origin between brakets?
[stf] Proposal text for clarification as replacement:
OLD
  This supports end-to-end authentication (proof of origin)

NEW
  This supports end-to-end authentication (i.e., end-to-end proof of origin)

>
> [minor]
> I found this paragraph unfortunatly strucured. What about following proposal:
>
> "
> This approach offers several distinct advantages. It allows for the 
> authentication of the origin of requests and responses independently 
> of the message transfer mechanism. This capability facilitates 
> end-to-end authentication (proof of origin) across multiple hops and 
> supports the asynchronous operation of certificate enrollment. 
> Consequently, this provides architectural flexibility in determining 
> the location and timing for the ultimate authentication and 
> authorization of certification requests, while ensuring the integrity 
> and authenticity of those requests is maintained with full cryptographic strength. "
[stf] Your proposal already includes a formulation addressing your major point above. We will take the whole paragraph into consideration when updating this part.

>
> 137        The goals of BRSKI-AE are to provide an enhancement of BRSKI for
> 138        LDevID certificate enrollment using, alternatively to EST, a protocol
> 139        that
> 140
> 141        *  supports end-to-end authentication over multiple hops
> 142
> 143        *  enables secure message exchange over any kind of transfer,
> 144           including asynchronous delivery.
> 145
> 146        Note that the BRSKI voucher exchange of the pledge with the registrar
> 147        and MASA uses authenticated self-contained objects, so the voucher
> 148        exchange already has these properties.
> 149
> 150        The well-known URI approach of BRSKI and EST messages is extended
> 151        with an additional path element indicating the enrollment protocol
> 152        being used.
> 153
> 154        Based on the definition of the overall approach and specific
> 155        endpoints, this specification enables the registrar to offer multiple
> 156        enrollment protocols, from which pledges and their developers can
> 157        then pick the most suitable one.
> 158
> 159        It may be noted that BRSKI (RFC 8995) specifies how to use HTTP over
> 160        TLS, but further variants are known, such as Constrained BRSKI
> 161        [I-D.ietf-anima-constrained-voucher] using CoAP over DTLS.  In the
> 162        sequel, 'HTTP' and 'TLS' are just references to the most common case,
> 163        where variants such as using CoAP and/or DTLS are meant to be
> 164        subsumed - the differences are not relevant here.
> 165
> 166        This specification is sufficient together with its references to
> 167        support BRSKI with the Certificate Management Protocol (CMP,
> 168        [RFC9480]) profiled in the Lightweight CMP Profile (LCMPP,
> 169        [RFC9483]).  Combining BRSKI with a protocol or profile other than
> 170        LCMPP will require additional IANA registrations based on the rules
> 171        specified in this document.  It may also require additional
> 172        specifications for details of the protocol or profile (similar to
> 173        [RFC9483]), which are outside the scope of this document.
>
> [minor]
> A possible alternate rewrite to make the text easier to read:
>
> "
> The objectives of BRSKI-AE are to enhance BRSKI by enabling LDevID 
> certificate enrollment through the use of an alternative protocol to EST, which:
>
> * Supports end-to-end authentication across multiple hops.
> * Facilitates secure message exchange over any type of transfer 
> mechanism, including asynchronous delivery.
>
> It should be noted that the BRSKI voucher exchange between the pledge, 
> registrar, and MASA involves the use of authenticated self-contained 
> objects, which inherently possess these properties.
>
> The existing well-known URI structure used for BRSKI and EST messages 
> is extended by introducing an additional path element that specifies 
> the enrollment protocol being employed.
>
> This specification allows the registrar to offer multiple enrollment 
> protocols, enabling pledges and their developers to select the most 
> appropriate one based on the defined overall approach and specific endpoints.
>
> It is important to recognize that BRSKI (RFC 8995) specifies the use 
> of HTTP over TLS, but variations such as Constrained BRSKI 
> [I-D.ietf-anima-constrained-voucher], which uses CoAP over DTLS, are 
> also recognized. In this context, 'HTTP' and 'TLS' are used as 
> references to the most common implementation, though variants using 
> CoAP and/or DTLS are implied where applicable, as the distinctions are 
> not pertinent here.
>
> This specification, together with its referenced documents, is 
> sufficient to support BRSKI with the Certificate Management Protocol 
> (CMP, [RFC9480]) as profiled in the Lightweight CMP Profile (LCMPP, 
> [RFC9483]). Integrating BRSKI with a protocol or profile other than 
> LCMPP will necessitate additional IANA registrations, as detailed in 
> this document. Furthermore, additional specifications may be required 
> for the details of the protocol or profile, which fall outside the scope of this document. "
>
> 175     1.1.  Supported Scenarios
> 176
> 177        BRSKI-AE is intended to be used in situations like the following.
> 178
> 179        *  Pledges and/or the target domain reuse an already established
> 180           certificate enrollment protocol different from EST, such as CMP.
> 181
> 182        *  The application scenario indirectly excludes the use of EST for
> 183           certificate enrollment, for reasons like these:
> 184
> 185           -  The Registration Authority (RA) is not co-located with the
> 186              registrar while it requires end-to-end authentication of
> 187              requesters.  Yet EST does not support end-to-end authentication
> 188              over multiple hops.
> 189
> 190           -  The RA or certification authority (CA) operator requires
> 191              auditable proof of origin for Certificate Signing Requests
> 192              (CSRs).  This is not possible with TLS because it provides only
> 193              transient source authentication.
> 184
> 195           -  Certificates are requested for types of keys, such as Key
> 196              Encapsulation Mechanism (KEM) keys, that do not support signing
> 197              (nor alternative forms of single-shot proof of possession like
> 198              those described in [RFC6955]).  This is not supported by EST
> 199              because it uses CSRs in PKCS #10 [RFC2986] format, which can
> 200              only use proof-of-possession methods that need just a single
> 201              message, while proof of possession for KEM keys, for instance,
> 202              requires receiving a fresh challenge value beforehand.
> 203
> 204           -  The pledge implementation uses security libraries not providing
> 205              EST support or uses a TLS library that does not support
> 206              providing the so-called tls-unique value [RFC5929], which is
> 207              needed by EST for strong binding of the source authentication.
> 208
> 209        *  No full RA functionality is available on-site in the target
> 210           domain, while connectivity to an off-site RA may be intermittent
> 211           or entirely offline.
> 212
> 213        *  Authoritative actions of a local RA at the registrar is not
> 214           sufficient for fully and reliably authorizing pledge certification
> 215           requests.  This may be due to missing data access or due to an
> 216           insufficient level of security, for instance regarding the local
> 217           storage of private keys.
> 217
> 219        Bootstrapping can be handled in various ways, depending on the
> 220        application domains.  The informative Appendix A provides
> 221        illustrative examples from various industrial control system
> 222        environments and operational setups motivating the support of
> 223        alternative enrollment protocols.
>
> [minor]
> possible rewrite for readability
>
> "
> BRSKI-AE is designed for use in scenarios such as the following:
>
> * Pledges and/or the target domain leverage an existing certificate 
> enrollment protocol other than EST, such as CMP.
>
> * The application context precludes the use of EST for certificate 
> enrollment due to factors such as:
>
>     - The Registration Authority (RA) is not co-located with the registrar and
>     requires end-to-end authentication of requesters, which EST does not
>     support over multiple hops.
>
>     - The RA or Certification Authority (CA) operator mandates auditable proof
>     of origin for Certificate Signing Requests (CSRs), which cannot be provided
>     by TLS as it only offers transient source authentication.
>
>     - Certificates are required for key types, such as Key Encapsulation
>     Mechanism (KEM) keys, that do not support signing or other single-shot
>     proof of possession methods, as described in [RFC6955]. EST, which relies
>     on CSRs in PKCS #10 [RFC2986] format, does not accommodate these 
> key types
>     because it necessitates proof-of-possession methods that operate within a
>     single message, whereas proof of possession for KEM keys requires prior
>     receipt of a fresh challenge value.
>
>     - The pledge implementation employs security libraries that do not support
>     EST or uses a TLS library lacking support for the "tls-unique" value
>     [RFC5929], which EST requires for the strong binding of source
>     authentication.
>
> * Full RA functionality is not available on-site within the target 
> domain, and connectivity to an off-site RA may be intermittent or entirely offline.
>
> * Authoritative actions by a local RA at the registrar are 
> insufficient for fully and reliably authorizing pledge certification 
> requests, potentially due to a lack of access to necessary data or 
> inadequate security measures, such as the local storage of private keys.
>
> Bootstrapping may be managed in various ways depending on the 
> application domain. Appendix A provides illustrative examples from 
> different industrial control system environments and operational 
> contexts that justify the support of alternative enrollment protocols. "
>
> 258        CSR:  Certificate Signing Request
>
> [minor]
> other entries have a RFC associated as reference, but this one has 
> not? Is that intentional?
>
> 847        BRSKI-AE provides generalizations to the addressing scheme defined in
> 848        BRSKI [RFC8995], Section 5 to accommodate alternative enrollment
> 849        protocols that use authenticated self-contained objects for
> 850        certification requests.  In existing RAs/CAs supporting such an
> 851        enrollment protocol (see also Section 5), these generalizations can
> 852        be employed without modifications.
>
> [minor]
> This seems to read odd. What about the following alternative:
>
> "
> BRSKI-AE extends the addressing scheme outlined in [RFC8995], Section 
> 5, to support alternative enrollment protocols that utilize 
> authenticated, self-contained objects for certification requests. 
> These extensions are designed to be compatible with existing 
> Registration Authorities (RAs) and Certification Authorities (CAs) 
> that already support such enrollment protocols, enabling their use without requiring any modifications. "
>
> 921     5.1.  BRSKI-CMP: BRSKI-AE instantiated with CMP
> 922
> 923        Instead of referring to CMP as specified in [RFC4210] and [RFC9480],
> 924        this document refers to the Lightweight CMP Profile (LCMPP) [RFC9483]
> 925        because the subset of CMP defined there is sufficient for the
> 926        functionality needed here.
> 927
> 928        When using CMP, adherence to the LCMPP [RFC9483] is REQUIRED.  In
> 929        particular, the following specific requirements apply (cf.
> 930        Figure 2).
> 931
> 932        *  CA Certs Request (1) and Response (2):
> 933           Requesting CA certificates is OPTIONAL.
> 934           If supported, it SHALL be implemented as specified in [RFC9483],
> 935           Section 4.3.1.
> 936
> 937        *  Attribute Request (3) and Response (4):
> 938           Requesting certification request attributes is OPTIONAL.
> 939           If supported, it SHALL be implemented as specified in [RFC9483],
> 940           Section 4.3.3.
> 941
> 942           Alternatively, the registrar MAY modify the contents of the
> 943           requested certificate contents as specified in [RFC9483],
> 944           Section 5.2.3.2.
> 945
> 946        *  Certification Request (5) and Response (6):
> 947           Certificates SHALL be requested and provided as specified in the
> 948           LCMPP [RFC9483], Section 4.1.1 (based on CRMF) or [RFC9483],
> 949           Section 4.1.4 (based on PKCS #10).
> 950
> 951           Proof of possession SHALL be provided in a way suitable for the
> 952           key type.  Proof of identity SHALL be provided by signature-based
> 953           protection of the certification request message as outlined in
> 954           [RFC9483], Section 3.2 using the IDevID secret.
> 955
> 956           When the registrar forwards a certification request by the pledge
> 957           to a backend RA/CA, the registrar is RECOMMENDED to wrap the
> 958           original certification request in a nested message signed with its
> 959           own credentials as described in [RFC9483], Section 5.2.2.1.  This
> 960           explicitly conveys the consent by the registrar to the RA while
> 961           retaining the original certification request message with its
> 962           proof of origin provided by the pledge signature.
> 963
> 964           In case additional trust anchors (besides the pinned-domain-cert)
> 965           need to be conveyed to the pledge, this SHOULD be done in the
> 966           caPubs field of the certification response rather than in a CA
> 967           Certs Response.
> 968
> 969        *  Certificate Confirm (7) and PKI/Registrar Confirm (8):
> 970           Explicit confirmation of new certificates to the RA/CA MAY be used
> 971           as specified in [RFC9483], Section 4.1.1.
> 972
> 973           Note that independently of the certificate confirmation within
> 974           CMP, enrollment status telemetry with the registrar at BRSKI level
> 975           will be performed as described in [RFC8995], Section 5.9.4.
> 976
> 977        *  If delayed delivery of CMP messages is needed (for instance, to
> 978           support enrollment over an asynchronous channel), it SHALL be
> 979           performed as specified in Section 4.4 and Section 5.1.2 of
> 980           [RFC9483].
> 981
> 982        How messages are exchanged between the registrar and backend PKI
> 983        components (i.e., RA and/or CA) is out of scope of this document.
> 984        Since CMP is independent of message transfer, the mechanism for this
> 985        exchange can be freely chosen according to the needs of the
> 986        application scenario.  For the applicable security considerations,
> 987        see Section 7.  Further guidance can be found in [RFC9483],
> 988        Section 6.
> 989
> 990        BRSKI-AE with CMP can also be combined with Constrained BRSKI
> 991        [I-D.ietf-anima-constrained-voucher], using CoAP for enrollment
> 992        message transport as described by CoAP Transport for CMP [RFC9482].
> 993        In this scenario, the EST-specific parts of
> 994        [I-D.ietf-anima-constrained-voucher] do not apply.
> 995
> 996        For BRSKI-AE scenarios where a general solution (cf.  Section 4.2.1)
> 997        for discovering registrars with CMP support is not available, the
> 998        following minimalist approach MAY be used.  Perform discovery as
> 999        defined in BRSKI [RFC8995], Appendix B but using the service name
> 1000       "brski-registrar-cmp" (defined in Section 6) instead of "brski-
> 1001       registrar" (defined in [RFC8995], Section 8.6).  Note that this
> 1002       approach does not support join proxies.
>
> [minor]
> proposed readability rewrite:
>
> "
> In this document, references to CMP follow the Lightweight CMP Profile 
> (LCMPP) [RFC9483] rather than [RFC4210] and [RFC9480], as the subset 
> of CMP defined in LCMPP sufficiently meets the required functionality.
>
> Adherence to the LCMPP [RFC9483] is REQUIRED when using CMP. The 
> following specific requirements apply (refer to Figure 2):
>
>   * CA Certificates Request (1) and Response (2): Requesting CA certificates is
>   OPTIONAL. If supported, it SHALL be implemented as specified in [RFC9483],
>   Section 4.3.1.
>
>   * Attribute Request (3) and Response (4): Requesting certification request
>   attributes is OPTIONAL. If supported, it SHALL be implemented as specified in
>   [RFC9483], Section 4.3.3.
>
>   Alternatively, the registrar MAY modify the requested certificate contents as
>   specified in [RFC9483], Section 5.2.3.2.
>
>   * Certification Request (5) and Response (6): Certificates SHALL be requested
>   and provided as specified in LCMPP [RFC9483], Section 4.1.1 (based on CRMF)
>   or Section 4.1.4 (based on PKCS #10).
>
>   Proof of possession SHALL be provided in a manner suitable for the key type.
>   Proof of identity SHALL be provided by signature-based protection of the
>   certification request message as outlined in [RFC9483], Section 3.2, using
>   the IDevID secret.
>
>   When the registrar forwards a certification request from the pledge to a
>   backend RA/CA, it is RECOMMENDED that the registrar wraps the original
>   certification request in a nested message signed with its own credentials, as
>   described in [RFC9483], Section 5.2.2.1. This approach explicitly conveys the
>   registrar's consent to the RA while retaining the original certification
>   request with the proof of origin provided by the pledge's signature.
>
>   If additional trust anchors, beyond the pinned-domain-cert, need to be
>   conveyed to the pledge, this SHOULD be done in the caPubs field of the
>   certification response rather than through a CA Certificates Response.
>
>   * Certificate Confirm (7) and PKI/Registrar Confirm (8): Explicit
>   confirmation of new certificates to the RA/CA MAY be used as specified in
>   [RFC9483], Section 4.1.1.
>
>   Note that independent of certificate confirmation within CMP, enrollment
>   status telemetry with the registrar at the BRSKI level will be performed as
>   described in [RFC8995], Section 5.9.4.
>
>   * If delayed delivery of CMP messages is required (e.g., to support
>   enrollment over an asynchronous channel), it SHALL be performed as specified
>   in Section 4.4 and Section 5.1.2 of [RFC9483].
>
> The mechanisms for exchanging messages between the registrar and 
> backend PKI components (i.e., RA and/or CA) are outside the scope of 
> this document. CMP's independence from the message transfer mechanism 
> allows for flexibility in choosing the appropriate exchange method 
> based on the application scenario. For applicable security 
> considerations, refer to Section 7. Further guidance can be found in [RFC9483], Section 6.
>
> BRSKI-AE with CMP can also be combined with Constrained BRSKI 
> [I-D.ietf-anima-constrained-voucher], using CoAP for enrollment 
> message transport as described by CoAP Transport for CMP [RFC9482]. In 
> such scenarios, the EST-specific parts of [I-D.ietf-anima-constrained-voucher] do not apply.
>
> For BRSKI-AE scenarios where a general solution for discovering 
> registrars with CMP support is not available (cf. Section 4.2.1), the 
> following minimalist approach MAY be used: perform discovery as 
> defined in BRSKI [RFC8995], Appendix B, but use the service name 
> "brski-registrar-cmp" (as defined in Section 6) instead of 
> "brski-registrar" (as defined in [RFC8995], Section 8.6). Note that 
> this approach does not support join proxies. "
>
>