[Anima] Re: Gunter Van de Velde's No Objection on draft-ietf-anima-brski-ae-12: (with COMMENT)
"Gunter van de Velde (Nokia)" <gunter.van_de_velde@nokia.com> Wed, 04 September 2024 08:01 UTC
Return-Path: <gunter.van_de_velde@nokia.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 22684C16942C; Wed, 4 Sep 2024 01:01:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.254
X-Spam-Level:
X-Spam-Status: No, score=-7.254 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.148, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nokia.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wihjOx6bWAfg; Wed, 4 Sep 2024 01:01:49 -0700 (PDT)
Received: from EUR03-DBA-obe.outbound.protection.outlook.com (mail-dbaeur03on2063.outbound.protection.outlook.com [40.107.104.63]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3C8BFC17A743; Wed, 4 Sep 2024 01:01:49 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=UzhWrXjWOQe2iG7kE6I61o/G8KDnXtQfLdQf7AO0fkmEwWoGrf/vza/7/UtGehWMtjfhGb1JVW0HbCh5eYF4dHtzDbMx6uRwTNrdhxuNXe6/v4aPfOatCqDgaaaUeueY4BvQ4lU83gMWo+8AWtBKVD56M3oiqB16NJCbcsYuacpJckngIz/5SqaDk+IVzyZp8PrB1Elg3BRlSR+bhipFXH3HX4feiZQtCUEcD1IKuMxAhFs6/ySghwkAFXZ4Fk7OKizppa+d+bCr5qHwt5nGbIrchUoro593Y7Y3it5Ou4LPx58Hg6oWnq7vo7Ubt/6E5vHECk/HzxO3FIfxlsrnmw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=ZfBrNg2CNgksPYkx1+DMARixJRSuF2kOeewL/JgiVXA=; b=HZy/Ve6Knkhz3fMSJhSSHBK5pCUpSa81oTp9J4THzOWCF+QXW6V2iHmcWQlLzZLAk3TRiHDVzj/dUMEE9ifkrthrddMAh3xp9yajIU+q4GWjYTdnFRtEcDK5g61512fSWJPpFPpv/bTysxqM6CKVJTxVR13Mwha2mWmSs6G0YXeTMrh3rqed5R0itBP2UU3ogByCRmLYbzFtk79rZun6YtjiBNLVzxi0LQdzpJhPePExBeLqA16AEcJfZoOVXGOglKDEmlujIVB7AVJHB0elH3/oOT6LRAeS4xCkLM2S9dxpLeCkSX2ha3LYvIkWja25DkgwFpRmux+uh8rycyauNw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nokia.com; dmarc=pass action=none header.from=nokia.com; dkim=pass header.d=nokia.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nokia.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ZfBrNg2CNgksPYkx1+DMARixJRSuF2kOeewL/JgiVXA=; b=hzhH0Y4qZo6ad90+9CIqPTvMeBB0O9MQPDKYwMiAE1ZMQMLVK3s67s7n0CfjusT4c8DYFdhjbdRNkK4rPNwqj18vZd8Q5TKnx/ZSzhdGXevJTPD7VUoxe9PDceBEw8a82Cel2y1PAii22Oi0N0es5N0yoaHn67J7D7eYkWcP2b6HurqAFvUwA5Ul4btLE9eUWJKdHvNr9b8OIiMC4Nkm7FZFgRsSdR8hSTDWkjdem8sy6jaHdF0jXJlEkQ52h/igeMHlBpPgs1flAdc3EL4MWvOhlPsQNY84EoQb2z8YSqkeSCtyu3dlHEs7FcokPjgDR/fJxE33L2rL8uWfrTQMQQ==
Received: from AS1PR07MB8589.eurprd07.prod.outlook.com (2603:10a6:20b:470::16) by AS8PR07MB7463.eurprd07.prod.outlook.com (2603:10a6:20b:2a5::7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7918.25; Wed, 4 Sep 2024 08:01:45 +0000
Received: from AS1PR07MB8589.eurprd07.prod.outlook.com ([fe80::5ca6:f902:8e31:6f3e]) by AS1PR07MB8589.eurprd07.prod.outlook.com ([fe80::5ca6:f902:8e31:6f3e%7]) with mapi id 15.20.7918.024; Wed, 4 Sep 2024 08:01:45 +0000
From: "Gunter van de Velde (Nokia)" <gunter.van_de_velde@nokia.com>
To: "Fries, Steffen" <steffen.fries@siemens.com>, The IESG <iesg@ietf.org>
Thread-Topic: Gunter Van de Velde's No Objection on draft-ietf-anima-brski-ae-12: (with COMMENT)
Thread-Index: AQHa+pWErA4IhIZSHEGCnD5/9Oq0OrJGUZCAgAD6l6A=
Date: Wed, 04 Sep 2024 08:01:45 +0000
Message-ID: <AS1PR07MB8589110EE306C3E4AF5A877FE09C2@AS1PR07MB8589.eurprd07.prod.outlook.com>
References: <172499229261.191137.10763398291588599827@dt-datatracker-68b7b78cf9-q8rsp> <DB9PR10MB635488683BCC0CA6C07984EDF3932@DB9PR10MB6354.EURPRD10.PROD.OUTLOOK.COM>
In-Reply-To: <DB9PR10MB635488683BCC0CA6C07984EDF3932@DB9PR10MB6354.EURPRD10.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_ActionId=385fe9f5-1c6b-498c-8e99-cdf46f5d5347;MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_ContentBits=0;MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_Enabled=true;MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_Method=Standard;MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_Name=restricted;MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_SetDate=2024-09-03T16:52:32Z;MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_SiteId=38ae3bcd-9579-4fd4-adda-b42e1495d55a;
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=nokia.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: AS1PR07MB8589:EE_|AS8PR07MB7463:EE_
x-ms-office365-filtering-correlation-id: df9873eb-61e6-441b-291a-08dcccb7d21f
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230040|366016|1800799024|376014|38070700018;
x-microsoft-antispam-message-info: 4EUpyfMfrMT4i3OXNYMMbaEMMd1A7FIeSV5ojujYSk8WXxBinG4oj7SX66fX+QNO/JrmyVzR6+KqkOYAOZ/ZiuH9LGLxfmdjPGeMxvDSgXzg+XDxen63Bajvvk0WjfYVKfPP2vzTkS7S/LO7G3nC33dxFg/UlcTb03W4YsFpPf5vfZ3X7fkq4mn5w6KLJDzHWhAGnSTUr01hMGVso7qSds1gvVDQSuEt0ZjDCjxkfQ0LvJfaXHxfXCIhVIyFN0C7BVH73rsrw63z1b4JEuoLoAmRAMBcHzFK9EWrGMR8M93BMfukb0N5mWc5+1DIu2Lllm6buPZ6pK4BEBz3O0+Qm4p2qPrmgOCOU5rWMBWHcjIOfBkmV/h+LmS7f+OWHHaGHTSYNlEsNUUDxw22tZVgmx3tKZz9PBsJhvN3bhob6Xur0nEfhJIYCwSeJSS3wCx1fHCLtNzew/Ju4iezykmUhtSdwaatprI/otXWzVZm+c6TlX9mI3e5+9kG7HBk0eOEIlzTuZB2wOpWlcyXRjts/EVvnmuQXQ16K2SvKSA3mNL6iuTQT1apYwuTld7dkIUZDBeIJJJqboqivUpkklEUoTiFRzTHKzMY7ErB4Hm5WUwn2YQpDYboPz960o3D/PR9NyMr+cO7DodMVNRe8EwrX/bpHTJBTx2rG+Nkl3rq2So/TtOCj/1rgSGxo2oBZwqA8TnGDHlLfm2bE6o2U/e31F+1y8FkNLZAqlDWAWwVvUnMy2snkps/hJl134jZPDKNAtumwriK2vNt0B1jxfzvxV5f3ecG5OmSqb2pGv/VDnjYFDwfuYl5e7dpOy5JaVMmjne5U2d8EP72ORQjfXN2BzzY5uf9naq56hLrM4lbl8/sbv3DK1ZbF2XnefmXKuPmtXgjdbHo1bJwWDi93dYuzMv2paouSTIKc+X5W5y27ry/IbYrC1KU5IXtofdUIWAXTgUAVY2ciXeEdRcUtRv68sYphlewP/plyd+K+nb49IpH/3sZCEZttn/WRVX8Nhl7xJlGRqTFIKJJl3oM2RWRTC15SX3SNSAAF0sOrZnE2HZAvK1zoDnEVx2YwJmzqh+tvGcbDHfLJm913wg4x2Z9JIamQdC6qjQFaKP1E6uGialYDLDDWE8+/u2Zs8P80E1T7vKj3J9opqW+m86+cbdDSYLj7A9YmSmwv5iy3r9pVsiCYa5k5sonnLlIKRMip/1AcWx2hdstDaezoKMF7GQrHpgRc12s1tIJV7+V4+rwK9FJuX9aW8GtBQXF+jSv6rK7V0zqsI6vRJbXJStOfyyOTWCBHl15FNC5P/FYaL5SXpgFEByKXRJ1nPxCz/DHebVJAQWkYCFnJ/kc1Drr4dXou5nUZVATPdz7DSMB286fU7E=
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:AS1PR07MB8589.eurprd07.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(366016)(1800799024)(376014)(38070700018);DIR:OUT;SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: Jh1xB6GvBrHCkaIH4BMmKOCreRzwvWIO1TmyxG7yBPbieh3d0MyWxr9Cucreixbar0NY0ZEPxp57ifvxiY9ISsiUHnJhT0jQ5QZRrDBQ+WE6JX3MbJmp3seiYCMwwT9LA3sNFSQ7NnJI3G7JbJs1QxnsdwjChu4M5gsTHnBjjsj48/+lT3ISZPf3v5mJr7ZbwXKUNJ+CKn0wnrPQPCX3BeM1Dd302dBlCVdspGL23Xe93bCVaDFJZMpIYVtQN6AWH12JF8qQ4Wec+5qnLiSldrBGTL12gC8N+SKoGmPgGC8tbFFOPFu692E9pLB1EwMAWXvXqgaQacEILQqeWi05Jp6RrOM//JdT1qMwgbyQulBY2qTfnry9txdG3K7RygS0k6n+JLLQcxGbJSmXAgxu4uwIxnDIyQl4xMjkV/l+w65tyvC/3Tg1Mqxjfl/ZuwBQmEjT8tO+0EsaAsBikZJUjgbrVhsa2rXG8COzcHLr7KSgyqXW9Ica5dRZiYUgb+lzmUwVzAx9tn+dpuJ+vbp+nc5tOu1jrq9WIalFpRBlsfz/9qonbL9qQQwQyIv8SwUfILISMXyo8Fv8BnG35PgJnLvfU06cLSq7FXhKkvdAvXBiA6fliUFKQmzQRbUdlAgb/gAwdgN54xEC8QIN2H+LAWYfrXmRZISdTSgY+a0Lt+RTDP+hCWrOi0qtp7Lq1c48iT8YWzwQpZltJwQMT2upsHS+60PIrrCHOV8pvFFMCxkJitS/my2btsf4si1nRpEEL03nNFjdSK5FKmTM4TaGHut6zgBqf0HrTFuRzcc97Unh1TKuxdPx5YEcgrxnvWBp05Yc58nUdjD/Y0nbxvIc/4GhxUddlGWR3FSxpFffAmuVyeCVvYk1ZZ1dvajzSliUmvYKriMofcLnuYS2cUqv0iccS8fORDMkRUJlMsY32RZ+414Yq4ObC+RcSEna+itbGEnY+vbDg7GW2+lHrhBwjGwWqCgA9B0JMgK8EVNkjMfpZPet2YVUzjccq088fJNezyKMYcGbD4JqtLFfcNgIG+CLusL9vEMcpItk9ijgjrK68lEyh2i+EJ/xLuuNMtbNMDfyaP4S8rLWcETvew795dxmegCmg+qjQcg1JrTvWwRfzZ8X6itcOjErOwBKY2GifhzDp0izKgv67GHLE91P+d5kYXzXyHSIBQ9Mw/SjyiGw92iP72GWw71qXY4BWLrECfujnniJkdyIcEjdF3UhYbqT4C2TwPQNAPx4J6WEA6RENuX5lQEa9gKBS5MfZ3PMRb0mpBd8cWBFS7AaV79JXAWf9F6mvqQ5JouEbRNeL+E2185N4jMiXVWhxv8eGjz/hrnoZRtPyo6rwjrnUmNVQcTZb3LlTBtu0fQ2W7g7CyjfS0lVtGKI7jjIc9XCBdB989TrMm6MA0jZAJ7Uepegn2zsOFxvkXXlD4+yVvZIzYjVbBSXkT+AHqVDOuEaoJeGZAsajyRsSgMY3e4FJN9yiXeT0bB4pzgeTwIgUnd+eheiTOS3vg5jzrV361Sz9Fi3xQQJYF5v4q0uXHOOhDTXa2hK4n9PiOOHsl8hBpSvH0IvvOPw2owwcg3ufXn52GQFmpwU2ijZTxGikyQ07Z5uJfbV41o7Wu/CPbeR7oaGYi4MG8rT/yw+kL1kDfLv7wm7wPsuErRraQrrK/3LelYi/A==
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: nokia.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AS1PR07MB8589.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: df9873eb-61e6-441b-291a-08dcccb7d21f
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Sep 2024 08:01:45.5789 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5d471751-9675-428d-917b-70f44f9630b0
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: ZvvCi7vkHdS17rTQ5nKej9Y1NAFHVq2Kp736jVafVJaamJKW+oNkAusx6hZYZuZmgeIAivvaM8RmfKhr5NVjs6YRMA5D4qV2dKwDWXxvLho=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS8PR07MB7463
Message-ID-Hash: XCBLEPFR6O53CM42H5SXD4V4W5UUJPVP
X-Message-ID-Hash: XCBLEPFR6O53CM42H5SXD4V4W5UUJPVP
X-MailFrom: gunter.van_de_velde@nokia.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-anima.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "draft-ietf-anima-brski-ae@ietf.org" <draft-ietf-anima-brski-ae@ietf.org>, "anima-chairs@ietf.org" <anima-chairs@ietf.org>, "anima@ietf.org" <anima@ietf.org>, "tte@cs.fau.de" <tte@cs.fau.de>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Anima] Re: Gunter Van de Velde's No Objection on draft-ietf-anima-brski-ae-12: (with COMMENT)
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/U_vkwHYeFrqs3sycZcWbp2qHIXw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Owner: <mailto:anima-owner@ietf.org>
List-Post: <mailto:anima@ietf.org>
List-Subscribe: <mailto:anima-join@ietf.org>
List-Unsubscribe: <mailto:anima-leave@ietf.org>
Thanks Steffen. Be well, G/ -----Original Message----- From: Fries, Steffen <steffen.fries@siemens.com> Sent: Tuesday, September 3, 2024 7:05 PM To: Gunter van de Velde (Nokia) <gunter.van_de_velde@nokia.com>; The IESG <iesg@ietf.org> Cc: draft-ietf-anima-brski-ae@ietf.org; anima-chairs@ietf.org; anima@ietf.org; tte@cs.fau.de Subject: RE: Gunter Van de Velde's No Objection on draft-ietf-anima-brski-ae-12: (with COMMENT) [You don't often get email from steffen.fries@siemens.com. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ] CAUTION: This is an external email. Please be very careful when clicking links or opening attachments. See the URL nok.it/ext for additional information. Hi Gunter, Thank you for your feedback. They certainly increase clarity of several statement in the draft. We provided some specific reactions inline mainly to the major comment and to some of the minor comments. Most of the minor comments are straight forward and we will take the them into account to improve clarity and understanding in the next version of the document. Best regards Steffen. > -----Original Message----- > From: Gunter Van de Velde via Datatracker <noreply@ietf.org> > Sent: Friday, August 30, 2024 6:32 AM > To: The IESG <iesg@ietf.org> > Cc: draft-ietf-anima-brski-ae@ietf.org; anima-chairs@ietf.org; > anima@ietf.org; tte@cs.fau.de; tte@cs.fau.de > Subject: Gunter Van de Velde's No Objection on > draft-ietf-anima-brski-ae-12: (with > COMMENT) > > Gunter Van de Velde has entered the following ballot position for > draft-ietf-anima-brski-ae-12: No Objection > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut > this introductory paragraph, however.) > > > Please refer to > https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww. > ietf.org%2F&data=05%7C02%7Cgunter.van_de_velde%40nokia.com%7Ccbaac8746 > c09445dd47708dccc3a81dd%7C5d4717519675428d917b70f44f9630b0%7C0%7C0%7C6 > 38609798892322740%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoi > V2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=CvuDvH9jT%2B > %2BXcduG48sDmD530DtmEokATFODLFn4kuc%3D&reserved=0 > %2Fabout%2Fgroups%2Fiesg%2Fstatements%2Fhandling-ballot- > positions%2F&data=05%7C02%7Csteffen.fries%40siemens.com%7C3751aac2dd > be45f8167c08dcc8aca1c4%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0% > 7C638605891000583633%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMD > AiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata > =f%2FDuCh4ZKKn6sjH3KeLeRqjUU7i%2BroDEP2zzamCTRJk%3D&reserved=0 > for more information about how to handle DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdata > tracker.i%2F&data=05%7C02%7Cgunter.van_de_velde%40nokia.com%7Ccbaac874 > 6c09445dd47708dccc3a81dd%7C5d4717519675428d917b70f44f9630b0%7C0%7C0%7C > 638609798892335324%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjo > iV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=dltr%2F%2BI > 1xVNqYU%2Bma0gCP2MgxkdKiLNZCxYAMZdRkzs%3D&reserved=0 > etf.org%2Fdoc%2Fdraft-ietf-anima-brski- > ae%2F&data=05%7C02%7Csteffen.fries%40siemens.com%7C3751aac2ddbe45f81 > 67c08dcc8aca1c4%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C6386 > 05891000595002%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIj > oiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=XrqJC > 50D331eGQ%2FMrMOXgh3OJiKxRxaSvT7lB1okco4%3D&reserved=0 > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > # Gunter Van de Velde, RTG AD, comments for > draft-ietf-anima-brski-ae-12 > > #GENERIC COMMENTS > #================ > ## The text contains many acronyms making it not easy to digest when > not familiar with ANIMA technology. (i am not that familiar with > ANIMA) > > ## I provided a few rewrites of text to help the structure and > simplify reading the content, while keeping the original message, and > hope it helps improve document quality > > #DETAILED COMMENTS > #================= > ##classified as [minor] and [major] > > 11 Abstract > 12 > 13 This document defines an enhancement of Bootstrapping Remote Secure > 14 Key Infrastructure (BRSKI, RFC 8995). It supports alternative > 15 certificate enrollment protocols, such as CMP, that use authenticated > 16 self-contained signed objects for certification messages. > > [minor] > Possibly we could make the abstract slightly higher level to describe > the content of the draft. What about the following proposed alternative abstract: > > " > This document defines enhancements to the Bootstrapping Remote Secure > Key Infrastructure (BRSKI) protocol, known as BRSKI-AE (Alternative Enrollment). > BRSKI-AE extends BRSKI to support alternative enrollment mechanisms > beyond those originally specified, allowing for flexibility in network > device onboarding scenarios. The enhancements address use cases where > the existing BRSKI mechanisms may not be feasible or optimal, > providing a framework for integrating other automated bootstrapping > and enrollment techniques. This document also updates the BRSKI > reference architecture to accommodate these alternative methods, > ensuring secure and scalable deployment across a range of network environments. " [stf] the proposal reads fine from my point of view. We may add a statement that the draft also defines one specific approach leveraging the introduced flexibility using CMP. > > 106 This approach provides the following advantages. The origin of > 107 requests and responses can be authenticated independent of message > 108 transfer. This supports end-to-end authentication (proof of origin) > 109 also over multiple hops, as well as asynchronous operation of > 110 certificate enrollment. This in turn provides architectural > 111 flexibility where and when to ultimately authenticate and authorize > 112 certification requests while retaining full-strength integrity and > 113 authenticity of certification requests. > > [major] > I am not sure what is the correlation between (proof of origin) and > "end-to-end authentication". Why is the prrof of origin between brakets? [stf] Proposal text for clarification as replacement: OLD This supports end-to-end authentication (proof of origin) NEW This supports end-to-end authentication (i.e., end-to-end proof of origin) > > [minor] > I found this paragraph unfortunatly strucured. What about following proposal: > > " > This approach offers several distinct advantages. It allows for the > authentication of the origin of requests and responses independently > of the message transfer mechanism. This capability facilitates > end-to-end authentication (proof of origin) across multiple hops and > supports the asynchronous operation of certificate enrollment. > Consequently, this provides architectural flexibility in determining > the location and timing for the ultimate authentication and > authorization of certification requests, while ensuring the integrity > and authenticity of those requests is maintained with full cryptographic strength. " [stf] Your proposal already includes a formulation addressing your major point above. We will take the whole paragraph into consideration when updating this part. > > 137 The goals of BRSKI-AE are to provide an enhancement of BRSKI for > 138 LDevID certificate enrollment using, alternatively to EST, a protocol > 139 that > 140 > 141 * supports end-to-end authentication over multiple hops > 142 > 143 * enables secure message exchange over any kind of transfer, > 144 including asynchronous delivery. > 145 > 146 Note that the BRSKI voucher exchange of the pledge with the registrar > 147 and MASA uses authenticated self-contained objects, so the voucher > 148 exchange already has these properties. > 149 > 150 The well-known URI approach of BRSKI and EST messages is extended > 151 with an additional path element indicating the enrollment protocol > 152 being used. > 153 > 154 Based on the definition of the overall approach and specific > 155 endpoints, this specification enables the registrar to offer multiple > 156 enrollment protocols, from which pledges and their developers can > 157 then pick the most suitable one. > 158 > 159 It may be noted that BRSKI (RFC 8995) specifies how to use HTTP over > 160 TLS, but further variants are known, such as Constrained BRSKI > 161 [I-D.ietf-anima-constrained-voucher] using CoAP over DTLS. In the > 162 sequel, 'HTTP' and 'TLS' are just references to the most common case, > 163 where variants such as using CoAP and/or DTLS are meant to be > 164 subsumed - the differences are not relevant here. > 165 > 166 This specification is sufficient together with its references to > 167 support BRSKI with the Certificate Management Protocol (CMP, > 168 [RFC9480]) profiled in the Lightweight CMP Profile (LCMPP, > 169 [RFC9483]). Combining BRSKI with a protocol or profile other than > 170 LCMPP will require additional IANA registrations based on the rules > 171 specified in this document. It may also require additional > 172 specifications for details of the protocol or profile (similar to > 173 [RFC9483]), which are outside the scope of this document. > > [minor] > A possible alternate rewrite to make the text easier to read: > > " > The objectives of BRSKI-AE are to enhance BRSKI by enabling LDevID > certificate enrollment through the use of an alternative protocol to EST, which: > > * Supports end-to-end authentication across multiple hops. > * Facilitates secure message exchange over any type of transfer > mechanism, including asynchronous delivery. > > It should be noted that the BRSKI voucher exchange between the pledge, > registrar, and MASA involves the use of authenticated self-contained > objects, which inherently possess these properties. > > The existing well-known URI structure used for BRSKI and EST messages > is extended by introducing an additional path element that specifies > the enrollment protocol being employed. > > This specification allows the registrar to offer multiple enrollment > protocols, enabling pledges and their developers to select the most > appropriate one based on the defined overall approach and specific endpoints. > > It is important to recognize that BRSKI (RFC 8995) specifies the use > of HTTP over TLS, but variations such as Constrained BRSKI > [I-D.ietf-anima-constrained-voucher], which uses CoAP over DTLS, are > also recognized. In this context, 'HTTP' and 'TLS' are used as > references to the most common implementation, though variants using > CoAP and/or DTLS are implied where applicable, as the distinctions are > not pertinent here. > > This specification, together with its referenced documents, is > sufficient to support BRSKI with the Certificate Management Protocol > (CMP, [RFC9480]) as profiled in the Lightweight CMP Profile (LCMPP, > [RFC9483]). Integrating BRSKI with a protocol or profile other than > LCMPP will necessitate additional IANA registrations, as detailed in > this document. Furthermore, additional specifications may be required > for the details of the protocol or profile, which fall outside the scope of this document. " > > 175 1.1. Supported Scenarios > 176 > 177 BRSKI-AE is intended to be used in situations like the following. > 178 > 179 * Pledges and/or the target domain reuse an already established > 180 certificate enrollment protocol different from EST, such as CMP. > 181 > 182 * The application scenario indirectly excludes the use of EST for > 183 certificate enrollment, for reasons like these: > 184 > 185 - The Registration Authority (RA) is not co-located with the > 186 registrar while it requires end-to-end authentication of > 187 requesters. Yet EST does not support end-to-end authentication > 188 over multiple hops. > 189 > 190 - The RA or certification authority (CA) operator requires > 191 auditable proof of origin for Certificate Signing Requests > 192 (CSRs). This is not possible with TLS because it provides only > 193 transient source authentication. > 184 > 195 - Certificates are requested for types of keys, such as Key > 196 Encapsulation Mechanism (KEM) keys, that do not support signing > 197 (nor alternative forms of single-shot proof of possession like > 198 those described in [RFC6955]). This is not supported by EST > 199 because it uses CSRs in PKCS #10 [RFC2986] format, which can > 200 only use proof-of-possession methods that need just a single > 201 message, while proof of possession for KEM keys, for instance, > 202 requires receiving a fresh challenge value beforehand. > 203 > 204 - The pledge implementation uses security libraries not providing > 205 EST support or uses a TLS library that does not support > 206 providing the so-called tls-unique value [RFC5929], which is > 207 needed by EST for strong binding of the source authentication. > 208 > 209 * No full RA functionality is available on-site in the target > 210 domain, while connectivity to an off-site RA may be intermittent > 211 or entirely offline. > 212 > 213 * Authoritative actions of a local RA at the registrar is not > 214 sufficient for fully and reliably authorizing pledge certification > 215 requests. This may be due to missing data access or due to an > 216 insufficient level of security, for instance regarding the local > 217 storage of private keys. > 217 > 219 Bootstrapping can be handled in various ways, depending on the > 220 application domains. The informative Appendix A provides > 221 illustrative examples from various industrial control system > 222 environments and operational setups motivating the support of > 223 alternative enrollment protocols. > > [minor] > possible rewrite for readability > > " > BRSKI-AE is designed for use in scenarios such as the following: > > * Pledges and/or the target domain leverage an existing certificate > enrollment protocol other than EST, such as CMP. > > * The application context precludes the use of EST for certificate > enrollment due to factors such as: > > - The Registration Authority (RA) is not co-located with the registrar and > requires end-to-end authentication of requesters, which EST does not > support over multiple hops. > > - The RA or Certification Authority (CA) operator mandates auditable proof > of origin for Certificate Signing Requests (CSRs), which cannot be provided > by TLS as it only offers transient source authentication. > > - Certificates are required for key types, such as Key Encapsulation > Mechanism (KEM) keys, that do not support signing or other single-shot > proof of possession methods, as described in [RFC6955]. EST, which relies > on CSRs in PKCS #10 [RFC2986] format, does not accommodate these > key types > because it necessitates proof-of-possession methods that operate within a > single message, whereas proof of possession for KEM keys requires prior > receipt of a fresh challenge value. > > - The pledge implementation employs security libraries that do not support > EST or uses a TLS library lacking support for the "tls-unique" value > [RFC5929], which EST requires for the strong binding of source > authentication. > > * Full RA functionality is not available on-site within the target > domain, and connectivity to an off-site RA may be intermittent or entirely offline. > > * Authoritative actions by a local RA at the registrar are > insufficient for fully and reliably authorizing pledge certification > requests, potentially due to a lack of access to necessary data or > inadequate security measures, such as the local storage of private keys. > > Bootstrapping may be managed in various ways depending on the > application domain. Appendix A provides illustrative examples from > different industrial control system environments and operational > contexts that justify the support of alternative enrollment protocols. " > > 258 CSR: Certificate Signing Request > > [minor] > other entries have a RFC associated as reference, but this one has > not? Is that intentional? > > 847 BRSKI-AE provides generalizations to the addressing scheme defined in > 848 BRSKI [RFC8995], Section 5 to accommodate alternative enrollment > 849 protocols that use authenticated self-contained objects for > 850 certification requests. In existing RAs/CAs supporting such an > 851 enrollment protocol (see also Section 5), these generalizations can > 852 be employed without modifications. > > [minor] > This seems to read odd. What about the following alternative: > > " > BRSKI-AE extends the addressing scheme outlined in [RFC8995], Section > 5, to support alternative enrollment protocols that utilize > authenticated, self-contained objects for certification requests. > These extensions are designed to be compatible with existing > Registration Authorities (RAs) and Certification Authorities (CAs) > that already support such enrollment protocols, enabling their use without requiring any modifications. " > > 921 5.1. BRSKI-CMP: BRSKI-AE instantiated with CMP > 922 > 923 Instead of referring to CMP as specified in [RFC4210] and [RFC9480], > 924 this document refers to the Lightweight CMP Profile (LCMPP) [RFC9483] > 925 because the subset of CMP defined there is sufficient for the > 926 functionality needed here. > 927 > 928 When using CMP, adherence to the LCMPP [RFC9483] is REQUIRED. In > 929 particular, the following specific requirements apply (cf. > 930 Figure 2). > 931 > 932 * CA Certs Request (1) and Response (2): > 933 Requesting CA certificates is OPTIONAL. > 934 If supported, it SHALL be implemented as specified in [RFC9483], > 935 Section 4.3.1. > 936 > 937 * Attribute Request (3) and Response (4): > 938 Requesting certification request attributes is OPTIONAL. > 939 If supported, it SHALL be implemented as specified in [RFC9483], > 940 Section 4.3.3. > 941 > 942 Alternatively, the registrar MAY modify the contents of the > 943 requested certificate contents as specified in [RFC9483], > 944 Section 5.2.3.2. > 945 > 946 * Certification Request (5) and Response (6): > 947 Certificates SHALL be requested and provided as specified in the > 948 LCMPP [RFC9483], Section 4.1.1 (based on CRMF) or [RFC9483], > 949 Section 4.1.4 (based on PKCS #10). > 950 > 951 Proof of possession SHALL be provided in a way suitable for the > 952 key type. Proof of identity SHALL be provided by signature-based > 953 protection of the certification request message as outlined in > 954 [RFC9483], Section 3.2 using the IDevID secret. > 955 > 956 When the registrar forwards a certification request by the pledge > 957 to a backend RA/CA, the registrar is RECOMMENDED to wrap the > 958 original certification request in a nested message signed with its > 959 own credentials as described in [RFC9483], Section 5.2.2.1. This > 960 explicitly conveys the consent by the registrar to the RA while > 961 retaining the original certification request message with its > 962 proof of origin provided by the pledge signature. > 963 > 964 In case additional trust anchors (besides the pinned-domain-cert) > 965 need to be conveyed to the pledge, this SHOULD be done in the > 966 caPubs field of the certification response rather than in a CA > 967 Certs Response. > 968 > 969 * Certificate Confirm (7) and PKI/Registrar Confirm (8): > 970 Explicit confirmation of new certificates to the RA/CA MAY be used > 971 as specified in [RFC9483], Section 4.1.1. > 972 > 973 Note that independently of the certificate confirmation within > 974 CMP, enrollment status telemetry with the registrar at BRSKI level > 975 will be performed as described in [RFC8995], Section 5.9.4. > 976 > 977 * If delayed delivery of CMP messages is needed (for instance, to > 978 support enrollment over an asynchronous channel), it SHALL be > 979 performed as specified in Section 4.4 and Section 5.1.2 of > 980 [RFC9483]. > 981 > 982 How messages are exchanged between the registrar and backend PKI > 983 components (i.e., RA and/or CA) is out of scope of this document. > 984 Since CMP is independent of message transfer, the mechanism for this > 985 exchange can be freely chosen according to the needs of the > 986 application scenario. For the applicable security considerations, > 987 see Section 7. Further guidance can be found in [RFC9483], > 988 Section 6. > 989 > 990 BRSKI-AE with CMP can also be combined with Constrained BRSKI > 991 [I-D.ietf-anima-constrained-voucher], using CoAP for enrollment > 992 message transport as described by CoAP Transport for CMP [RFC9482]. > 993 In this scenario, the EST-specific parts of > 994 [I-D.ietf-anima-constrained-voucher] do not apply. > 995 > 996 For BRSKI-AE scenarios where a general solution (cf. Section 4.2.1) > 997 for discovering registrars with CMP support is not available, the > 998 following minimalist approach MAY be used. Perform discovery as > 999 defined in BRSKI [RFC8995], Appendix B but using the service name > 1000 "brski-registrar-cmp" (defined in Section 6) instead of "brski- > 1001 registrar" (defined in [RFC8995], Section 8.6). Note that this > 1002 approach does not support join proxies. > > [minor] > proposed readability rewrite: > > " > In this document, references to CMP follow the Lightweight CMP Profile > (LCMPP) [RFC9483] rather than [RFC4210] and [RFC9480], as the subset > of CMP defined in LCMPP sufficiently meets the required functionality. > > Adherence to the LCMPP [RFC9483] is REQUIRED when using CMP. The > following specific requirements apply (refer to Figure 2): > > * CA Certificates Request (1) and Response (2): Requesting CA certificates is > OPTIONAL. If supported, it SHALL be implemented as specified in [RFC9483], > Section 4.3.1. > > * Attribute Request (3) and Response (4): Requesting certification request > attributes is OPTIONAL. If supported, it SHALL be implemented as specified in > [RFC9483], Section 4.3.3. > > Alternatively, the registrar MAY modify the requested certificate contents as > specified in [RFC9483], Section 5.2.3.2. > > * Certification Request (5) and Response (6): Certificates SHALL be requested > and provided as specified in LCMPP [RFC9483], Section 4.1.1 (based on CRMF) > or Section 4.1.4 (based on PKCS #10). > > Proof of possession SHALL be provided in a manner suitable for the key type. > Proof of identity SHALL be provided by signature-based protection of the > certification request message as outlined in [RFC9483], Section 3.2, using > the IDevID secret. > > When the registrar forwards a certification request from the pledge to a > backend RA/CA, it is RECOMMENDED that the registrar wraps the original > certification request in a nested message signed with its own credentials, as > described in [RFC9483], Section 5.2.2.1. This approach explicitly conveys the > registrar's consent to the RA while retaining the original certification > request with the proof of origin provided by the pledge's signature. > > If additional trust anchors, beyond the pinned-domain-cert, need to be > conveyed to the pledge, this SHOULD be done in the caPubs field of the > certification response rather than through a CA Certificates Response. > > * Certificate Confirm (7) and PKI/Registrar Confirm (8): Explicit > confirmation of new certificates to the RA/CA MAY be used as specified in > [RFC9483], Section 4.1.1. > > Note that independent of certificate confirmation within CMP, enrollment > status telemetry with the registrar at the BRSKI level will be performed as > described in [RFC8995], Section 5.9.4. > > * If delayed delivery of CMP messages is required (e.g., to support > enrollment over an asynchronous channel), it SHALL be performed as specified > in Section 4.4 and Section 5.1.2 of [RFC9483]. > > The mechanisms for exchanging messages between the registrar and > backend PKI components (i.e., RA and/or CA) are outside the scope of > this document. CMP's independence from the message transfer mechanism > allows for flexibility in choosing the appropriate exchange method > based on the application scenario. For applicable security > considerations, refer to Section 7. Further guidance can be found in [RFC9483], Section 6. > > BRSKI-AE with CMP can also be combined with Constrained BRSKI > [I-D.ietf-anima-constrained-voucher], using CoAP for enrollment > message transport as described by CoAP Transport for CMP [RFC9482]. In > such scenarios, the EST-specific parts of [I-D.ietf-anima-constrained-voucher] do not apply. > > For BRSKI-AE scenarios where a general solution for discovering > registrars with CMP support is not available (cf. Section 4.2.1), the > following minimalist approach MAY be used: perform discovery as > defined in BRSKI [RFC8995], Appendix B, but use the service name > "brski-registrar-cmp" (as defined in Section 6) instead of > "brski-registrar" (as defined in [RFC8995], Section 8.6). Note that > this approach does not support join proxies. " > >
- [Anima] Gunter Van de Velde's No Objection on dra… Gunter Van de Velde via Datatracker
- [Anima] Re: Gunter Van de Velde's No Objection on… Fries, Steffen
- [Anima] Re: Gunter Van de Velde's No Objection on… Gunter van de Velde (Nokia)