Re: [Anima] My comments about draft-richardson-anima-masa-considerations-02:

"Panwei (William)" <william.panwei@huawei.com> Tue, 17 March 2020 07:08 UTC

From: "Panwei (William)" <william.panwei@huawei.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
CC: "anima@ietf.org" <anima@ietf.org>
Date: Tue, 17 Mar 2020 07:08:28 +0000
Message-ID: <09dc16c096354052b399b1f6e75f3fb7@huawei.com>
References: <C02846B1344F344EB4FAA6FA7AF481F13EC88B58@DGGEMM531-MBS.china.huawei.com> <4178.1583770121@localhost>
In-Reply-To: <4178.1583770121@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/ndZraXByV3ZhbwUUulzFeWDXnIc>
Subject: Re: [Anima] My comments about draft-richardson-anima-masa-considerations-02:

Hi Michael,

Please see inline.

> -----Original Message-----
> From: Anima [mailto:anima-bounces@ietf.org] On Behalf Of Michael
> Richardson
> Sent: Tuesday, March 10, 2020 12:09 AM
> To: anima@ietf.org; Xialiang (Frank, Network Standard & Patent Dept)
> <frank.xialiang@huawei.com>
> Subject: Re: [Anima] My comments about
> draft-richardson-anima-masa-considerations-02:
> 
>     > pg 4:
>     > A serial number for the device can be assigned and placed into a
> 
> 
>     > comment:
>     > Is it appropriate to assign the serial number to the device, since the
>     > device already has its own SN?
> 
> This is: a device has a single serial number.
> The point is that a device may not yet have a serial number, and it is possible
> to assign the serial number during this process.  Or perhaps more to the
> point, the manufacturing step at which a serial number is assigned is the right
> time to deploy the private key.
> 

[Wei] I think what needs to be explained is the distinct characteristics of the serial number for the device. Maybe how it is assigned is not important, but other aspects, such as what it is used for, are important, so that readers can match the specific thing in their implementation with the serial number you mean.

> 
>     > pg 5:
>     > Ongoing access to the root-CA is important, but not as critical as
>     > access to the MASA key.
> 
> 
>     > comment:
>     > MASA key is not relevant with the IDevID three-tier PKI
>     > infrastructure. So, does this sentence make sense here?
> 
> This comment is about relative levels of access to the private keys.
> The key that the MASA uses to sign vouchers *needs* to be online.
> The root-CA for the IDevID PKI can be offline, locked in a vault (and
> guarded by Godzilla if you like).
> 

[Wei] Two comments:
1) Why is ongoing access to the root CA important? The document says the root-CA private key should be kept offline, so how can there be ongoing access to the root-CA?
2) This sentence seems inappropriate in this section. This section and the upper-level section are talking about the device's IDevID. Suddenly mentioning the MASA key doesn't make sense.


Regards & Thanks!
Wei Pan