IETF Logo Mail Archive

Re: [Anima] Shepherd review draft-ietf-anima-bootstrapping-keyinfra-09

"Max Pritikin (pritikin)" <pritikin@cisco.com> Thu, 15 February 2018 16:06 UTC

Return-Path: <pritikin@cisco.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 00663126B7E for <anima@ietfa.amsl.com>; Thu, 15 Feb 2018 08:06:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.53
X-Spam-Level:
X-Spam-Status: No, score=-14.53 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B6APWZcAPz3o for <anima@ietfa.amsl.com>; Thu, 15 Feb 2018 08:06:40 -0800 (PST)
Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A59E124C27 for <anima@ietf.org>; Thu, 15 Feb 2018 08:06:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=8860; q=dns/txt; s=iport; t=1518710800; x=1519920400; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=+cvUlhK7tjQE2J7LtSQ9uDhCROPKxonDGMXFKpGDLGU=; b=dK0VjRzjoqlyHqieTEN8TYYqTc8HDErgewYpDjEZHDdm8+SPQJ8IHmP6 /pfL+lCQam7h5pCRWN1MjDMBl7hrMNixb7u5CzA3TJuWhwRhpz1bfQI9l 3d3UDDcWkwcGmnTODbp8JaBkirtMQXxkQ8l1iZu8tyKKAoFzcr/m0bvkx w=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0DpAgCxr4Va/4sNJK1dGQEBAQEBAQEBAQEBAQcBAQEBAYNSZnAoCoNbmCmCAnwblkUVgSQDXAoYDYFcgzoCGoIoVRcBAgEBAQEBAQJrKIUjAQEBAwEBASERFSULBQsCAQgSBgICJgICAiULFQIOAgQOBYotCBCuN4InhQGDe4ITAQEBAQEBAQEBAQEBAQEBAQEBAQEBHYEPg3SCJ4M/KYJPNoMvAQECAYE7ARIBCRaDFzGCNAWKZBeJSo9tCQKIHo1lgh+GKot9jgWJagIRGQGBOwEhATYyLnFwFRkkKgGCGwmEbngBCYt1gSWBGQEBAQ
X-IronPort-AV: E=Sophos;i="5.46,517,1511827200"; d="scan'208";a="356262068"
Received: from alln-core-6.cisco.com ([173.36.13.139]) by rcdn-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 15 Feb 2018 16:06:34 +0000
Received: from XCH-ALN-011.cisco.com (xch-aln-011.cisco.com [173.36.7.21]) by alln-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id w1FG6Yux016442 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 15 Feb 2018 16:06:34 GMT
Received: from xch-aln-013.cisco.com (173.36.7.23) by XCH-ALN-011.cisco.com (173.36.7.21) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Thu, 15 Feb 2018 10:06:33 -0600
Received: from xch-aln-013.cisco.com ([173.36.7.23]) by XCH-ALN-013.cisco.com ([173.36.7.23]) with mapi id 15.00.1320.000; Thu, 15 Feb 2018 10:06:33 -0600
From: "Max Pritikin (pritikin)" <pritikin@cisco.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
CC: "anima@ietf.org" <anima@ietf.org>
Thread-Topic: [Anima] Shepherd review draft-ietf-anima-bootstrapping-keyinfra-09
Thread-Index: AQHTpgcblAy+qFNx50mP05nV7UQFlKOmBmyA
Date: Thu, 15 Feb 2018 16:06:33 +0000
Message-ID: <89C98637-ACD2-423A-A8C4-52191C35FA53@cisco.com>
References: <20180214010910.GA27823@faui40p.informatik.uni-erlangen.de> <11878.1518662730@obiwan.sandelman.ca>
In-Reply-To: <11878.1518662730@obiwan.sandelman.ca>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.99.106.5]
Content-Type: text/plain; charset="utf-8"
Content-ID: <66FD0F982A888F439DFE735FF1DD7347@emea.cisco.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/plEHtVnAaPihDd1aC_YBZkUU0a4>
Subject: Re: [Anima] Shepherd review draft-ietf-anima-bootstrapping-keyinfra-09
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Feb 2018 16:06:43 -0000


> On Feb 14, 2018, at 7:45 PM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
> 
> 
> Toerless Eckert <tte@cs.fau.de> wrote:
>> 1.2) Terminology:
> 
>> a) vendor vs. manufacturer.
> 
>> The document uses 48 times "vendor" and 13 times "manufacturer". Please
>> revisit this: If there is a clear reason when/why to use vendor and when/why
>> to use the term "manufacturer", then please put these explanations into
>> terminology. Otherwise maybe eliminate "vendor".
> 
> Ha. Good catch.
> I'm pretty sure we want to say manufacturer consistently.
> The IETF has often talked about vendors rather than manufacturers, so this
> might cause some confusion.  Let's go ahead with this and see what confusion
> we cause.
> 
> There is a distinction between vendor (which generally includes VARs) and
> OEMs.
> 
>> For example: Abstract: "using vendor installed X.509 certificate" ...
>> "vendor's authorizing service". This latter one definitely seems to be
>> wrong (MASA = "manufacturer authorizied..., not vendor).
> 
> I've also condensed a number of cases like you noticed:
>     "vendor authorized MASA service"  ==> MASA
> 
> I am concerned that we might lose some subtly between the entity that sold
> the device to the customer, and the entity that signs the vouchers.
> We used the term MASA specifically because we were sure that the service
> would be outsourced by many manufacturers.
> 
>> b)  Key infrastructure
> 
>> There  is no definition/reference for this term.  Please describe on
>> first use and in terminology.  Is there a difference
>> between "key infrastructure" and  "keying material" ? If not, then
>> maybe remove one term otherwise pls. describe difference.
> 
> The term is in the title and in section 1.
> And you are right that it does not appear again, nor is it defined.
> I think it generally refers to the mechanism of PKI, but I'm not sure what to do.

An “infrastructure” is the basic entities and protocols necessary for the operations of key management. I think it comes from the common language term and can’t find a normative definition within IETF document. As a native english speaker who has used the concept in IETF interactions for eons it feels silly to try and define it. Odd. 

Key management itself is defined in RFC4949, although ironically a “public key infrastructure” or “key infrastructure” is not defined. 

"Keying material" is defined in RFC4949.

- max

> 
>> c) (terminology) MASA definition: "A third-party Manufacturer...". Why "third-party" ?
>> who are the first two parties ? If this is only slang and we can't explain who the
>> first two parties are, delete "third-party" ?
> 
> Fixed...  The first party is the Pledge and manufacturer.
> The second party is the Domain Owner.
> The third party is the entity running the MASA, which may not be the manufacturer.
> 
>> d) "Domain Registrar" vs. "Join Registrar", JRC. Especially because the text mostly
>> uses "Domain Registrar" and very seldom "Join Registar".
> 
> Yes, because we agreed that the term across WGs would be JRC, and we say
> in the terminology that we shorten it to Registrar.  We say "Domain
> Registrar" because we want to link it to the PKI concept of a Registration
> Authority (RA).
> 
>> JRC is used in exactly three places in the draft. I also can not find on www.google.com
>> or wikipedia any example of "The term JRC is used in common with other bootstrap
>> mechanisms" as the Terminology claims. Either provide a non-anima reference for the
>> use of that term or eliminate it in the document.
> 
> We agreed to use common terms.
> It was a thread on ANIMA and 6tisch a year ago.
> I can't get mailarchive to find it for me...
> Ah, I see because "JRC" was never used contracted in that thread.
>    https://mailarchive.ietf.org/arch/msg/anima/iotBM0-kxsIB66t8hBo4XUtZLag
> 
> As long as they Informative references.
> https://tools.ietf.org/html/draft-ietf-6tisch-architecture-13#section-6.1
> https://tools.ietf.org/html/draft-ietf-6tisch-terminology-09
>        (yes, expired, but not forgotten, just not a priority)
> 
>> e) Voucher
>> - misses ":" after term.
>> - please change "statement" to "artifact" so the terminology aligns with both voucher
>> draft and voucher-request text which also uses artifact. See also section 2.2
>> where you use "cryptographically protected" instead of "signed" and figure out
>> which term you want to use in all cases (hint: signed).
> 
> I've changed it to:
>  <t>A voucher is a cryptographically protected artifact (a digital signature) to the Pledge
> 
> I feel that we need to say it's cryptographically signed at least once.
> 
>> f) IMPORTANT: Please add/define the term "ANI"
> 
>> ANI - "Autonomic Network Infrastructure". Systems that support both BRSKI and
>> Autonomic Control plane - ACP ([I-D.ietf-anima-autonomic-control-plane]). ANI
>> systems (pledges, proxies, registrar) have specific requirements detailled in
>> the document.
> 
>            <t hangText="ANI:">The Autonomic Network Infrastructure as
>            defined by <xref target="I-D.ietf-anima-autonomic-control-plane"
>            />.  This document details specific requirements for pledges,
>            proxies and registrars when they are part of an ANI.</t>
> 
> Does this work for you?
> 
>> Without this term we can not nail down the explicit requirements against
>> ANI Pledges, Proxies, Registrars that we need from the document (and distinguish
>> from requirements against any non-ANI adaptation of BRSKI). I added according
>> comments into other parts of the doc.
> 
>> g) Please replace "MASA server" with "MASA service" everywhere.
> 
> I prefer to just say "MASA" actually.
> Are you okay with that?
> 
> Let me wrap up here for the moment so you can see the edits and
> I'll reply to the rest as Max and I digest it.  It's a lot of comments.
> I'd like to push an -11 (if only to fix email for M. Behringer).
> 
>    https://github.com/anima-wg/anima-bootstrap/pull/42
>    https://github.com/anima-wg/anima-bootstrap/pull/42/commits/cb7af66344ad709aaf70287a40fa13a67bbf601c
> 
> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
> -= IPv6 IoT consulting =-
> 
> 
> 
> _______________________________________________
> Anima mailing list
> Anima@ietf.org
> https://www.ietf.org/mailman/listinfo/anima

v2.23.0 | Report a Bug | By Email