Re: [Anima] Result//Re: WGLC for draft-ietf-anima-brski-ae-04, ends April 3rd, 2023

[David von Oheimb <it@von-Oheimb.de>]

Dear Brian, Toerless, Michael, et al.,

thank you
 * Brian for your comment during the WGLC,
 * Toerless for your further quick shepherd review thereafter, and
 * Michael for your response on the latter on how to reference EST,

all quoted below.

I've meanwhile prepared an intermediate version of the draft that is not
yet officially submitted to IETF,
i.e., a preview of version 05, available
at https://github.com/anima-wg/anima-brski-ae

The change log so far is:

 * Remove entries from the terminology section that should be clear from
   BRSKI
 * Tweak use of the terms IDevID and LDevID and replace PKI RA/CA by
   RA/CA
 * Add the abbreviation 'LwCMP' for Lightweight CMP to the terminology
   section
 * State clearly in Section 5.1 that LwCMP is mandatory when using CMP
 * Change URL of BRSKI-AE-overview graphics to slide on IETF 116 meeting
   material

The first two items were suggested internally by Steffen,
while the remaining ones address the below points by Toerless and Brian.

Regarding the reference to EST, the authors discussed this and came to
the conclusion
that we better keep the reference to EST [RFC 7030] as informative
because we do not really depend on its contents
since the EST instance of BRSKI-AE has effectively been removed from the
draft (and just remain as a theoretical option).
The only "feature" that stems from EST that we take over in BRSKI-AE,
namely the endpoint naming scheme,
is already covered by the reference to BRSKI [RFC 8995], such that
having BRSKI as a normative reference fully covers this.
OTOH, the references to CMP are clearly normative for the case that
BRSKI-AE is instantiated to CMP,
which we have made more explicit in the upcoming version as stated in
the above change log.

Thus we believe that we have covered all open points,
and since the IPR poll has been finished as well,
the draft would be ready for being submitted and for AD review, 
but:

On Thu, 2023-04-27 at 11:02 +0000, Fries, Steffen wrote:
To: anima@ietf.org <anima@ietf.org>
Subject: [Anima] Design Team Meeting discussion (April 25) on BRSKI-PRM
discovery with cross relation to BRSKI-AE

> Independent of the final solution picked, as BRSKI-AE is also
> enhancing the functionality of a BRSKI registrar by supporting
> alternative enrollment protocols, the same approach is to be intended
> for BRSKI-AE as well. Therefore, we will wait with the submission of
> an updated BRSKI-AE draft until the discussion has ended.

So we are holding back the draft until this has been sorted out,
most likely resulting in a small paragraph to be added to BRSKI-AE.

If there is any further comment or suggestion for improval, please let
us (the authors) know.

Best,
David


On Fri, 2023-03-24 at 09:11 +1300, Brian E Carpenter wrote:
> I have insufficient security expertise to review the details of this
> draft, but it seems to be complete and well written.
> 
> Section 4.2 "Message Exchange" refers to a diagram stored on GitHub in
> PNG format. It's a nice diagram, but I think that it's a bad idea to
> embed a GitHub URL in an RFC. This may be too much to ask, but an
> overview diagram in the same format as Figure 2 would be great.
> 
> Regards
>     Brian Carpenter


On Thu, 2023-04-20 at 05:03 +0200, Toerless Eckert wrote:
> On Wed, Apr 19, 2023 at 04:43:36PM -0400, Michael Richardson wrote:
> > 
> > Toerless Eckert <tte@cs.fau.de> wrote:
> >     > 2. I would suggest to move RFC7030 to normative references.
> > This would make
> >     > it consistent with lightweight CMP references also being
> > normative, and given
> >     > how the endpoint naming scheme is derived and meant to be
> > backward compatible with
> >     > EST, and EST being explicitly mentioned several times in that
> > context..
> > 
> > Do people implementing the CMP-AE need to know what EST is in
> > detail?
> > That doesn't jive with me.  I think it can stay informative, but
> > it's really
> > a quibble.
> 
> Yeah, i was just trying to do formal due diligence walking through the
> shepherd
> template and comparing with the draft. Given how the draft is
> generalizing
> th well-known/<protocol>/ concept introduced with EST and repeatedly
> refers
> to it as the original reference, it seems very much like a formal
> normative
> rference.
> 
> But also: BRSKI-AE does not really mandate _any_ particular protocol.
> If i would
> take on your argument, i could equally say that lightweight CMP is
> just an informational
> reference.
> 

On Wed, 2023-04-19 at 19:05 +0200, Toerless Eckert wrote:
> Dear authors
> 
> Thanks a lot for the work on the document (and as well thanks to all
> reviewers).
> 
> Please fix the following issues and upload a new version.
> 
> > From Brian Carpenters review:
> 
> 1. Michaels recommendation: Please replace URL for reference [BRSKI-
> AE-overview]
>    with one pointing to the slide deck from the last IETF ANIMA WG
> presentation
>    in which the slide was shown, using the IETF proceeding URL, as
> those are
>    deemed to be stable references.
> 
> Shepherd review suggestions:
> 
> 2. I would suggest to move RFC7030 to normative references. This would
> make
> it consistent with lightweight CMP references also being normative,
> and given
> how the endpoint naming scheme is derived and meant to be backward
> compatible with
> EST, and EST being explicitly mentioned several times in that
> context..
> 
> 3. Please introduce abbreviation LwCMP at an appropriate place where
> Lightweight CMP
> is expanded, because you are using LwCMP in a picture without
> explanation.
> 
> Once you have uploaded a new version and once we've received all
> authors IPR replies,
> we can advance the document to our AD.
> 
> FYI below is tentative shepherd writeup to be posted with the fixed
> version.
> 
> Cheers
>     Toerless
> 
> --------
> 
> > # Document Shepherd Write-Up for Group Documents
> > 
> > *This version is dated 4 July 2022.*
> > 
> > Thank you for your service as a document shepherd. Among the
> > responsibilities is
> > answering the questions in this write-up to give helpful context to
> > Last Call
> > and Internet Engineering Steering Group ([IESG][1]) reviewers, and
> > your
> > diligence in completing it is appreciated. The full role of the
> > shepherd is
> > further described in [RFC 4858][2]. You will need the cooperation of
> > the authors
> > and editors to complete these checks.
> > 
> > Note that some numbered items contain multiple related questions;
> > please be sure
> > to answer all of them.
> > 
> > ## Document History
> > 
> > 1. Does the working group (WG) consensus represent the strong
> > concurrence of a
> >    few individuals, with others being silent, or did it reach broad
> > agreement?
> 
> The document represents broad consensus of the working group.
> 
> > 2. Was there controversy about particular points, or were there
> > decisions where
> >    the consensus was particularly rough?
> 
> There where no controversies or rough consensus.
> 
> The document did during WG adoption get split up into two documents
> (the second one is draft-ietf-anima-brski-prm), because the WG felt
> that it
> would be easier to finish the two quite disjoint areas of the original
> document
> by doing that split.
> 
> As a result of this split, some of the early reviews of the document
> are now
> irrelevant, especially the YANG doctors review, because the document
> as it is
> finalized now does not contain any YANG. That part was all moved to
> the second document.
> 
> > 3. Has anyone threatened an appeal or otherwise indicated extreme
> > discontent? If
> >    so, please summarize the areas of conflict in separate email
> > messages to the
> >    responsible Area Director. (It should be in a separate email
> > because this
> >    questionnaire is publicly available.)
> 
> No.
> 
> > 4. For protocol documents, are there existing implementations of the
> > contents of
> >    the document? Have a significant number of potential implementers
> > indicated
> >    plans to implement? Are any existing implementations reported
> > somewhere,
> >    either in the document itself (as [RFC 7942][3] recommends) or
> > elsewhere
> >    (where)?
> 
> There are two known non-public-domain BRSKI-AE enhanced registrar
> implementations
> by Siemens (from co-authors), one PoC, and a second upcoming candidate
> product level
> implementation. There is also a BRSKI-AE enhanced pledge library from
> Siemens.
> 
> There are no implementation reports written down in documents.
> 
> > ## Additional Reviews
> > 
> > 5. Do the contents of this document closely interact with
> > technologies in other
> >    IETF working groups or external organizations, and would it
> > therefore benefit
> >    from their review? Have those reviews occurred? If yes, describe
> > which
> >    reviews took place.
> 
> As described above, there was a YANG doctors review, but it is now
> irrelevant.
> 
> Because everything in BRSKI variations is security relevant, we did
> requrest an
> early SECdir review, which was performed by Barry Leiba and all issues
> uncovered
> there where resolved. We therefore think the document is in a good
> state wrt.
> to IETF security expectations.
> 
> There is a dependency against two drafts from the IETF LAMPS WG,
> I-D.ietf-lamps-cmp-updates and I-D.ietf-lamps-lightweight-cmp-profile,
> both of which where
> developed also specifically in support of this document. Coordination
> with LAMPS WG
> was done via shared authorship across those three documents, aka:
> LAMPS WG is aware
> of ANIMA being an application of lightweight CMP work.
> 
> > 6. Describe how the document meets any required formal expert review
> > criteria,
> >    such as the MIB Doctor, YANG Doctor, media type, and URI type
> > reviews.
> 
> NA: No formal languages used, no IANA requests.
> 
> > 7. If the document contains a YANG module, has the final version of
> > the module
> >    been checked with any of the [recommended validation tools][4]
> > for syntax and
> >    formatting validation? If there are any resulting errors or
> > warnings, what is
> >    the justification for not fixing them at this time? Does the YANG
> > module
> >    comply with the Network Management Datastore Architecture (NMDA)
> > as specified
> >    in [RFC 8342][5]?
> 
> NA.
> 
> > 8. Describe reviews and automated checks performed to validate
> > sections of the
> >    final version of the document written in a formal language, such
> > as XML code,
> >    BNF rules, MIB definitions, CBOR's CDDL, etc.
> 
> NA.
> 
> > ## Document Shepherd Checks
> > 
> > 9. Based on the shepherd's review of the document, is it their
> > opinion that this
> >    document is needed, clearly written, complete, correctly
> > designed, and ready
> >    to be handed off to the responsible Area Director?
> 
> Yes.  This document is needed because it describes how to extend BRSKI
> generically to support more
> enrollment protocols beside EST. This will allow much broader adoption
> of BRSKI
> mechanisms. The document specifically refers to the co-developed (to
> be) RFCs
> to use lightweight CMP as the first instance of such alternative
> enrolment protocols.
> 
> The document is clearly written, complete, correctly designed and
> ready to be
> handed off to the responsible AD.
> 
> > 10. Several IETF Areas have assembled [lists of common issues that
> > their
> >     reviewers encounter][6]. For which areas have such issues been
> > identified
> >     and addressed? For which does this still need to happen in
> > subsequent
> >     reviews?
> 
> The shepherd has looked through the wiki page (*) and could not
> identify specific
> areas that this document could have problems with. This is primarily
> because
> all the formalism aspects are covered by the co-written CMP drafts in
> LAMPS
> (in the opinion of the shepherd, as also shown by absence of IANA
> requests here).
> 
> (*) Please note that te shepherd template should be updated to point
> to the
> new wiki page instead of the old one.
> TBD.
> 
> > 11. What type of RFC publication is being requested on the IETF
> > stream ([Best
> >     Current Practice][12], [Proposed Standard, Internet
> > Standard][13],
> >     [Informational, Experimental or Historic][14])? Why is this the
> > proper type
> >     of RFC? Do all Datatracker state attributes correctly reflect
> > this intent?
> 
> Proposed Standard.
> 
> > 12. Have reasonable efforts been made to remind all authors of the
> > intellectual
> >     property rights (IPR) disclosure obligations described in [BCP
> > 79][7]? To
> >     the best of your knowledge, have all required disclosures been
> > filed? If
> >     not, explain why. If yes, summarize any relevant discussion,
> > including links
> >     to publicly-available messages when applicable.
> 
> Yes. All authors have responded to the IPR disclosure request, and are
> not aware of IPR
> against this document.
> 
> > 13. Has each author, editor, and contributor shown their willingness
> > to be
> >     listed as such? If the total number of authors and editors on
> > the front page
> >     is greater than five, please provide a justification.
> 
> Yes, each author confirmed willingness to be author.
> Total number of authors is 3.
> 
> > 14. Document any remaining I-D nits in this document. Simply running
> > the [idnits
> >     tool][8] is not enough; please review the ["Content Guidelines"
> > on
> >     authors.ietf.org][15]. (Also note that the current idnits tool
> > generates
> >     some incorrect warnings; a rewrite is underway.)
> > 
> > 15. Should any informative references be normative or vice-versa?
> > See the [IESG
> >     Statement on Normative and Informative References][16].
> 
> The shepherd thinks that the document correctly classifies all its
> references as
> normative or informative.
> 
> > 16. List any normative references that are not freely available to
> > anyone. Did
> >     the community have sufficient access to review any such
> > normative
> >     references?
> 
> IEEE 802.1 AR is the only normative non-RFC reference, which is a
> common
> dependency in IETF certificate security systems, including RFC8995, so
> there
> is no new reference with non-free access issues, but only the same one
> that
> ANIMA had to rely on since the WG inception.
> 
> > 17. Are there any normative downward references (see [RFC 3967][9]
> > and [BCP
> >     97][10]) that are not already listed in the [DOWNREF
> > registry][17]? If so,
> >     list them.
> 
> No.
> 
> > 18. Are there normative references to documents that are not ready
> > to be
> >     submitted to the IESG for publication or are otherwise in an
> > unclear state?
> >     If so, what is the plan for their completion?
> 
> No. (CMP drafts are in RFC editor queue at time of Shepherd writeup).
> 
> > 19. Will publication of this document change the status of any
> > existing RFCs? If
> >     so, does the Datatracker metadata correctly reflect this and are
> > those RFCs
> >     listed on the title page, in the abstract, and discussed in the
> >     introduction? If not, explain why and point to the part of the
> > document
> >     where the relationship of this document to these other RFCs is
> > discussed.
> 
> NA: No changes in status of existing RFCs.
> 
> > 20. Describe the document shepherd's review of the IANA
> > considerations section,
> >     especially with regard to its consistency with the body of the
> > document.
> >     Confirm that all aspects of the document requiring IANA
> > assignments are
> >     associated with the appropriate reservations in IANA registries.
> > Confirm
> >     that any referenced IANA registries have been clearly
> > identified. Confirm
> >     that each newly created IANA registry specifies its initial
> > contents,
> >     allocations procedures, and a reasonable name (see [RFC
> > 8126][11]).
> 
> NA.
> 
> > 21. List any new IANA registries that require Designated Expert
> > Review for
> >     future allocations. Are the instructions to the Designated
> > Expert clear?
> >     Please include suggestions of designated experts, if
> > appropriate.
> 
> NA.
> 
> > [1]: https://www.ietf.org/about/groups/iesg/
> > [2]: https://www.rfc-editor.org/rfc/rfc4858.html
> > [3]: https://www.rfc-editor.org/rfc/rfc7942.html
> > [4]: https://trac.ietf.org/trac/ops/wiki/yang-review-tools
> > [5]: https://www.rfc-editor.org/rfc/rfc8342.html
> > [6]: https://trac.ietf.org/trac/iesg/wiki/ExpertTopics
> > [7]: https://www.rfc-editor.org/info/bcp79
> > [8]: https://www.ietf.org/tools/idnits/
> > [9]: https://www.rfc-editor.org/rfc/rfc3967.html
> > [10]: https://www.rfc-editor.org/info/bcp97
> > [11]: https://www.rfc-editor.org/rfc/rfc8126.html
> > [12]: https://www.rfc-editor.org/rfc/rfc2026.html#section-5
> > [13]: https://www.rfc-editor.org/rfc/rfc2026.html#section-4.1
> > [14]: https://www.rfc-editor.org/rfc/rfc2026.html#section-4.2
> > [15]: https://authors.ietf.org/en/content-guidelines-overview
> > [16]:
> > https://www.ietf.org/about/groups/iesg/statements/normative-informative-references/
> > [17]: https://datatracker.ietf.org/doc/downref/
> 
> EOF.
> 
> _______________________________________________
> Anima mailing list
> Anima@ietf.org
> https://www.ietf.org/mailman/listinfo/anima
>