[auth48] [AD] Re: AUTH48: RFC-to-be 9456 <draft-ietf-opsawg-tlstm-update-15> for your review
rfc-editor@rfc-editor.org Thu, 17 August 2023 21:29 UTC
Return-Path: <wwwrun@rfcpa.amsl.com>
X-Original-To: auth48archive@ietfa.amsl.com
Delivered-To: auth48archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 42E1CC15108F; Thu, 17 Aug 2023 14:29:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.467
X-Spam-Level:
X-Spam-Status: No, score=-4.467 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, CTE_8BIT_MISMATCH=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, RDNS_NONE=0.793, SPF_HELO_SOFTFAIL=0.732, SPF_SOFTFAIL=0.665, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ucRdjr7wu9Yz; Thu, 17 Aug 2023 14:29:39 -0700 (PDT)
Received: from rfcpa.amsl.com (unknown [50.223.129.200]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 76312C14CE30; Thu, 17 Aug 2023 14:29:39 -0700 (PDT)
Received: by rfcpa.amsl.com (Postfix, from userid 499) id 3512C88BC9; Thu, 17 Aug 2023 14:29:39 -0700 (PDT)
To: kvaughn@trevilon.com
From: rfc-editor@rfc-editor.org
Cc: rfc-editor@rfc-editor.org, opsawg-ads@ietf.org, opsawg-chairs@ietf.org, jclarke@cisco.com, rwilton@cisco.com, auth48archive@rfc-editor.org
Content-type: text/plain; charset="UTF-8"
Message-Id: <20230817212939.3512C88BC9@rfcpa.amsl.com>
Date: Thu, 17 Aug 2023 14:29:39 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/auth48archive/j8X7iEpmczBfLVL39ZnpptgRTNo>
Subject: [auth48] [AD] Re: AUTH48: RFC-to-be 9456 <draft-ietf-opsawg-tlstm-update-15> for your review
X-BeenThere: auth48archive@rfc-editor.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Archiving AUTH48 exchanges between the RFC Production Center, the authors, and other related parties" <auth48archive.rfc-editor.org>
List-Unsubscribe: <https://mailman.rfc-editor.org/mailman/options/auth48archive>, <mailto:auth48archive-request@rfc-editor.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/auth48archive/>
List-Post: <mailto:auth48archive@rfc-editor.org>
List-Help: <mailto:auth48archive-request@rfc-editor.org?subject=help>
List-Subscribe: <https://mailman.rfc-editor.org/mailman/listinfo/auth48archive>, <mailto:auth48archive-request@rfc-editor.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Aug 2023 21:29:43 -0000
Authors, While reviewing this document during AUTH48, please resolve (as necessary) the following questions, which are also in the XML file. 1) <!-- [rfced] Please insert any keywords (beyond those that appear in the title) for use on <https://www.rfc-editor.org/search>. --> 2) <!-- [rfced] Please review <https://wiki.ietf.org/group/ops/mib-boilerplate>; it appears that the section "The Internet-Standard Management Framework" is missing from this document. May we add this section as a new Section 1.1, move "Conventions" to Section 1.2, and add RFC 3410 to the Normative References section? --> 3) <!-- [rfced] Section 1.1: It appears that RFC 3413 ("Simple Network Management Protocol (SNMP) Applications") should be cited here instead of RFC 3411 (which only mentions "SNMP applications" in passing in its text (Abstract, Section 3.1.1.2, and Section 4.1)). May we update as suggested? Original: See "SNMP Applications" (RFC3411) for further information. Suggested: See "Simple Network Management Protocol (SNMP) Applications" [RFC3413] for further information. --> 4) <!-- [rfced] Section 2.1: Please let us know if any changes are needed for the following: a) For ease of the reader, we added a citation for RFC 8446 here. However, we could not verify that TLS 1.3 replaced the one-octet hash algorithm identifier with a two-octet TLS 1.3 cipher suite identifier. Please let us know if this text should be clarified. Original: TLS 1.3 replaced the one- octet hash algorithm identifier with a two-octet TLS 1.3 cipher suite identifier. Currently: TLS 1.3 [RFC8446] replaced the one-octet hash algorithm identifier with a two-octet TLS 1.3 cipher suite identifier. b) We could not find any instances of "fingerprint algorithm" in RFC 6353. Would the updates suggested below be helpful to readers? Original: [RFC6353] defines a fingerprint algorithm that references the one- octet TLS 1.2 hash algorithm identifier. ... This document updates the definition of SnmpTLSFingerprint to clarify that the one-octet identifier in the fingerprint algorithm uses the IANA SNMP-TLSTM HashAlgorithm Registry; this registry is consistent with the IANA TLS HashAlgorithm Registry for its initial values but can be extended as needed to support new hashing algorithms without implying that the new values can be used by TLS version 1.2. Suggested (assuming that "one-octet algorithm identifier" is correct): [RFC6353] defines a SnmpTLSFingerprint algorithm identifier that references the one-octet TLS 1.2 hash algorithm identifier. ... This document updates the definition of SnmpTLSFingerprint to clarify that the one-octet algorithm identifier uses the values in the IANA "SNMP-TLSTM HashAlgorithm" registry; this registry is consistent with the IANA "TLS HashAlgorithm" registry for its initial values but can be extended as needed to support new hashing algorithms without implying that the new values can be used by TLS version 1.2. --> 5) <!-- [rfced] Section 4: We have been advised that MIB modules should be self-contained. We do not see any "REFERENCE" entries for RFC 5246, RFC 5953, or RFC 6353. May we update as suggested? Original: This module makes references to [RFC1123], RFC2578, RFC2579, RFC2580, RFC3411, RFC3413, [RFC5246], [RFC5280], [RFC5890], [RFC5952], [RFC5953], [RFC6353], and [STD58] ... DESCRIPTION "This version of this MIB module is part of RFC 6353; see the RFC itself for full legal notices. The only change was to introduce new wording to reflect require changes for IDNA addresses in the SnmpTLSAddress TC." REVISION "201005070000Z" DESCRIPTION "This version of this MIB module is part of RFC 5953; see the RFC itself for full legal notices." ::= { mib-2 198 } ... Historically, the 1-octet hashing algorithm identifier was based on the IANA TLS HashAlgorithm Registry (RFC 5246); however, this registry is no longer in use for TLS 1.3 and above and are not expected to have any new registrations added to it. ... Suggested: This SNMP-TLS-TM-MIB module imports items from [RFC2578], [RFC2579], [RFC2580], [RFC3411], and [RFC3413]. It also references [RFC1123], [RFC5246], [RFC5280], [RFC5890], [RFC5952], [RFC5953], [RFC6353], and [STD58]. ... DESCRIPTION "This version of this MIB module is part of RFC 6353; see the RFC itself for full legal notices. The only change was to introduce new wording to reflect required changes for Internationalized Domain Names for Applications (IDNA) addresses in the SnmpTLSAddress textual convention (TC)." REFERENCE "RFC 6353: Transport Layer Security (TLS) Transport Model for the Simple Network Management Protocol (SNMP)" REVISION "201005070000Z" DESCRIPTION "This version of this MIB module is part of RFC 5953; see the RFC itself for full legal notices." REFERENCE "RFC 5953: Transport Layer Security (TLS) Transport Model for the Simple Network Management Protocol (SNMP)" ::= { mib-2 198 } ... Historically, the one-octet hashing algorithm identifier was based on the IANA 'TLS HashAlgorithm' registry (RFC 5246); however, this registry is no longer in use for TLS 1.3 and above and is not expected to have any new registrations added to it. ... REFERENCE "RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2" --> 6) <!-- [rfced] Section 4: We could not find a relationship between RFC 2579 and these two entries. Please confirm that these citations for RFC 2579 will be clear to readers. Original: snmpTLSTCPDomain OBJECT-IDENTITY STATUS current DESCRIPTION "The SNMP over TLS via TCP transport domain. The corresponding transport address is of type SnmpTLSAddress. The securityName prefix to be associated with the snmpTLSTCPDomain is 'tls'. This prefix MAY be used by security models or other components to identify which secure transport infrastructure authenticated a securityName." REFERENCE "RFC 2579: Textual Conventions for SMIv2" ::= { snmpDomains 8 } snmpDTLSUDPDomain OBJECT-IDENTITY STATUS current DESCRIPTION "The SNMP over DTLS via UDP transport domain. The corresponding transport address is of type SnmpTLSAddress. The securityName prefix to be associated with the snmpDTLSUDPDomain is 'dtls'. This prefix MAY be used by security models or other components to identify which secure transport infrastructure authenticated a securityName." REFERENCE "RFC 2579: Textual Conventions for SMIv2" ::= { snmpDomains 9 } --> 7) <!-- [rfced] Section 4: Please review the following, and advise. a) This sentence does not parse. Does "both the" mean "both of the" (in which case text for the second item is missing and we will need you to provide it), or should the word "both" be removed (to make clear that the model's support for transport prefixes is the only concept mentioned in this sentence)? Also, for ease of the reader, should RFC 5591 (SNMP-TSM-MIB) be added to this document, perhaps (1) in the first paragraph of this section, (2) as a reference entry after this description clause, and (3) in the list of Informative References? Original: "... Using both the Transport Security Model's support for transport prefixes (see the SNMP-TSM-MIB's snmpTsmConfigurationUsePrefix object for details) will result in securityName lengths that exceed what VACM can handle." b) Please confirm that "local part" (2 words, no hyphen) and "host-part" (hyphenated) are both correct. Would "localpart" and "hostpart" be acceptable? Original: The local part of the rfc822Name is passed unaltered but the host-part of the name MUST be passed in lowercase. c) Should "certificate of the above types" be "certificates of the above types"? Original: The first matching subjectAltName value found in the certificate of the above types MUST be used when deriving the tmSecurityName. d) This sentence does not parse. Does "all child certificate's subjectAltName to" mean "all child certificates' subjectAltName fields to" or something else? Original: Users are encouraged to make use of certificates with subjectAltName fields that can be used as tmSecurityNames so that a single root CA certificate can allow all child certificate's subjectAltName to map directly to a tmSecurityName via a 1:1 transformation. e) Does "mapping type that does not require data present in this column" mean "mapping type that does not require that data be present in this column", "mapping type that does not require data that is present in this column", or something else? Original: "... The value in this column MUST be ignored for any mapping type that does not require data present in this column." Perhaps A: "... The value in this column MUST be ignored for any mapping type that does not require that data be present in this column." Perhaps B: "... The value in this column MUST be ignored for any mapping type that does not require data that is present in this column."--> 8) <!-- [rfced] Security Considerations: It appears that, per the first paragraph of this section, this document adequately follows the guidelines provided on <https://wiki.ietf.org/group/ops/mib-security>. Please review and confirm that no further changes are needed as related to the IETF security guidelines for MIB documents. --> 9) <!-- [rfced] Section 6: IANA Considerations a) [AD]: We see that extensive updates have been made to the IANA Considerations section between versions -14 and -15. Email from Ken dated 1 May 2023 (with PDF attached): "Based on comments received during the implementation of the IANA actions, we would like to edit the IANA Considerations section of draft-ietf-opsawg-tlstm-update-14 according to the attached. I am happy to upload a new version of the document, but I recognize that it is in the editing queue and was advised to coordinate with your efforts. Please let me know what I should do. (Note: I assume the first couple of paragraphs will be deleted now that IANA has completed their task)" It appears that the decision was made later (8 May 2023) to upload the updated version -15 to the Datatracker. We assume that the updates mentioned in Ken's 1 May email were all incorporated into version -15. Please review the updates to the IANA Considerations carefully, and let us know if any further changes are needed. Also, does IANA need to add anything on iana.org as related to the version -15 updates? b) FYI, we will update this text once this action has been completed by the secretariat. See mail from IANA sent on 8/14/2023. Original: IANA is also asked to either 1) create the <snmp-tlstm-reg-review@ietf.org> email address that appears later in this section or 2) update the email address to an appropriate address. c) As the "SNMP-TLSTM HashAlgorithm" registry (https://www.iana.org/assignments/smi-numbers) lists multiple algorithms, would you like the registry name to be pluralized, i.e., "SNMP-TLSTM HashAlgorithms"? If so, we will ask IANA to update this registry title accordingly. --> 10) <!-- [rfced] Section 6: Should "SHOULD not" be "SHOULD NOT" here, or "should not"? This was flagged by the Datatracker idnits script as follows: Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Original: Assignments that are inspecific (e.g., reserved values) SHOULD not receive an assigned value for the recommended column. --> 11) <!-- [rfced] Please review the "Inclusive Language" portion of the online Style Guide at <https://www.rfc-editor.org/styleguide/part2/#inclusive_language>, and let us know if any changes are needed. Note that our script did not flag any words in particular, but this should still be reviewed as a best practice. --> 12) <!-- [rfced] Please let us know if any changes are needed for the following: a) The following terms were used inconsistently in this document. We chose to use the latter forms. Please let us know any objections. 1-octet (DESCRIPTION clause for SnmpTLSFingerprint) / one-octet (elsewhere) common name (1 instance) / CommonName (6 instances in text) b) The following terms appear to be used inconsistently in this document. Please let us know which form is preferred. host name (5 instances) / hostname (4 instances) [T][t]his textual convention (4 instances) / This TEXTUAL-CONVENTION (1 instance) (We also see "existing fingerprint TEXTUAL-CONVENTION" in Section 2.1.) c) Column names were quoted in the original document in four of approximately 22 instances (e.g., 'Algorithm' column, snmpTlstmCertToTSNMapType column, "Recommended" column, recommended column). We added quotes throughout for consistency. Please let us know if you would prefer that all quotes for column names be removed. d) Would you like spacing to be consistent within this document for the following? Curly brackets (most have spaces around them): {snmpTlstmConfig 1} OBJECTS { snmpTlstmAddrServerFingerprint, snmpTlstmSessionInvalidServerCertificates} "SIZE" entries: (SIZE (1..255)) (SIZE (0..255)) (SIZE(1..255)) (SIZE(0..1024)) --> Thank you. RFC Editor/lb/ap On Aug 17, 2023, at 2:27 PM, rfc-editor@rfc-editor.org wrote: *****IMPORTANT***** Updated 2023/08/17 RFC Author(s): -------------- Instructions for Completing AUTH48 Your document has now entered AUTH48. Once it has been reviewed and approved by you and all coauthors, it will be published as an RFC. If an author is no longer available, there are several remedies available as listed in the FAQ (https://www.rfc-editor.org/faq/). You and you coauthors are responsible for engaging other parties (e.g., Contributors or Working Group) as necessary before providing your approval. Planning your review --------------------- Please review the following aspects of your document: * RFC Editor questions Please review and resolve any questions raised by the RFC Editor that have been included in the XML file as comments marked as follows: <!-- [rfced] ... --> These questions will also be sent in a subsequent email. * Changes submitted by coauthors Please ensure that you review any changes submitted by your coauthors. We assume that if you do not speak up that you agree to changes submitted by your coauthors. * Content Please review the full content of the document, as this cannot change once the RFC is published. Please pay particular attention to: - IANA considerations updates (if applicable) - contact information - references * Copyright notices and legends Please review the copyright notice and legends as defined in RFC 5378 and the Trust Legal Provisions (TLP – https://trustee.ietf.org/license-info/). * Semantic markup Please review the markup in the XML file to ensure that elements of content are correctly tagged. For example, ensure that <sourcecode> and <artwork> are set correctly. See details at <https://authors.ietf.org/rfcxml-vocabulary>. * Formatted output Please review the PDF, HTML, and TXT files to ensure that the formatted output, as generated from the markup in the XML file, is reasonable. Please note that the TXT will have formatting limitations compared to the PDF and HTML. Submitting changes ------------------ To submit changes, please reply to this email using ‘REPLY ALL’ as all the parties CCed on this message need to see your changes. The parties include: * your coauthors * rfc-editor@rfc-editor.org (the RPC team) * other document participants, depending on the stream (e.g., IETF Stream participants are your working group chairs, the responsible ADs, and the document shepherd). * auth48archive@rfc-editor.org, which is a new archival mailing list to preserve AUTH48 conversations; it is not an active discussion list: * More info: https://mailarchive.ietf.org/arch/msg/ietf-announce/yb6lpIGh-4Q9l2USxIAe6P8O4Zc * The archive itself: https://mailarchive.ietf.org/arch/browse/auth48archive/ * Note: If only absolutely necessary, you may temporarily opt out of the archiving of messages (e.g., to discuss a sensitive matter). If needed, please add a note at the top of the message that you have dropped the address. When the discussion is concluded, auth48archive@rfc-editor.org will be re-added to the CC list and its addition will be noted at the top of the message. You may submit your changes in one of two ways: An update to the provided XML file — OR — An explicit list of changes in this format Section # (or indicate Global) OLD: old text NEW: new text You do not need to reply with both an updated XML file and an explicit list of changes, as either form is sufficient. We will ask a stream manager to review and approve any changes that seem beyond editorial in nature, e.g., addition of new text, deletion of text, and technical changes. Information about stream managers can be found in the FAQ. Editorial changes do not require approval from a stream manager. Approving for publication -------------------------- To approve your RFC for publication, please reply to this email stating that you approve this RFC for publication. Please use ‘REPLY ALL’, as all the parties CCed on this message need to see your approval. Files ----- The files are available here: https://www.rfc-editor.org/authors/rfc9456.xml https://www.rfc-editor.org/authors/rfc9456.html https://www.rfc-editor.org/authors/rfc9456.pdf https://www.rfc-editor.org/authors/rfc9456.txt Diff file of the text: https://www.rfc-editor.org/authors/rfc9456-diff.html https://www.rfc-editor.org/authors/rfc9456-rfcdiff.html (side by side) Diff of the XML: https://www.rfc-editor.org/authors/rfc9456-xmldiff1.html Tracking progress ----------------- The details of the AUTH48 status of your document are here: https://www.rfc-editor.org/auth48/rfc9456 Please let us know if you have any questions. Thank you for your cooperation, RFC Editor -------------------------------------- RFC9456 (draft-ietf-opsawg-tlstm-update-15) Title : Updates to the TLS Transport Model for SNMP Author(s) : K. Vaughn, Ed. WG Chair(s) : Henk Birkholz, Joe Clarke, Tianran Zhou Area Director(s) : Warren Kumari, Robert Wilton
- [auth48] AUTH48: RFC-to-be 9456 <draft-ietf-opsaw… rfc-editor
- [auth48] *[AD] AUTH48: RFC-to-be 9456 <draft-ietf… Lynne Bartholomew
- Re: [auth48] *[AD] AUTH48: RFC-to-be 9456 <draft-… Lynne Bartholomew
- Re: [auth48] *[AD] AUTH48: RFC-to-be 9456 <draft-… Kenneth Vaughn
- Re: [auth48] *[AD] AUTH48: RFC-to-be 9456 <draft-… Lynne Bartholomew
- Re: [auth48] *[AD] AUTH48: RFC-to-be 9456 <draft-… Kenneth Vaughn
- Re: [auth48] *[AD] AUTH48: RFC-to-be 9456 <draft-… Lynne Bartholomew
- Re: [auth48] *[AD] AUTH48: RFC-to-be 9456 <draft-… Lynne Bartholomew
- Re: [auth48] AUTH48: RFC-to-be 9456 <draft-ietf-o… Kenneth Vaughn
- [auth48] *[AD] Re: AUTH48: RFC-to-be 9456 <draft-… Lynne Bartholomew
- Re: [auth48] *[AD] Re: AUTH48: RFC-to-be 9456 <dr… Rob Wilton (rwilton)
- Re: [auth48] *[AD] Re: AUTH48: RFC-to-be 9456 <dr… Kenneth Vaughn
- Re: [auth48] *[AD] Re: AUTH48: RFC-to-be 9456 <dr… Lynne Bartholomew
- Re: [auth48] *[AD] Re: AUTH48: RFC-to-be 9456 <dr… Lynne Bartholomew
- Re: [auth48] *[AD] Re: AUTH48: RFC-to-be 9456 <dr… Kenneth Vaughn
- Re: [auth48] *[AD] Re: AUTH48: RFC-to-be 9456 <dr… Joe Clarke (jclarke)
- Re: [auth48] *[AD] Re: AUTH48: RFC-to-be 9456 <dr… Lynne Bartholomew
- Re: [auth48] *[AD] Re: AUTH48: RFC-to-be 9456 <dr… Joe Clarke (jclarke)
- Re: [auth48] *[AD] Re: AUTH48: RFC-to-be 9456 <dr… Kenneth Vaughn
- [auth48] *[AD] Re: AUTH48: RFC-to-be 9456 <draft-… Lynne Bartholomew
- Re: [auth48] *[AD] Re: AUTH48: RFC-to-be 9456 <dr… Kenneth Vaughn
- Re: [auth48] *[AD] Re: AUTH48: RFC-to-be 9456 <dr… Joe Clarke (jclarke)
- Re: [auth48] [AD] AUTH48: RFC-to-be 9456 <draft-i… Joe Clarke (jclarke)
- Re: [auth48] *[AD] Re: AUTH48: RFC-to-be 9456 <dr… Lynne Bartholomew
- [auth48] *[AD] Re: AUTH48: RFC-to-be 9456 <draft-… Lynne Bartholomew
- Re: [auth48] *[AD] Re: AUTH48: RFC-to-be 9456 <dr… Lynne Bartholomew
- [auth48] *[AD] Re: AUTH48: RFC-to-be 9456 <draft-… Lynne Bartholomew
- [auth48] [AD] Re: AUTH48: RFC-to-be 9456 <draft-i… rfc-editor
- Re: [auth48] *[AD] Re: AUTH48: RFC-to-be 9456 <dr… Rob Wilton (rwilton)
- Re: [auth48] *[AD] Re: AUTH48: RFC-to-be 9456 <dr… Lynne Bartholomew
- Re: [auth48] [AD] AUTH48: RFC-to-be 9456 <draft-i… Kenneth Vaughn
- [auth48] [IANA] Re: AUTH48: RFC-to-be 9456 <draft… Lynne Bartholomew
- [auth48] [IANA #1285701] [IANA] Re: AUTH48: RFC-t… Amanda Baber via RT
- Re: [auth48] *[AD] AUTH48: RFC-to-be 9456 <draft-… Kenneth Vaughn
- Re: [auth48] [IANA #1285701] [IANA] Re: AUTH48: R… Lynne Bartholomew
- Re: [auth48] [AD] AUTH48: RFC-to-be 9456 <draft-i… Kenneth Vaughn