Re: [auth48] AUTH48: RFC-to-be 9399 <draft-ietf-lamps-rfc3709bis-10> for your review
Russ Housley <housley@vigilsec.com> Fri, 07 April 2023 19:41 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: auth48archive@ietfa.amsl.com
Delivered-To: auth48archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E932C152A26; Fri, 7 Apr 2023 12:41:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fgvKu_SjVueI; Fri, 7 Apr 2023 12:41:00 -0700 (PDT)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1AEE8C15153F; Fri, 7 Apr 2023 12:41:00 -0700 (PDT)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id 05411169E36; Fri, 7 Apr 2023 15:40:59 -0400 (EDT)
Received: from [192.168.1.161] (unknown [96.241.2.243]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id CDBF5169C78; Fri, 7 Apr 2023 15:40:58 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <20230407181524.E739B7FDC0@rfcpa.amsl.com>
Date: Fri, 07 Apr 2023 15:40:58 -0400
Cc: Stefan Santesson <sts@aaa-sec.com>, Trevor Freeman <frtrevor@amazon.com>, Leonard Rosenthol <lrosenth@adobe.com>, lamps-ads@ietf.org, LAMPS Chairs <lamps-chairs@ietf.org>, Tim Hollebeek <tim.hollebeek@digicert.com>, "Roman D. Danyliw" <rdd@cert.org>, auth48archive@rfc-editor.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <B03E3C87-9E01-4D04-B344-EA0176D66F10@vigilsec.com>
References: <20230407181524.E739B7FDC0@rfcpa.amsl.com>
To: RFC Editor <rfc-editor@rfc-editor.org>
X-Mailer: Apple Mail (2.3445.104.21)
X-Scanned-By: mailmunge 3.11 on 66.39.134.11
Archived-At: <https://mailarchive.ietf.org/arch/msg/auth48archive/zQ7o_NA8wjY38OFAQCHzLtjQmxA>
Subject: Re: [auth48] AUTH48: RFC-to-be 9399 <draft-ietf-lamps-rfc3709bis-10> for your review
X-BeenThere: auth48archive@rfc-editor.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Archiving AUTH48 exchanges between the RFC Production Center, the authors, and other related parties" <auth48archive.rfc-editor.org>
List-Unsubscribe: <https://mailman.rfc-editor.org/mailman/options/auth48archive>, <mailto:auth48archive-request@rfc-editor.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/auth48archive/>
List-Post: <mailto:auth48archive@rfc-editor.org>
List-Help: <mailto:auth48archive-request@rfc-editor.org?subject=help>
List-Subscribe: <https://mailman.rfc-editor.org/mailman/listinfo/auth48archive>, <mailto:auth48archive-request@rfc-editor.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Apr 2023 19:41:05 -0000
Dear RFC Editor: Thanks for the editorial improvements. > 1) <!-- [rfced] Please insert any keywords (beyond those that appear in the > title) for use on https://www.rfc-editor.org/search. --> The keywords for RFC 3709 and this RFC should be the same. > 2) <!-- [rfced] FYI - While we understand RFCs 3709 and 6170 were published with > the some of the text we are questioning below, the questions are aimed at > making the text as correct as possible. We have tried to indicate when > such text appeared in RFCs 3709 and 6170. Please review carefully. > --> Thanks for the heads up. No response needed. > 3) <!-- [rfced] May we update "rather" to "instead" and include a semicolon? Note > that this text appears in RFC 3709. > > Original: > Very few consumers > actually read all terms and conditions they agree to in accepting a > service, rather they commonly act on trust derived from previous > experience and recognition. > ... > If the client is unable to support a provided logotype, the > client MUST NOT report an error, rather the client MUST behave as > though no logotype extension was included in the certificate. > > Perhaps: > Very few consumers > actually read all terms and conditions they agree to in accepting a > service; instead, they commonly act on trust derived from previous > experience and recognition. > ... > If the client is unable to support a provided logotype, the > client MUST NOT report an error; instead, the client MUST behave as > though no logotype extension was included in the certificate. > --> I am fine with this change. > 4) <!-- [rfced] We updated this sentence as shown below (i.e., updated > "LogoTypeData" to "LogotypeData" to match usage in the rest of the > document, added "the" before "referenced LogoTypeData", and removed "the" > before "HTTP" and "HTTP with TLS). Please let us know any objections. > > Original: > Clients MUST > support retrieval of referenced LogoTypeData with the HTTP [RFC9110] > and the HTTP with TLS [RFC8446], or subsequent versions of these > protocols. > > Updated: > Clients MUST > support retrieval of the referenced LogotypeData with HTTP [RFC9110], > HTTP with TLS [RFC8446], or subsequent versions of these > protocols. > --> Thanks for catching this mistake. "LogotypeData" is correct. > 5) <!-- [rfced] We are having difficulty parsing this sentence, specifically "or > claims its issuer and community logotypes". Please review and let us know > how to update. Note that this sentence appeared in RFC 3709. > > Original: > The policies and practices > employed by the issuer to check subject organization logotypes or > claims its issuer and community logotypes is outside the scope of > this document. > > Perhaps: > The policies and practices > employed by the issuer that check subject organization logotypes or > claims about its issuer and community logotypes are outside the scope of > this document. > --> Thanks. Your wording is much more clear. > 6) <!--[rfced] We see "logotype" but not "logotype type" in Section 1.1. Please > review and let us know if updates are needed. > > In addition, please review the use of "logotype type" throughout the document > (this phrase was also used in RFC 3709). Is this correct, or can just > "logotype" be used? No. There are three standard logotype types: community, issuer organization, and subject organization, and there is a mechanism to define other logotype types. This is covered in Section 2. > > > Original: > "Logotype type" is > defined in Section 1.1, and it refers to the type of entity or > affiliation represented by the logotype, not the of binary format of > the image or audio. > --> I do not think that any changes are needed. > 7) <!-- [rfced] Please review "name resolution traffic associated fetching". How > may we update for clarity? > > Original: > In addition, the use of an encrypted DNS mechanism, such as DoT > [RFC7858] or DoH [RFC9230], hides the name resolution traffic > associated fetching remote logotype objects from third parties. > --> Suggestion: In addition, the use of an encrypted DNS mechanism, such as DoT [RFC7858] or DoH [RFC9230], hides the name resolution traffic, which is usually a first step in fetching remote logotype objects. > 8) <!-- [rfced] Questions about IANA Considerations > > a) IANA assigned "id-mod-logotype-2022" (107) in the "SMI Security for PKIX > Module Identifier" per the following: > > Original (IANA Considerations): > For the new ASN.1 Module in Appendix A.2, IANA is requested to assign > an object identifier (OID) for the module identifier. The OID for > the module should be allocated in the "SMI Security for PKIX Module > Identifier" registry (1.3.6.1.5.5.7.0). > > Link to registry: > https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#smi-numbers-1.3.6.1.5.5.7.0 > > However, the ASN.1 module in Appendix A.2 uses "id-mod-logotype", which is > already listed in the registry as value 22. We updated the module in Appendix > A.2 to use "id-mod-logotype-2022(107)". Please review carefully and let us > know if this is incorrect. > > Original (Appendix A.2): > <CODE BEGINS> > LogotypeCertExtn > { iso(1) identified-organization(3) dod(6) internet(1) > security(5) mechanisms(5) pkix(7) id-mod(0) > id-mod-logotype(TBD) } > > Updated: > <CODE BEGINS> > LogotypeCertExtn > { iso(1) identified-organization(3) dod(6) internet(1) > security(5) mechanisms(5) pkix(7) id-mod(0) > id-mod-logotype-2022(107) } Even better: <CODE BEGINS> LogotypeCertExtn-2022 { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-logotype-2022(107) } > b) FYI: We updated the <artwork> block in the IANA Considerations section to > be three separate tables. > --> This looks fine to me. > 9) <!--[rfced] [SVGT] has been updated by a new version (see > https://www.w3.org/TR/2008/REC-SVGTiny12-20081222/). Should this > reference be updated to point to the newest version? > > Note that text in the document references Sections 14.1.4 and 15.2 of [SVGT]; > these section references seem to be correct for the new version. > > Original: > [SVGT] World Wide Web Consortium, "Scalable Vector Graphics (SVG) > Tiny 1.2 Specification", W3C PR-SVGTiny12-20081117, 17 > November 2008, > <https://www.w3.org/TR/2008/PR-SVGTiny12-20081117>. > --> Using the newer version seems fine to me. I'll let my co-authors raise the alarm if they know otherwise. > 10) <!-- [rfced] XML formatting > > a) We have updated <artwork> to <sourcecode> in the appendices and in > Sections 4.1, 4.3, 4.4.1, 4.4.2, and 4.4.3 (we left <artwork> in > Section 7). Please let us know if the "type" attribute should be set for > these sourcecode elements. If the current list of preferred values for > "type" (https://www.rfc-editor.org/materials/sourcecode-types.txt) does > not contain an applicable type, then feel free to suggest a new one. > Also, it is acceptable to leave the "type" attribute not set. This seems fine to me. Section 4.1: the type is ASN.1 Section 4.3: the type is ABNF Section 4.4: the type is ASN.1 Section:4.4.2: the type is ASN.1 Section 4.4.3: the type is ASN.1 > b) Please review whether any of the notes in this document > should be in the <aside> element. It is defined as "a container for > content that is semantically less important or tangential to the > content that surrounds it" (https://authors.ietf.org/en/rfcxml-vocabulary#aside). I think that the NOTE text at the end of Section 4.3 and the NOTE after Table 1 could be marked as <aside>. > c) FYI - We used a bulleted list in the Acknowledgments section. We wanted to > avoid multiple Acknowledgements sections since the section is not > numbered. Note that this list format was also used in RFC 8504. > --> This seems fine to me. > 11) <!--[rfced] Terminology > > a) If no objections, we will update instances of "MIME type" and "MIME media > type" to "media type". The "Media Types" registry > (https://www.iana.org/assignments/media-types/) notes: > > [RFC2046] specifies that Media Types (formerly known as MIME types) and Media > Subtypes will be assigned and listed by the IANA. Yes, please use "media type" throughout the document. > b) Should "CA" be expanded as "certificate authority" or "certification > authority"? Please use "Certification Authority". This is the term used in RFC 5280. > c) We note inconsistencies in the terms below throughout the text. > Should these be uniform? If so, please let us know which form is > preferred. > > certificate issuer vs. Certificate Issuer > Note: This term is lowercase is RFC 3709 and capitalized in RFC 6170. Also note > that we will apply the decision here to "Certificate Context" and "Certificate > Subject" as these are used in similar contexts. Lower case is fine. > end entity certificate vs. end-entity certificate > Note: Both forms were used in RFC 3709. The open form is used in RFC 5280, > but the hyphenated form is more common in the RFC Series. Please align with RFC 5280; use "end entity". > Logotype certificate extension vs. logotype certificate extension vs. logotype extension Please use "logotype certificate extension" > d) For consistency, we used lowercase for the names of logotypes as most > instances in the document were lowercase: > > loyalty logotype > certificate image logotype > Note: We also used lowercase in context of "certificate image object identifier". > community logotype > issuer organization logotype > subject organization logotype > issuer logotype > subject logotype > > Also, are "issuer logotype" and "subject logotype" correct? Or should these be > updated to "issuer organization logotype" and "subject organization logotype", > respectively? This seems fine to me. > e) Should "issuer" here be updated to "issuer organization"? Or is the current > correct? > > Original: > Implementations that simultaneously display multiple logotype types > (subject organization, issuer, community, or other), MUST ensure that > there is no ambiguity as to the binding between the image and the > type of logotype that the image represents. > --> Yes. The three standard logotype types are: community, issuer organization, and subject organization. > 12) <!-- [rfced] Please review the "Inclusive Language" portion of the online > Style Guide > <https://www.rfc-editor.org/styleguide/part2/#inclusive_language> and let > us know if any changes are needed. > > For example, please consider whether "black" should be updated. > > In addition, please review the usage of pronouns indicating gender (e.g., > "his", "her", "she"), and let us know if you would like to use gender-neutral > text (e.g., "its", "their") instead. Below is the only instance we see in the > document. May we change "his" to "their"? > > Original: > This situation is comparable to a person selecting a suitable plastic > card from his wallet. > --> Suggestion: This situation is comparable to a person selecting a suitable plastic card from their wallet. Russ
- [auth48] AUTH48: RFC-to-be 9399 <draft-ietf-lamps… rfc-editor
- Re: [auth48] AUTH48: RFC-to-be 9399 <draft-ietf-l… rfc-editor
- Re: [auth48] AUTH48: RFC-to-be 9399 <draft-ietf-l… Russ Housley
- Re: [auth48] AUTH48: RFC-to-be 9399 <draft-ietf-l… Alanna Paloma
- Re: [auth48] AUTH48: RFC-to-be 9399 <draft-ietf-l… Russ Housley
- Re: [auth48] AUTH48: RFC-to-be 9399 <draft-ietf-l… Alanna Paloma
- Re: [auth48] AUTH48: RFC-to-be 9399 <draft-ietf-l… Russ Housley
- Re: [auth48] AUTH48: RFC-to-be 9399 <draft-ietf-l… Alanna Paloma
- Re: [auth48] AUTH48: RFC-to-be 9399 <draft-ietf-l… Stefan Santesson
- Re: [auth48] AUTH48: RFC-to-be 9399 <draft-ietf-l… Russ Housley
- Re: [auth48] AUTH48: RFC-to-be 9399 <draft-ietf-l… Leonard Rosenthol
- Re: [auth48] AUTH48: RFC-to-be 9399 <draft-ietf-l… Alanna Paloma
- Re: [auth48] AUTH48: RFC-to-be 9399 <draft-ietf-l… Carsten Bormann
- Re: [auth48] AUTH48: RFC-to-be 9399 <draft-ietf-l… Roman Danyliw
- Re: [auth48] AUTH48: RFC-to-be 9399 <draft-ietf-l… Alanna Paloma
- Re: [auth48] AUTH48: RFC-to-be 9399 <draft-ietf-l… Stefan Santesson
- Re: [auth48] AUTH48: RFC-to-be 9399 <draft-ietf-l… Carsten Bormann
- Re: [auth48] AUTH48: RFC-to-be 9399 <draft-ietf-l… Stefan Santesson
- Re: [auth48] AUTH48: RFC-to-be 9399 <draft-ietf-l… Russ Housley
- Re: [auth48] AUTH48: RFC-to-be 9399 <draft-ietf-l… Stefan Santesson
- Re: [auth48] AUTH48: RFC-to-be 9399 <draft-ietf-l… Stefan Santesson
- Re: [auth48] AUTH48: RFC-to-be 9399 <draft-ietf-l… Stefan Santesson
- Re: [auth48] AUTH48: RFC-to-be 9399 <draft-ietf-l… Carsten Bormann
- Re: [auth48] AUTH48: RFC-to-be 9399 <draft-ietf-l… Russ Housley
- Re: [auth48] AUTH48: RFC-to-be 9399 <draft-ietf-l… Russ Housley
- Re: [auth48] AUTH48: RFC-to-be 9399 <draft-ietf-l… Russ Housley
- Re: [auth48] AUTH48: RFC-to-be 9399 <draft-ietf-l… Carsten Bormann
- Re: [auth48] AUTH48: RFC-to-be 9399 <draft-ietf-l… Russ Housley
- Re: [auth48] AUTH48: RFC-to-be 9399 <draft-ietf-l… Russ Housley
- Re: [auth48] AUTH48: RFC-to-be 9399 <draft-ietf-l… Carsten Bormann
- Re: [auth48] AUTH48: RFC-to-be 9399 <draft-ietf-l… Stefan Santesson
- Re: [auth48] AUTH48: RFC-to-be 9399 <draft-ietf-l… Carsten Bormann
- Re: [auth48] AUTH48: RFC-to-be 9399 <draft-ietf-l… Russ Housley
- Re: [auth48] AUTH48: RFC-to-be 9399 <draft-ietf-l… Stefan Santesson
- Re: [auth48] AUTH48: RFC-to-be 9399 <draft-ietf-l… Russ Housley
- Re: [auth48] AUTH48: RFC-to-be 9399 <draft-ietf-l… Carsten Bormann
- Re: [auth48] AUTH48: RFC-to-be 9399 <draft-ietf-l… Russ Housley
- Re: [auth48] AUTH48: RFC-to-be 9399 <draft-ietf-l… Carsten Bormann
- Re: [auth48] AUTH48: RFC-to-be 9399 <draft-ietf-l… Russ Housley
- Re: [auth48] AUTH48: RFC-to-be 9399 <draft-ietf-l… Carsten Bormann
- Re: [auth48] AUTH48: RFC-to-be 9399 <draft-ietf-l… Russ Housley
- Re: [auth48] AUTH48: RFC-to-be 9399 <draft-ietf-l… Carsten Bormann
- [auth48] [AD] Re: AUTH48: RFC-to-be 9399 <draft-i… Alanna Paloma
- Re: [auth48] [AD] AUTH48: RFC-to-be 9399 <draft-i… Carsten Bormann
- Re: [auth48] [AD] AUTH48: RFC-to-be 9399 <draft-i… Russ Housley
- Re: [auth48] [AD] AUTH48: RFC-to-be 9399 <draft-i… Carsten Bormann
- Re: [auth48] [AD] AUTH48: RFC-to-be 9399 <draft-i… Stefan Santesson
- Re: [auth48] [AD] AUTH48: RFC-to-be 9399 <draft-i… Carsten Bormann
- Re: [auth48] [AD] AUTH48: RFC-to-be 9399 <draft-i… Stefan Santesson
- Re: [auth48] [AD] AUTH48: RFC-to-be 9399 <draft-i… Russ Housley
- Re: [auth48] [AD] AUTH48: RFC-to-be 9399 <draft-i… Alanna Paloma
- Re: [auth48] [AD] AUTH48: RFC-to-be 9399 <draft-i… Russ Housley
- Re: [auth48] [AD] AUTH48: RFC-to-be 9399 <draft-i… Russ Housley
- Re: [auth48] [AD] AUTH48: RFC-to-be 9399 <draft-i… Russ Housley
- Re: [auth48] [AD] AUTH48: RFC-to-be 9399 <draft-i… Alanna Paloma
- Re: [auth48] [AD] AUTH48: RFC-to-be 9399 <draft-i… Russ Housley
- Re: [auth48] [AD] AUTH48: RFC-to-be 9399 <draft-i… Alanna Paloma
- Re: [auth48] [AD] AUTH48: RFC-to-be 9399 <draft-i… Leonard Rosenthol
- Re: [auth48] [AD] AUTH48: RFC-to-be 9399 <draft-i… Stefan Santesson
- Re: [auth48] [AD] AUTH48: RFC-to-be 9399 <draft-i… Alanna Paloma
- Re: [auth48] [AD] AUTH48: RFC-to-be 9399 <draft-i… Roman Danyliw
- Re: [auth48] AUTH48: RFC-to-be 9399 <draft-ietf-l… Alanna Paloma