Re: [Gen-art] Gen-ART LC Review of draft-ietf-nsis-nslp-auth-06
Jukka Manner <jukka.manner@tkk.fi> Wed, 01 September 2010 12:18 UTC
Return-Path: <jukka.manner@tkk.fi>
X-Original-To: gen-art@core3.amsl.com
Delivered-To: gen-art@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A679C3A6C7D for <gen-art@core3.amsl.com>; Wed, 1 Sep 2010 05:18:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.699
X-Spam-Level:
X-Spam-Status: No, score=-101.699 tagged_above=-999 required=5 tests=[BAYES_50=0.001, MANGLED_LIST=2.3, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ULYtdY4t4LsS for <gen-art@core3.amsl.com>; Wed, 1 Sep 2010 05:18:28 -0700 (PDT)
Received: from smtp-3.hut.fi (smtp-3.hut.fi [130.233.228.93]) by core3.amsl.com (Postfix) with ESMTP id 148013A695D for <gen-art@ietf.org>; Wed, 1 Sep 2010 05:13:38 -0700 (PDT)
Received: from localhost (katosiko.hut.fi [130.233.228.115]) by smtp-3.hut.fi (8.13.6/8.12.10) with ESMTP id o81CE8AT031914; Wed, 1 Sep 2010 15:14:08 +0300
Received: from smtp-3.hut.fi ([130.233.228.93]) by localhost (katosiko.hut.fi [130.233.228.115]) (amavisd-new, port 10024) with LMTP id 23698-594; Wed, 1 Sep 2010 15:14:07 +0300 (EEST)
Received: from smtp.netlab.hut.fi (luuri.netlab.hut.fi [130.233.154.177]) by smtp-3.hut.fi (8.13.6/8.12.10) with ESMTP id o81CE1BT031851; Wed, 1 Sep 2010 15:14:01 +0300
Received: from localhost (localhost.localdomain [127.0.0.1]) by smtp.netlab.hut.fi (Postfix) with ESMTP id A42941E079; Wed, 1 Sep 2010 15:14:01 +0300 (EEST)
X-Virus-Scanned: by amavisd-new at luuri.netlab.hut.fi
Received: from smtp.netlab.hut.fi ([127.0.0.1]) by localhost (luuri.netlab.hut.fi [127.0.0.1]) (amavisd-new, port 10024) with LMTP id aSdZUoW4PF01; Wed, 1 Sep 2010 15:13:57 +0300 (EEST)
Received: from [130.233.154.25] (pc25.netlab.hut.fi [130.233.154.25]) by smtp.netlab.hut.fi (Postfix) with ESMTPSA id 8B00C1E120; Wed, 1 Sep 2010 15:13:57 +0300 (EEST)
Message-ID: <4C7E4385.1050107@tkk.fi>
Date: Wed, 01 Sep 2010 15:13:57 +0300
From: Jukka Manner <jukka.manner@tkk.fi>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.9pre) Gecko/20100818 Lanikai/3.1.3pre
MIME-Version: 1.0
To: Ben Campbell <ben@nostrum.com>
References: <21082_1283295381_ZZ0L8100F02H1WZO.00_18532_1283295379_4C7D8893_18532_74_1_74BBA174-C2A2-49F4-89F6-873146DD6655@nostrum.com>
In-Reply-To: <21082_1283295381_ZZ0L8100F02H1WZO.00_18532_1283295379_4C7D8893_18532_74_1_74BBA174-C2A2-49F4-89F6-873146DD6655@nostrum.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-TKK-Virus-Scanned: by amavisd-new-2.1.2-hutcc at katosiko.hut.fi
Cc: General Area Review Team <gen-art@ietf.org>, draft-ietf-nsis-nslp-auth.all@tools.ietf.org
Subject: Re: [Gen-art] Gen-ART LC Review of draft-ietf-nsis-nslp-auth-06
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Sep 2010 12:18:33 -0000
Hi, Thank you for the good review, this was very helpful. Roland Bless is our editor, I'll let him take charge of the edits and propose fixes as needed. regards, Jukka On 09/01/2010 01:55 AM, Ben Campbell wrote: > I am the assigned Gen-ART reviewer for this draft. For background on Gen-ART, please see the FAQ at<http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>. > > Please resolve these comments along with any other Last Call comments you may receive. > > Document: draft-ietf-nsis-nslp-auth-06.txt > Reviewer: Ben Campbell > Review Date: 2010-08-31 > IETF LC End Date: 2010-08-31 > IESG Telechat date: (if known) > > Summary: > > This draft is almost ready for publication as an experimental RFC. There are some minor issues that should be considered first, and a few editorial comments. > > -Major issues: None > > -Minor issues: > > -- section 3.2.7, 2nd paragraph: "The creator of this attribute lists every NSLP object..." > > Is there an order requirement? At least, the order in this list must match the order in the signature, right? > > -- section 4.1.1, 2nd paragraph: > > Is HMAC-MD5 still a reasonable choice for a single mandatory-to-implement algorithm these days? > > -- Section 6.4, 1st paragraph: > > This paragraph seems to conflate authentication with authorization. Integrity protection provides authentication, from which one can apply authorization policy. But it's not authorization policy in itself. > > -- Section 7, 3rd paragraph: > > This seems to conflict with 3.2.7 and 3.2.8, which only conditionally require AUTHENTICATION_DATA to be included. > > > -Nits/editorial comments: > > -- section 2, paragraph 2, 2nd sentence: > > s/chose/choose > > -- section 2, 5th paragraph, 1st sentence: "...operation of the authorization is to add one authorization policy object" > > Does this mean "... operation of the authorization layer..."? > > -- section 4.2, 2nd paragraph: "The ticket can be presented to the NSLP node via Kerberos by sending a KRB_CRED message to the NSLP node..." > > Who presents it? > > "...must be known in advance..." > > Who must know it? > > -- section 4.3.1.1, 1st paragraph: "...X509_V3_CERT, AUTHENTICATION_DATA MUST be generated following these steps" > > Who must generate it? > > -- section 4.3.1.1, 2nd paragraph: "...verification MUST be done following these steps:" > > Who must do the verification? > > -- section 4.3.1.1, 7th paragraph: " ... the public key of the authorizing entity can be extracted from the certificate." > > I assume this step is not intended to be optional, but the language "can be" implies that it is. > > -- section 4.3.1.2, 1st paragraph: "...AUTHENTICATION_DATA MUST be generated following these steps:" > > Who must generate it? > > -- section 4.3.1.2, first bullet in list of steps: > > That's not really a step. > > --... Third bullet > > Who signs it? > > -- ... First paragraph after first bullet list: "verification MUST be done" > > Who must do the verification? > > -- section 4.4, 1st paragraph after bullet list: The Key-ID in the AUTHENTICATION_DATA allows to refer" > > "allows" is a transitive verb in this context. I suggest "... allows [some actor] to refer", or "...allows the reference..." > > -- section 6.2.3, general: > > It's not clear to me if you mean for QNE/PDP to refer to one or the other, or the combination of the QNE and PDP. > > -- Jukka MJ Manner, Professor, PhD. Phone: +358+(0)9+451 2481 Aalto University Mobile: +358+(0)50+5112973 Department of Communications Fax: +358+(0)9+451 2474 and Networking (Comnet) Office: G320a (Otakaari 5A) P.O. Box 13000, FIN-00076 Aalto E-mail: jukka.manner@tkk.fi Finland WWW: www.comnet.tkk.fi
- [Gen-art] Gen-ART LC Review of draft-ietf-nsis-ns… Ben Campbell
- Re: [Gen-art] Gen-ART LC Review of draft-ietf-nsi… Lars Eggert
- Re: [Gen-art] Gen-ART LC Review of draft-ietf-nsi… Jukka Manner
- Re: [Gen-art] Gen-ART LC Review of draft-ietf-nsi… Lars Eggert
- Re: [Gen-art] Gen-ART LC Review of draft-ietf-nsi… Roland Bless
- Re: [Gen-art] Gen-ART LC Review of draft-ietf-nsi… Roland Bless
- Re: [Gen-art] Gen-ART LC Review of draft-ietf-nsi… Russ Housley
- Re: [Gen-art] Gen-ART LC Review of draft-ietf-nsi… Roland Bless
- Re: [Gen-art] Gen-ART LC Review of draft-ietf-nsi… Lars Eggert