[Gen-art] Re: Resolving the DISCUSS on draft-ietf-msec-policy-token-sec-05.txt (Summary)
Lakshminath Dondeti <ldondeti@qualcomm.com> Mon, 23 January 2006 21:59 UTC
Received: from localhost.cnri.reston.va.us ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1F19jD-0008P0-JP; Mon, 23 Jan 2006 16:59:59 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1F19jB-0008NT-HW for gen-art@megatron.ietf.org; Mon, 23 Jan 2006 16:59:57 -0500
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA25248 for <gen-art@ietf.org>; Mon, 23 Jan 2006 16:58:28 -0500 (EST)
Received: from numenor.qualcomm.com ([129.46.51.58]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1F19sa-0007h0-LZ for gen-art@ietf.org; Mon, 23 Jan 2006 17:09:42 -0500
Received: from sabrina.qualcomm.com (sabrina.qualcomm.com [129.46.61.150]) by numenor.qualcomm.com (8.12.10/8.12.5/1.0) with ESMTP id k0NLxe8r018384 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Mon, 23 Jan 2006 13:59:40 -0800
Received: from LDONDETI.qualcomm.com (qconnect-10-50-68-214.qualcomm.com [10.50.68.214]) by sabrina.qualcomm.com (8.12.10/8.12.5/1.0) with ESMTP id k0NLxcgv002060 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 23 Jan 2006 13:59:38 -0800 (PST)
Message-Id: <6.2.5.6.2.20060123135433.03b885d0@qualcomm.com>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.5.6
Date: Mon, 23 Jan 2006 13:59:37 -0800
To: Brian E Carpenter <brc@zurich.ibm.com>, Scott W Brim <sbrim@cisco.com>, gen-art@ietf.org
From: Lakshminath Dondeti <ldondeti@qualcomm.com>
In-Reply-To: <6.2.5.6.2.20060123130749.038b9f98@qualcomm.com>
References: <6.2.5.6.2.20060119135416.03d59288@qualcomm.com> <BFF579C3.DC2%Andrea.Colegrove@sparta.com> <6.2.5.6.2.20060123130749.038b9f98@qualcomm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 825e642946eda55cd9bc654a36dab8c2
Cc: Hugh Harney <hh@sparta.com>, Andrea Colegrove <Andrea.Colegrove@sparta.com>, canetti <canetti@watson.ibm.com>, Russ Housley <housley@vigilsec.com>, uri.meth@sparta.com
Subject: [Gen-art] Re: Resolving the DISCUSS on draft-ietf-msec-policy-token-sec-05.txt (Summary)
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
Sender: gen-art-bounces@ietf.org
Errors-To: gen-art-bounces@ietf.org
Hi Brian and Scott,
Please review the following notes to see if they address your
concerns on the MSEC Policy Token draft. Thanks to Russ for helping
Andrea and Uri craft some of the responses.
Please look for <Res></Res> below (there is one <LD></LD> below,
please ignore that for now; it is related to an IANA concern).
thanks and regards,
Lakshminath
At 01:31 PM 1/23/2006, Lakshminath Dondeti wrote:
>1) Misuse of ASN.1. The document cites the 1997 ASN.1, but has a
>number of choices and structures that seem like they are intended to
>be extended in the future. Without extensibility markers, a
>conforming implementation will reject a sequence or choice with
>elements not permitted by the abstract syntax.
>
><Res>
>The EXPORTS statement is to be removed so that any structure def can be
>exported.
>
></Res>
>
>
>2) There is no extensibility or versioning strategy described in the
>document. How do we add fields? What should recipients of a token do
>if they do not understand part of it?
>
><Res>
>A Policy Token version indicator is to be added to the TokenID.
>
></Res>
>
><Res>
>Russ provided the following example that we might use:
> TBSCertificate ::= SEQUENCE {
> version [0] Version DEFAULT v1,
> ....
>
> Version ::= INTEGER { v1(0), v2(1), v3(2) }
>
>
></Res>
>
><Res>
>"Implementations encountering unknown protocol identifiers MUST handle
>this gracefully by providing indicators that an unknown protocol is among
>the sequence of permissible protocols. If the unknown protocol is the only
>allowable protocol in the sequence, then the implementation cannot support
>that field and the member cannot join the group.
>It is a matter of local policy whether a join is permitted when
>an unknown protocol exists among other allowable, known protocols."
>
></Res>
>The above will be added to provide
>handling instructions when encountering unknown protocols.
>
>
><Res>
>Under the main token structure it will say that additional protocols
>SHOULD NOT be added unless the MSEC architecture changes.
>
></Res>
>
>3) It's not clear that the GSAKMP document combined with this document
>provides enough mandatory to implement features that any two
>implementations of this specification will work together. The GSAKMP
>document specifies mandatory to implement mechanisms for GSAKMP.
>However the policy token allows for a wide variety of combinations of
>protocols. For example, a policy token could specify one protocol for
>registration, one protocol for rekey, and a completely different
>protocol for de-registration. If only one of these is GSAKMP, what
>happens? Where is it specified what combinations a GM, a GC/KS etc
>must support in terms of policy token contents?
>
>
><Res>I understand the issue, but the token's purpose is to tie the
>abstract MSEC
>architecture to a configurable system. The MSEC architecture allows for any
>of these protocols for registration, de-registration, etc. and does not
>specify what the mandatory to implement protocols are. To say that the
>appendix B and appendix C protocols are the mandatory-to-implement protocols
>would mean that the MSEC architecture now requires those protocols. This is
>one case where I believe a mandatory to implement scheme would be a
>disservice to the community.
>
>Interoperability testing for the token, really becomes system
>interoperability testing vs. protocol interoperability testing.
></Res>
>
>
>4) IANA Comments:
>The IANA Considerations section requests that 13 object identifiers
>be assigned.
>In which registry should these be assigned? IANA needs clarification.
>
>
><Res>
>Statement to IANA section will essentially say that the spec is extended
>through specification. Those specifying new objects will register them with
>IANA. Those that change the structure of the PT must change the version
>indicator.
>
></Res>
>
><LD>
>The resolution does not address the question on "which registry"
>should be used. I think this requires a new registry, right?
></LD>
_______________________________________________
Gen-art mailing list
Gen-art@ietf.org
https://www1.ietf.org/mailman/listinfo/gen-art
- [Gen-art] Re: Resolving the DISCUSS on draft-ietf… Lakshminath Dondeti
- Re: [Gen-art] Re: Resolving the DISCUSS on draft-… Lakshminath Dondeti