Re: [Gen-art] [FORGED] Genart telechat review of draft-gutmann-scep-08
Peter Gutmann <pgut001@cs.auckland.ac.nz> Tue, 30 January 2018 10:14 UTC
Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B79112D84B; Tue, 30 Jan 2018 02:14:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auckland.ac.nz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MFtdIx2RUa-B; Tue, 30 Jan 2018 02:14:56 -0800 (PST)
Received: from mx4-int.auckland.ac.nz (mx4-int.auckland.ac.nz [130.216.125.246]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4487812D863; Tue, 30 Jan 2018 02:14:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1517307278; x=1548843278; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=MyxcJ04u6bpmYbUjuoqy3aPkx5HiByIlCKzFtD3K14s=; b=w5VPTKkQxXQmxXl/fbbLcW5FO9RsWqN21nYTHG9yzDWOOPExhPzP8puy H2O3tdw5hm8ygb+WM6zMv9gtCiAp83RTMKlTUYZ5slElQjlsNo4I7qIRc Dr/s7wIHUw6f4KOeDQzh9NZbc4g4ITNJyW9KYtP5hvuDDepLk9rLP4sBA 5yms32rE02KESggzfGzpSh41zDKXAcXQxvXlg5Gqcmotjw5mK1ZHsu7wJ TYGJaO6p8u7buLre2V/PhtRofVBE+Td6IsOkmEhSf4ya8Up8rCdtqAnOC /z3SYxWG4GNsSOpf0ZyU85zHR8Z5RDyjF91yGsWN8xq5NNTJYOhudmQ3f A==;
X-IronPort-AV: E=Sophos;i="5.46,434,1511780400"; d="scan'208";a="72949"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 10.6.2.3 - Outgoing - Outgoing
Received: from uxcn13-ogg-b.uoa.auckland.ac.nz ([10.6.2.3]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 30 Jan 2018 23:14:35 +1300
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz (10.6.2.5) by uxcn13-ogg-b.UoA.auckland.ac.nz (10.6.2.3) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Tue, 30 Jan 2018 23:14:35 +1300
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) by uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) with mapi id 15.00.1263.000; Tue, 30 Jan 2018 23:14:35 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Christer Holmberg <christer.holmberg@ericsson.com>, "gen-art@ietf.org" <gen-art@ietf.org>
CC: "draft-gutmann-scep.all@ietf.org" <draft-gutmann-scep.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
Thread-Topic: [FORGED] Genart telechat review of draft-gutmann-scep-08
Thread-Index: AQHTlgkC+l0bK/3mPku2wzljIJ6AiqOMOY3R
Date: Tue, 30 Jan 2018 10:14:34 +0000
Message-ID: <1517307294489.32269@cs.auckland.ac.nz>
References: <151690435171.8462.17376545317175159264@ietfa.amsl.com>
In-Reply-To: <151690435171.8462.17376545317175159264@ietfa.amsl.com>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/9MnGSjTxNPhu6_JJCpTbo5ytGzs>
Subject: Re: [Gen-art] [FORGED] Genart telechat review of draft-gutmann-scep-08
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jan 2018 10:14:59 -0000
>However, there are some issues (mostly editorial) that I would like the
>authors to address.
One comment on this, I didn't write the original text so I'll try and
accommodate as much as possible, but in some cases I've had to guess at what
the original authors intended. Also, the explanations for several of the
points raised in the questions is "it was like that when I got here". So in
the following, when I respond with another question, it's because I'm not sure
myself what should go in there, and I'm welcoming any suggestions...
Another general point, because this has spent close to twenty years in draft
status, it's been a de facto standard for most of that time so there are
"standards-compliant" implementations that have been in use for more than a
decade based on the draft. Because of this, I've had to be very careful to
avoid breaking things by introducing a MUST or MUST NOT after nearly two
decades of something not being a MUST. This is why, in some places, there's a
SHOULD with strong hints rather than a MUST.
The primary goal for this was to make it bits-on-the-wire compatible (apart
from the unavoidable single DES + MD5 -> AES + SHA-2), and to minimise
(ideally not to have any) breakage with deployed code. So there are places
where there are weasel-words ("we know you've been doing this for fifteen
years but you probably shouldn't any more"), and others where I've retained
text that I wouldn't have put in there if I'd been the one writting the doc.
>Q1:
>
>[Editing changes]
I've had a go at changing this, but no matter what I do just ends up as the
same wording shuffled around, I end up just moving bits from one location to
another (it's already gone through a number of re-wordings across different
drafts). If there's a specific goal that you're aiming for with the changes I
can try and hit that, but I just ended up saying more or less the same thing
with different phrasing.
>Q2:
>
>Doesn’t the "While implementers are encouraged to…" sentence belong to the
>Security Considerations?
It's not a security consideration, unless I'm missing something it only
discusses functionality and interoperability issues.
>Q3:
>
>The text says:
>
> "A CA MAY enforce any arbitrary policies and apply them to certificate
> requests, and MAY reject any request."
>
>The "MAY reject any request" parts sounds unfinished. I assume it’s refers to
>cases where the client don’t support such arbitrary policies? If so, I suggest
>to explicitly say so.
>
>Currently it sounds like a generic CA-may-reject-any-request statement, which
>I assume is not what you intend to say :)
That's exactly what it's meant to say: "You can ask for anything you want, but
the CA isn't obligated to comply with your request".
(Also: "It was like that when I got here").
>Q4:
>
>As the text talks about certificate distribution, is this really a subsection
>to section 2.1?
"It was like that when I got here". I can make it a non-subsection if it
reads better that way.
>Q5:
>
>The 4th paragraph contains a couple of SHOULDs. Is there a reason they can’t
>be MUST?
There are many ways to verify certs, those are just suggestions. For example
they may be hardcoded into the client (that's actually not uncommon in SCADA
use), in which case there's nothing to verify.
>Q6:
>
>The 5th paragraph talks about how early versions of the draft used GET
>messages for all communication.
>
>The text also says:
>
>“If the remote CA supports it, any of the CMS-encoded SCEP messages SHOULD be
>sent via HTTP POST instead of HTTP GET.”
>
>If the remove CA supports what? HTTP POST?
Yes, fixed.
>Why SHOULD, and not MUST?
See the note about introducing breakage.
>If the client understands to use POST if GET fails, why can’t it use POST to
>begin with?
It was meant to say (subtly) "if you're seeing these problems then perhaps
it's time you updated your code". I've changed the text to make this more
explicit:
The solution to this problem is to update the implementation to use HTTP
POST instead.
>In general, what is the reason for having this text about early versions of
>the draft? Backward compatibility with CAs that will only support GET?
Yes. Not just CAs but major implementations like Microsoft's NDES.
>Q7:
>
>The title of the section talks about state transitions, but then the text
>says that the section contains examples.
>
>Is there a reference to the state machine(s) that are represented in the
>examples? OR, does the section define the state machine(s)?
"It was like that when I got here". It's supposed to illustrate state
transitions, so it's both a diagram and an example of what's supposed to
happen. I'm reluctant to start rewriting that to any extent because, well,
would you want to start poking around in there?
>Q8:
>
>The text says “previous editors” and “earlier editors”. Please pick one and
>use it in both places :)
It's actually "earlier authors", and it was deliberate, to distinguish between
the people who wrote it (authors) and those who came later and merely edited
the original authors' work (editors).
Peter.
________________________________________
From: Christer Holmberg <christer.holmberg@ericsson.com>
Sent: Friday, 26 January 2018 07:19
To: gen-art@ietf.org
Cc: draft-gutmann-scep.all@ietf.org; ietf@ietf.org
Subject: [FORGED] Genart telechat review of draft-gutmann-scep-08
Reviewer: Christer Holmberg
Review result: Ready with Nits
I am the assigned Gen-ART reviewer for this draft. The General Area
Review Team (Gen-ART) reviews all IETF documents being processed
by the IESG for the IETF Chair. Please wait for direction from your
document shepherd or AD before posting a new version of the draft.
For more information, please see the FAQ at
<https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.
Document: draft-gutmann-scep-08
Reviewer: Christer Holmberg
Review Date: 2018-01-25
IETF LC End Date: None
IESG Telechat date: 2018-03-08
Summary: The document is well written, and almost ready for publication.
However, there are some issues (mostly editorial) that I would like the authors
to address.
Major issues: None
Minor issues: None
Nits/editorial comments:
Section 1:
----------
Q1:
The text says:
“While widely deployed, this protocol omits some certificate
management features, e.g. certificate revocation transactions, which
may enhance the security achieved in a PKI.”
I suggest to remove the “While widely deployed” part. I assume you refer to the
Cisco protocol that SCEP is based on. If so, I suggest that you move the
following sentence from the Abstract to the Introduction:
“SCEP is the evolution of the enrolment protocol sponsored by Cisco Systems,
which enjoys wide support in both client and server implementations, as well
as being relied upon by numerous other industry standards that work with
certificates.”
In the Abstract, I think it is enough to keep the following:
"SCEP is the evolution of the enrolment protocol sponsored by Cisco Systems."
Then, you can also remove the following from the Introduction:
"so that it enjoys widespread support and ready interoperability across a
range of platforms"
…or combine it with the sentence above.
Q2:
Doesn’t the "While implementers are encouraged to…" sentence belong to the
Security Considerations?
Section 2.1.2:
--------------
Q3:
The text says:
"A CA MAY enforce any arbitrary policies and apply them to certificate
requests, and MAY reject any request."
The "MAY reject any request" parts sounds unfinished. I assume it’s refers to
cases where the client don’t support such arbitrary policies? If so, I suggest
to explicitly say so.
Currently it sounds like a generic CA-may-reject-any-request statement, which I
assume is not what you intend to say :)
Section 2.1.3:
--------------
Q4:
As the text talks about certificate distribution, is this really a subsection
to section 2.1?
Q5:
The 4th paragraph contains a couple of SHOULDs. Is there a reason they can’t be
MUST?
Section 4.1:
------------
Q6:
The 5th paragraph talks about how early versions of the draft used GET messages
for all communication.
The text also says:
“If the remote CA supports it, any of the CMS-encoded SCEP messages SHOULD be
sent via HTTP POST instead of HTTP GET.”
If the remove CA supports what? HTTP POST?
Why SHOULD, and not MUST?
…and later:
"If a client or CA uses HTTP GET and encounters HTTP-related problems
such as messages being truncated, seeing errors such as HTTP 414
("Request URI too long"), or simply having the message not sent/
received at all, when standard requests to the server (for example
via a web browser) work, then this is a symptom of the problematic
use of HTTP GET. The solution to this problem is typically to move
to HTTP POST instead."
If the client understands to use POST if GET fails, why can’t it use POST to
begin with?
In general, what is the reason for having this text about early versions of the
draft? Backward compatibility with CAs that will only support GET?
Section 5:
----------
Q7:
The title of the section talks about state transitions, but then the text says
that the section contains examples.
Is there a reference to the state machine(s) that are represented in the
examples? OR, does the section define the state machine(s)?
If the main purpose of the section is to show example flows, I think the title
of the section should be "Examples".
Section 6:
----------
Q8:
The text says “previous editors” and “earlier editors”. Please pick one and use
it in both places :)
- [Gen-art] Genart telechat review of draft-gutmann… Christer Holmberg
- Re: [Gen-art] [FORGED] Genart telechat review of … Peter Gutmann
- Re: [Gen-art] Genart telechat review of draft-gut… Christer Holmberg
- Re: [Gen-art] Genart telechat review of draft-gut… Peter Gutmann
- Re: [Gen-art] Genart telechat review of draft-gut… Peter Gutmann
- Re: [Gen-art] Genart telechat review of draft-gut… Christer Holmberg