Re: [Gen-art] Gen-ART last call review of draft-ietf-mile-rfc6046-bis-05

Alexey Melnikov <alexey.melnikov@isode.com> Thu, 19 January 2012 12:07 UTC

Message-ID: <4F18078D.6090603@isode.com>
To: Brian Trammell <trammell@tik.ee.ethz.ch>
Cc: Kathleen Moriarty <kathleen.moriarty@emc.com>, gen-art@ietf.org, The IESG <iesg@ietf.org>

On 19/01/2012 09:45, Brian Trammell wrote:
> Hi Alexey,
Hi Brian,
> Thanks for helping me work through these... one more round on open issues, inline below:
>
> On Jan 18, 2012, at 6:43 PM, Alexey Melnikov wrote:
>
>> Hi Brian,
>>
>> On 18/01/2012 16:16, Brian Trammell wrote:
>>> On Jan 18, 2012, at 3:38 PM, Alexey Melnikov wrote:
>>>> On 17/01/2012 10:16, Brian Trammell wrote:
>>>>> On Jan 14, 2012, at 9:45 PM, Alexey Melnikov wrote:
>>>>>
>>>>>>    RID systems MUST use TLS version 1.1 [RFC4346] or higher with mutual
>>>>>>    authentication for transport confidentiality, identification, and
>>>>>>
>>>>>> Do you mean that a RID client must use X.509 certificates?
>>>>> Well, each RID system (HTTP client or server) is identified by an X.509 certificate (hence "mutual"); how can I make this clearer?
>>>>>
>>>>>>    authentication, as in [RFC2818].
>>>>>>
>>>>>> I find the whole sentence to be confusing. Note that the rules of RFC 6125 for certificate verification are stricter than in RFC 2818 and this sentence can be read as conflicting with the paragraph below which requires use of RFC 6125. What are you trying to say here?
>>>>> The intention here is "Use current best practices as would be supported by off-the-shelf HTTP/1.1 and TLS 1.1 implementations to provide mutual authentication." "Current best practices", however, seems to be something of a moving target.
>>>>>
>>>>> I cite 2818 as it is the current binding between HTTP/1.1 and TLS. I cite 6125 solely for certificate verification.
>>>> How about something like this:
>>>>
>>>> OLD:
>>>>   RID systems MUST use TLS version 1.1 [RFC4346] or higher with mutual
>>>>   authentication for transport confidentiality, identification, and
>>>>   authentication, as in [RFC2818].
>>>>
>>>> NEW:
>>>>   RID systems MUST use HTTP over TLS as specified in [RFC2818], with the exception
>>>>   of server TLS identity verification which is detailed below.
>>> Ah. Okay, now I understand the issue...
>> This is only one of them...
>>>>   RID systems MUST use TLS version 1.1 [RFC4346] or higher with mutual
>>>>   X.509 authentication. TLS provides for transport confidentiality,
>>>>   identification, and authentication.
>>> The language has changed in -07 to the following; would this be acceptable?
>>>
>>>     RID systems MUST use TLS version 1.1 [RFC4346] or higher with mutual
>>>     authentication for confidentiality, identification, and
>>>     authentication, as in [RFC2818],
>> Part of the issue with this text is that it reads as if "mutual authentication" results in "confidentiality, identification and authentication". TLS does, that is why I split the sentence into multiple. Also RFC 2818 is a wrong reference because it doesn't even mention confidentiality.
>> I am hoping this is not nitpicking, but I think using simpler sentences is clearer.
> Absolutely.
>
>>> when transporting RID messages over
>>>     HTTPS.
>> The rest looks good to me:
>>> RID systems MUST use mutual authentication; that is, both RID
>>>     systems acting as HTTPS clients and RID systems acting as HTTPS
>>>     servers MUST be identified by an X.509 certificate [RFC5280].  Mutual
>>>     authentication requires full path validation on each certificate, as
>>>     defined in [RFC5280].
> So, how about the following:
>
>     RID systems MUST use TLS version 1.1 [RFC4346] or higher for
>     confidentiality, identification, and authentication, as in
>     Section 2 of [RFC2818].
I am OK with your latest proposal, but if you want to make me super-happy ;-), I suggest you make "as in Section 2 ..." a separate sentence (e.g. "Use of HTTP over TLS is specified in Section 2..."), or at least insert the word "specified" after "as".
> RID systems MUST use mutual authentication;
>     that is, both RID systems acting as HTTPS clients and RID systems
>     acting as HTTPS servers MUST be identified by an X.509 certificate
>     [RFC5280].  Mutual authentication requires full path validation on
>     each certificate, as defined in [RFC5280].
>
> Many thanks, best regards,
Thanks for working with me on this.
>
> Brian
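The requirement the thread converges on (TLS with mutual X.509 authentication and full path validation on each certificate, as in RFC 5280) can be exercised end to end. The Go program below is an added example, not code from the draft or from either correspondent: it mints a throwaway CA plus a server and a client certificate, runs a loopback handshake in which the server demands a client certificate and the client verifies the server's chain and name, and shows that a client presenting no certificate is rejected. The names ca.example.net, rid.example.net and client.example.net are constructed, and the floor is set to TLS 1.2 because current Go no longer offers TLS 1.1 (the text says 1.1 "or higher").

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue mints a throwaway Ed25519 key and certificate for name (constructed for this
// example); with parent == nil the result is a self-signed CA certificate.
func issue(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (tls.Certificate, *x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: parent == nil, BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { parent, parentKey = tmpl, key } // self-signed: the CA signs itself
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert, key
}

// mutualHandshake runs one loopback TLS handshake: the server demands a client certificate with full
// path validation to ca, the client validates the server chain and its DNS name. It returns the
// server-side handshake error, which is nil only when both peers authenticated each other.
func mutualHandshake(ca *x509.Certificate, srvCert tls.Certificate, cliCerts []tls.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srvCfg := &tls.Config{MinVersion: tls.VersionTLS12, Certificates: []tls.Certificate{srvCert},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool} // "mutual authentication"
	cliCfg := &tls.Config{MinVersion: tls.VersionTLS12, RootCAs: pool, ServerName: "rid.example.net", Certificates: cliCerts}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil { return err }
	defer ln.Close()
	go func() { // client side: Dial performs the handshake; wait for the server to hang up, then close
		if c, err := tls.Dial("tcp", ln.Addr().String(), cliCfg); err == nil {
			c.Read(make([]byte, 1))
			c.Close()
		}
	}()
	conn, _ := ln.Accept() // Accept on a live listener only fails once it is closed
	defer conn.Close()
	return conn.(*tls.Conn).Handshake()
}
```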