Re: [Gen-art] Genart telechat review of draft-ietf-anima-bootstrapping-keyinfra-28

tom petch <daedulus@btconnect.com> Tue, 15 October 2019 09:41 UTC

Return-Path: <daedulus@btconnect.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B16C6120071; Tue, 15 Oct 2019 02:41:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.246
X-Spam-Level:
X-Spam-Status: No, score=0.246 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RATWARE_MS_HASH=2.148, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=btconnect.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K9o6LdhP1NjI; Tue, 15 Oct 2019 02:41:00 -0700 (PDT)
Received: from EUR01-DB5-obe.outbound.protection.outlook.com (mail-eopbgr150091.outbound.protection.outlook.com [40.107.15.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E02331200B2; Tue, 15 Oct 2019 02:40:59 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=gQ3Wi98I0H0QAUBQrbtua5rwvxTKFYbJ/Z46dkZNWgG/GL94S7LmTxTZ3leT0iRlVWM97PGnmTAI4codpHrdCpHMyZ2AvWYga5XvK8snUldDlo2/MOWhWqxKW+k4E0/AwmmJfqgZnwN2ZXj//akQgsnh3a4rEHfdp6A9ANfHzN04tnsWkQ4vMz2C1m4i2J4AnU3782NXuDdJ/yo8rCIfgMBnOCv5VTn2GqcpY8TKLA0WkGkOnp46rHFDM/97K+tWRnpj1f536YYVQSbeV06X3krT2/BVgNWjxD3l3p83nCD/5lOFIj6rKa4TRsGxW8EczegSKdBc4UX5q3U8TR/noA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=JeUpI9FaKLDp6Bgl/JMfX7/nD3yoGLnCmGcv9NT5bIY=; b=WQIRifURnR7HDyxuSbg7yFYukLOlLye6ucb9rTAQSVa1JLdTK6W3kg+Iqb9WjAxBLHa+pENM7dUXKkxR4M6gc3V09NU1KiFpKcf0TiSE1r/URpwiRNE//kfauHyZSlD3KMq63lLLs5qAwFPiZ01CB5da7p9KTQ/aH2E8cwsNngdMU3QLiNPVEyLy7peUEZG3WNEZ0YWQljyCwPadpPamm1vqw91sawnuYkFXxglyQzjuvrR9IOpNWjfr4YEvUE1zYxzXEbFC+twqJ/MrcRaXw2HUBncyZhZsQVyz2I73BTe6l0H43/RJwInC+qpLrBqC2AwD0KXUQV/LZUgxh8FHKg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=btconnect.com; dmarc=pass action=none header.from=btconnect.com; dkim=pass header.d=btconnect.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btconnect.onmicrosoft.com; s=selector2-btconnect-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=JeUpI9FaKLDp6Bgl/JMfX7/nD3yoGLnCmGcv9NT5bIY=; b=UJhx1WPC3zs3ZTWBZlbDcdoNH1KGXxE/qWXxMne33vo55+wI7uuJcYjHOyAmi/bSOS52XoJ81hXO+ouryfhDpmx1JWWoXx9xM9Pd86FwA4nkzA5xbVKaNinST281uBQ+Tf0Sx3XdSyFhDQm3NsomHwpxin8ftdrdf4aX8uyHO98=
Received: from AM0PR07MB5716.eurprd07.prod.outlook.com (20.178.115.216) by AM0PR07MB4756.eurprd07.prod.outlook.com (52.135.148.25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2347.11; Tue, 15 Oct 2019 09:40:57 +0000
Received: from AM0PR07MB5716.eurprd07.prod.outlook.com ([fe80::fc43:ed41:fb5:b5e3]) by AM0PR07MB5716.eurprd07.prod.outlook.com ([fe80::fc43:ed41:fb5:b5e3%3]) with mapi id 15.20.2347.021; Tue, 15 Oct 2019 09:40:57 +0000
From: tom petch <daedulus@btconnect.com>
To: Dan Romascanu <dromasca@gmail.com>, "gen-art@ietf.org" <gen-art@ietf.org>
CC: "draft-ietf-anima-bootstrapping-keyinfra.all@ietf.org" <draft-ietf-anima-bootstrapping-keyinfra.all@ietf.org>, "dromasca@gmail.com" <dromasca@gmail.com>, "ietf@ietf.org" <ietf@ietf.org>, "anima@ietf.org" <anima@ietf.org>
Thread-Topic: Genart telechat review of draft-ietf-anima-bootstrapping-keyinfra-28
Thread-Index: AQHVgzylZL/55Dso/kSfI5QixLQChA==
Date: Tue, 15 Oct 2019 09:40:57 +0000
Message-ID: <00f001d5833c$52aacf60$4001a8c0@gateway.2wire.net>
References: <157095596011.20750.2703747454081790983@ietfa.amsl.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-clientproxiedby: LNXP265CA0001.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:5e::13) To AM0PR07MB5716.eurprd07.prod.outlook.com (2603:10a6:208:11e::24)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=daedulus@btconnect.com;
x-ms-exchange-messagesentrepresentingtype: 1
x-mailer: Microsoft Outlook Express 6.00.2800.1106
x-originating-ip: [86.139.211.103]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 9cc88cb8-1f43-45e1-4d8b-08d75153c7f0
x-ms-traffictypediagnostic: AM0PR07MB4756:
x-ms-exchange-purlcount: 1
x-microsoft-antispam-prvs: <AM0PR07MB4756C9CB30D3221AB455E0ECC6930@AM0PR07MB4756.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:3276;
x-forefront-prvs: 01917B1794
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(396003)(366004)(136003)(39860400002)(346002)(376002)(199004)(189003)(13464003)(54906003)(1556002)(4720700003)(4326008)(50226002)(99286004)(486006)(44716002)(476003)(8936002)(62236002)(9686003)(6512007)(110136005)(5660300002)(2501003)(66066001)(6306002)(14454004)(3846002)(6116002)(478600001)(316002)(6246003)(71200400001)(71190400001)(6436002)(14444005)(305945005)(4001150100001)(86362001)(25786009)(256004)(6486002)(7736002)(14496001)(81686011)(386003)(6506007)(81816011)(76176011)(26005)(229853002)(102836004)(66946007)(81156014)(52116002)(66476007)(66556008)(64756008)(186003)(8676002)(44736005)(66446008)(61296003)(81166006)(446003)(2906002)(74416001)(7726001); DIR:OUT; SFP:1102; SCL:1; SRVR:AM0PR07MB4756; H:AM0PR07MB5716.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:0; MX:1;
received-spf: None (protection.outlook.com: btconnect.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: doekoj6NY50F8tg0BtrS6mf1z1SAc0BMubj/R1/GyNR/BD/VmjMgK01EEpduPlL4oJH4Vs/d++8+xRYZEvyIvZ7IXQNbcXg9Gw5oXh78BXy+rUfEb1AK5sZSkcQ8Swe4Cf41AoJ29CpVVDWkSXFTiTr7aSbHft61me55LeOiBQk7LH4Uvj6AH/I3J/hSSRuOoekS5VyEXTs0+XnFRslomwOOwmKhMeJQhp+UMVucQYRgmEHXNhADg7hAFrH6k5RFxDhIFAWVxQw2v8G20NOkyDHijcrNDAegOL4MEbBuD7JvGygxkLQaUenamVMzz+Fr4kNNoRPxt3oSYbPmZQM97BWu3kxbZh8MpkJXi7554xCyZXSii0uHa4MZjUdhOU/GXPX6Mok3P36fy06oPxVtNDjiWCKh8rigI+/xh8jGdHE4KK0f1afrWCz84nveHcuukd4434slq1LLS7aMZjwPNQ==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <B8ECC504B9839D4BA0FAF15A04B55ECD@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: btconnect.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 9cc88cb8-1f43-45e1-4d8b-08d75153c7f0
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Oct 2019 09:40:57.6163 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cf8853ed-96e5-465b-9185-806bfe185e30
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 8p2WnHD9AbZcFs/aXS6gcmp9Yha201OPWfDDdINYmhgAwkjxJlGSQSiKIo7NQ/liTXGzMvO86Ut6xn3BhgdgFg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR07MB4756
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/CtF7PQD5FU_j1Qu9oU6uzrKssxE>
Subject: Re: [Gen-art] Genart telechat review of draft-ietf-anima-bootstrapping-keyinfra-28
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Oct 2019 09:41:02 -0000

Dan

I had a quick look at the YANG and it does indeed need some work IMHO.
I have posted a separate e-mail listing what I saw.

Tom Petch


----- Original Message -----
From: "Dan Romascanu via Datatracker" <noreply@ietf.org>;
Sent: Sunday, October 13, 2019 9:39 AM

> Reviewer: Dan Romascanu
> Review result: Ready with Issues
>
> I am the assigned Gen-ART reviewer for this draft. The General Area
> Review Team (Gen-ART) reviews all IETF documents being processed
> by the IESG for the IETF Chair. Please wait for direction from your
> document shepherd or AD before posting a new version of the draft.
>
> For more information, please see the FAQ at
>
> <https://trac.ietf.org/trac/gen/wiki/GenArtfaq>;.
>
> Document: draft-ietf-anima-bootstrapping-keyinfra-??
> Reviewer: Dan Romascanu
> Review Date: 2019-10-13
> IETF LC End Date: None
> IESG Telechat date: 2019-10-17
>
> Summary: Ready with Issues
>
> This document specifies automated bootstrapping of an Autonomic
Control Plane
> by creating a Remote Secure Key Infrastructure (acronym BRSKI) using
> manufacturer installed X.509 certificates, in combination with a
manufacturer's
> authorizing service, both online and offline.
>
> Christian Huitema and Jari Arkko have performed early reviews of
previous
> versions of the document for SecDir and Gen-ART. As far as I can tell,
most if
> not all of their major concerns concerning applicability and security
have been
> addressed in the latest versions. A few more minor issues described
below would
> better be clarified before approval.
>
> I also observe that the document has consistent Operational
implications but
> there is no OPS-DIR review so far, as well as a YANG module and
several other
> references to YANG, but there is no YANG Doctors review. I hope that
these will
> be available prior to the IESG review.
>
> Major issues:
>
> Minor issues:
>
> 1. The Pledge definition in section 1.2:
>
> > Pledge:  The prospective device, which has an identity installed at
>       the factory.
>
> while in the Introduction:
>
> > ... new (unconfigured) devices that are called pledges in this
>    document.
>
> These two definitions seem different. The definition in 1.2 does not
include
> the fact that the device is 'new (unconfigured'. Also, arguably
'identity
> installed at the factory' may be considered a form of configuration.
>
> 2. The document lacks an Operational Considerations section, which I
believe is
> needed, taking into consideration the length and complexity of the
document.
> There are many operational issues spread across the document
concerning the
> type and resources of devices, speed of the bootstrapping process,
migration
> pass, impact on network operation. I suggest to consider adding such a
section
> pointing to the place where these issues are discussed and adding the
necessary
> information if missing. Appendix A.1 in RFC 5706 can be used as a
checklist of
> the issues to be discussed in such a section.
>
> 3. Section 5.4:
>
> > Use of TLS 1.3 (or newer) is encouraged.  TLS 1.2 or newer is
>    REQUIRED.
>
> What is the reason for using 'encouraged'? Why not RECOMMENDED?
>
> Nits/editorial comments:
>
> 1. The Abstract includes:
>
> 'To do this a Remote Secure Key Infrastructure (BRSKI) is created'
>
> Later in the document BRSKI is idefined as a protocol. It would be
good to
> clarify if BRSKI = BRSKI protocol
>
> 2. In Section 1 - Introduction, 3rd paragraph:
>
> s/it's default modes/its default modes/
> s/it's strongest modes/its strongest modes/
>
> 3. Please expand non-obvious acronyms at first occurrence: EST
protocol, LLNs,
> REST interface, LDAP, GRASP, CDDL, CSR
>
> 4. I would suggest alphabetic order listing of the terms in section
1.2
>
> 5. Section 1.3.1 - a reference for LDevID would be useful
>
> 6. Section 7:
>
> s/Use of the suggested mechanism/Use of the suggested mechanisms/
>
>