Re: [Gen-art] Gen-ART LC Review of draft-ietf-nsis-nslp-auth-06
Lars Eggert <lars.eggert@nokia.com> Wed, 08 September 2010 07:46 UTC
Return-Path: <lars.eggert@nokia.com>
X-Original-To: gen-art@core3.amsl.com
Delivered-To: gen-art@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A23C43A6782 for <gen-art@core3.amsl.com>; Wed, 8 Sep 2010 00:46:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.433
X-Spam-Level:
X-Spam-Status: No, score=-101.433 tagged_above=-999 required=5 tests=[AWL=-2.993, BAYES_20=-0.74, MANGLED_LIST=2.3, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1TnrlEUN-gTg for <gen-art@core3.amsl.com>; Wed, 8 Sep 2010 00:46:21 -0700 (PDT)
Received: from mgw-sa02.nokia.com (mgw-sa02.nokia.com [147.243.1.48]) by core3.amsl.com (Postfix) with ESMTP id 00C503A6768 for <gen-art@ietf.org>; Wed, 8 Sep 2010 00:46:20 -0700 (PDT)
Received: from mail.fit.nokia.com (esdhcp030222.research.nokia.com [172.21.30.222]) by mgw-sa02.nokia.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id o887klGp025361 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 8 Sep 2010 10:46:47 +0300
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.96.2 at fit.nokia.com
Mime-Version: 1.0 (Apple Message framework v1081)
Content-Type: text/plain; charset="us-ascii"
From: Lars Eggert <lars.eggert@nokia.com>
In-Reply-To: <4C7E4385.1050107@tkk.fi>
Date: Wed, 08 Sep 2010 10:46:35 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <363D4DC2-CF6F-4E7B-AEAC-E7558B1AA9AA@nokia.com>
References: <21082_1283295381_ZZ0L8100F02H1WZO.00_18532_1283295379_4C7D8893_18532_74_1_74BBA174-C2A2-49F4-89F6-873146DD6655@nostrum.com> <4C7E4385.1050107@tkk.fi>
To: Jukka Manner <jukka.manner@tkk.fi>
X-Mailer: Apple Mail (2.1081)
X-Nokia-AV: Clean
Cc: Ben Campbell <ben@nostrum.com>, General Area Review Team <gen-art@ietf.org>, "draft-ietf-nsis-nslp-auth.all@tools.ietf.org" <draft-ietf-nsis-nslp-auth.all@tools.ietf.org>
Subject: Re: [Gen-art] Gen-ART LC Review of draft-ietf-nsis-nslp-auth-06
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Sep 2010 07:46:25 -0000
Hi, Roland, please respond. Otherwise this draft is unlikely to be approved on tomorrow's telechat. Thanks, Lars On 2010-9-1, at 15:13, Jukka Manner wrote: > Hi, > > Thank you for the good review, this was very helpful. > > Roland Bless is our editor, I'll let him take charge of the edits and > propose fixes as needed. > > regards, > Jukka > > On 09/01/2010 01:55 AM, Ben Campbell wrote: >> I am the assigned Gen-ART reviewer for this draft. For background on Gen-ART, please see the FAQ at<http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>. >> >> Please resolve these comments along with any other Last Call comments you may receive. >> >> Document: draft-ietf-nsis-nslp-auth-06.txt >> Reviewer: Ben Campbell >> Review Date: 2010-08-31 >> IETF LC End Date: 2010-08-31 >> IESG Telechat date: (if known) >> >> Summary: >> >> This draft is almost ready for publication as an experimental RFC. There are some minor issues that should be considered first, and a few editorial comments. >> >> -Major issues: None >> >> -Minor issues: >> >> -- section 3.2.7, 2nd paragraph: "The creator of this attribute lists every NSLP object..." >> >> Is there an order requirement? At least, the order in this list must match the order in the signature, right? >> >> -- section 4.1.1, 2nd paragraph: >> >> Is HMAC-MD5 still a reasonable choice for a single mandatory-to-implement algorithm these days? >> >> -- Section 6.4, 1st paragraph: >> >> This paragraph seems to conflate authentication with authorization. Integrity protection provides authentication, from which one can apply authorization policy. But it's not authorization policy in itself. >> >> -- Section 7, 3rd paragraph: >> >> This seems to conflict with 3.2.7 and 3.2.8, which only conditionally require AUTHENTICATION_DATA to be included. >> >> >> -Nits/editorial comments: >> >> -- section 2, paragraph 2, 2nd sentence: >> >> s/chose/choose >> >> -- section 2, 5th paragraph, 1st sentence: "...operation of the authorization is to add one authorization policy object" >> >> Does this mean "... operation of the authorization layer..."? >> >> -- section 4.2, 2nd paragraph: "The ticket can be presented to the NSLP node via Kerberos by sending a KRB_CRED message to the NSLP node..." >> >> Who presents it? >> >> "...must be known in advance..." >> >> Who must know it? >> >> -- section 4.3.1.1, 1st paragraph: "...X509_V3_CERT, AUTHENTICATION_DATA MUST be generated following these steps" >> >> Who must generate it? >> >> -- section 4.3.1.1, 2nd paragraph: "...verification MUST be done following these steps:" >> >> Who must do the verification? >> >> -- section 4.3.1.1, 7th paragraph: " ... the public key of the authorizing entity can be extracted from the certificate." >> >> I assume this step is not intended to be optional, but the language "can be" implies that it is. >> >> -- section 4.3.1.2, 1st paragraph: "...AUTHENTICATION_DATA MUST be generated following these steps:" >> >> Who must generate it? >> >> -- section 4.3.1.2, first bullet in list of steps: >> >> That's not really a step. >> >> --... Third bullet >> >> Who signs it? >> >> -- ... First paragraph after first bullet list: "verification MUST be done" >> >> Who must do the verification? >> >> -- section 4.4, 1st paragraph after bullet list: The Key-ID in the AUTHENTICATION_DATA allows to refer" >> >> "allows" is a transitive verb in this context. I suggest "... allows [some actor] to refer", or "...allows the reference..." >> >> -- section 6.2.3, general: >> >> It's not clear to me if you mean for QNE/PDP to refer to one or the other, or the combination of the QNE and PDP. >> >> > > -- > Jukka MJ Manner, Professor, PhD. Phone: +358+(0)9+451 2481 > Aalto University Mobile: +358+(0)50+5112973 > Department of Communications Fax: +358+(0)9+451 2474 > and Networking (Comnet) Office: G320a (Otakaari 5A) > P.O. Box 13000, FIN-00076 Aalto E-mail: jukka.manner@tkk.fi > Finland WWW: www.comnet.tkk.fi
- [Gen-art] Gen-ART LC Review of draft-ietf-nsis-ns… Ben Campbell
- Re: [Gen-art] Gen-ART LC Review of draft-ietf-nsi… Lars Eggert
- Re: [Gen-art] Gen-ART LC Review of draft-ietf-nsi… Jukka Manner
- Re: [Gen-art] Gen-ART LC Review of draft-ietf-nsi… Lars Eggert
- Re: [Gen-art] Gen-ART LC Review of draft-ietf-nsi… Roland Bless
- Re: [Gen-art] Gen-ART LC Review of draft-ietf-nsi… Roland Bless
- Re: [Gen-art] Gen-ART LC Review of draft-ietf-nsi… Russ Housley
- Re: [Gen-art] Gen-ART LC Review of draft-ietf-nsi… Roland Bless
- Re: [Gen-art] Gen-ART LC Review of draft-ietf-nsi… Lars Eggert