Re: [Gen-art] [Emu] Genart last call review of draft-ietf-emu-eaptlscert-05

Mohit Sethi M <mohit.m.sethi@ericsson.com> Wed, 28 October 2020 10:46 UTC

From: Mohit Sethi M <mohit.m.sethi@ericsson.com>
To: Elwyn Davies <elwynd@dial.pipex.com>, "gen-art@ietf.org" <gen-art@ietf.org>
CC: "last-call@ietf.org" <last-call@ietf.org>, "draft-ietf-emu-eaptlscert.all@ietf.org" <draft-ietf-emu-eaptlscert.all@ietf.org>, "emu@ietf.org" <emu@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/PBz1jhudVGqMeAqnykkatzbzfMM>

Hi Elwyn,

Thank you for the careful review. We have updated the draft based on 
your feedback. Here is the diff for your convenience: 
https://www.ietf.org/rfcdiff?url2=draft-ietf-emu-eaptlscert-06

See our responses in-line.

--Mohit

On 10/24/20 1:44 PM, Elwyn Davies via Datatracker wrote:
> Reviewer: Elwyn Davies
> Review result: Ready with Nits
>
> I am the assigned Gen-ART reviewer for this draft. The General Area
> Review Team (Gen-ART) reviews all IETF documents being processed
> by the IESG for the IETF Chair.  Please treat these comments just
> like any other last call comments.
>
> For more information, please see the FAQ at
>
> <https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.
>
> Document: draft-ietf-emu-eaptlscert-05
> Reviewer: Elwyn Davies
> Review Date: 2020-10-24
> IETF LC End Date: 2020-10-28
> IESG Telechat date: Not scheduled for a telechat
>
> Summary:  Ready with nits.  There are quite a number of references to
> associated work that is still in progress as drafts.  Whilst this is unlikely
> to compromise the content of this work, it will potentially delay its
> publication.  In particular I have suggested rewriting s4.2.7 to omit more
> speculative references to incomplete work in favour of a general recommendation
> to make use of relevant new proposals as they become available.
Most of the normative references are to already published RFCs. There is 
only one normative reference to a draft which will also hopefully move 
forward soon. You are right that there are many informational references 
to work in progress. But this is what the working group participants 
wanted. For example, Hannes suggested to add references to new TLS 
certificate types and certificate compression with CBOR: 
https://mailarchive.ietf.org/arch/msg/emu/cIVEGF6eLCvrdCqkA5Zzjxor9vs/. 
I think it can be valuable for a reader to have concrete examples of 
work in progress.
>
> Major Issues:
> None
>
> Minor Issues:
> None
>
> Nits and Editorial Issues:
>
> General:  RFC 2119 key words:  In the document there are two MUSTs and a SHOULD
> NOT, none of which are appropriate usages in my opinion (see notes below), aside
> from the intended informational status.  The RFC 2119 etc. boilerplate in s2
> could be omitted.
Now there is only one SHOULD NOT. I'll let the IESG deliberate if they 
want us to change to "should not" instead. But I think it is an 
important operational guideline and as Alan DeKok noted, administrators 
should really ensure that certificate chains don't contain more than 2-4 
intermediate certificates.
>
> Abstract:  Need to expand EAP-TLS and EAP on first occurrence.
Done.
>
> s1, end of para 2:  Suggest s/involves significantly more octets/involves
> exchange of significantly more octets/
Done.
>
> s2, definition of EAP server:  Where would a reader find a definition of
> "backend authentication"?  Uncle Google was singularly unhelpful.
The text does say "Readers are expected to be familiar with the terms 
and concepts used in EAP [RFC3748]". The term backend authentication 
server is defined there: 
https://tools.ietf.org/html/rfc3748#section-1.2. In this document, we 
only define the terms that are used frequently. And backend 
authentication server wasn't one of them.
>
> s3, last para:  clarify the meaning of kB:  suggest s/~ 60kB/approximately 60
> kbytes/ (I assume).
Done.
>
> s4:  The usage of the form " we look/discuss/etc." typically  used in academic
> papers is not appropriate for standards documents.  Section 4 needs to be
> redrafted to eliminate this usage.  The following may be appropriate:
>
> OLD:
> This section discusses some possible alternatives for overcoming the challenge
> of large certificates and long certificate chains in EAP- TLS authentication.
> In Section 4.1 we look at recommendations that require an update of the
> certificates or certificate chains that are used for EAP-TLS authentication
> without requiring changes to the existing EAP-TLS code base. We also provide
> some guidelines when issuing certificates for use with EAP-TLS. In Section 4.2
> we look at recommendations that rely on updates to the EAP-TLS implementations
> which can be deployed with existing certificates. In Section 4.3 we shortly
> discuss the solution to update or reconfigure authenticator which can be
> deployed without changes to existing certificates or EAP-TLS code.
>
> NEW:
> This section discusses some possible alternatives for overcoming the challenge
> of large certificates and long certificate chains in EAP- TLS authentication.
> Section 4.1 considers recommendations that require an update of the
> certificates or certificate chains that are used for EAP-TLS authentication
> without requiring changes to the existing EAP-TLS code base. The section also
> provides some guidelines that should be followed when issuing certificates for
> use with EAP-TLS. Section 4.2 considers recommendations that rely on updates to
> the EAP-TLS implementations which can be deployed with existing certificates.
> Finally Section 4.3 briefly discusses what could be done to update or
> reconfigure authenticators where it is infeasible to replace deployed
> components, giving a solution that can be deployed without changes to existing
> certificates or EAP-TLS code. ENDS
Thank you. I have used your text with slight modifications.
>
> s4.1.1, para 1: s/is as follows/are as follows/
Done.
>
> s4.1.1, para 2 (1st bullet): s/Object Identifiers (OIDs) is ASN.1/The Object
> Identifier (OID) is an ASN.1/
Done.
>
> s4.1.1, para 3 (1st bullet): Need to expand DER. Also useful to add reference
> to RFC5280 after X.509.
Done.
>
> s4.1.1, para 4 (1st sub-bullet n 1st bullet) 'vs' needs to be expanded - either
> 'versus' or (Better) 'as against'.
Done.
>
> s4.1.3, para 1: The use of capitalized SHOULD NOT here is, I think,
> inappropriate. This is an operational recommendation rather than a protocol
> requirement, so s/SHOULD NOT/should not/.
No change. See above.
>
> s4.2.2, para 1: s/useful when, for example, when/useful when, for example,/
Done.
>
> s4.2.4: s/can define dictionary of/can define a dictionary of/
Done.
>
> s4.2.5: s/For a client that has all intermediates,/For a client that has all
> intermediate certificates in the certificate chain/
Done.
>
> s4.2.5: The second sentence of this section needs to be rewritten as if
> draft-thomson-tls-sic is already an RFC.
Could you give the RFC number? As far as I can tell, it is an expired 
personal submission but I could be wrong: 
https://datatracker.ietf.org/doc/draft-thomson-tls-sic/
>
> s4.2.7: This section is not 'future proof'. It should be rewritten omitting the
> explicit examples but exhorting implementors and operators to consider relevant
> future developments.
No change. See above.
>
> s4.3, para 1: The second and third sentences don't read well. Suggest:
> OLD:
> Another second reason is that unlimited communication from an unauthenticated
> device as EAP could otherwise be use for bulk data transfer. A third reason is
> to prevent denial-of-service attacks. NEW: Other reasons include that unlimited
> communication from an unauthenticated device using EAP could provide a channel
> for inappropriate bulk data transfer, and that communication could facilitate
> denial-of-service attacks. ENDS
Updated with slight modifications.
>
> s6, para 2: The MUSTs look as if they are imposing requirements on
> draft-ietf-tls-certificate-compression. I am sure that the draft would be
> effectively saying these things anyway (if not, why not?) Also the first
> sentence appears to be truncated - it doesn't make any sense as it stands. I
> suggest rewriting the paragraph with the third sentence first, and, if really
> necessary, adding the two points from the first sentences as reminders rather
> than MUSTs.
Done.
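The thread above turns on two operational numbers: the guideline that a certificate chain should not carry more than 2-4 intermediate certificates, and the roughly 60 kB of certificate data that an EAP-TLS exchange may have to move. The following is an added example, not code from the draft or from either author, showing how an administrator could audit a PEM chain against those limits before deploying it on an EAP server. It uses only the Python standard library: a minimal DER walker pulls the issuer and subject Name out of each certificate so that a self-issued trust anchor can be told apart from an intermediate, and the chain order (leaf first) is assumed. The sample chains are constructed in the code with a simplified Name encoding (a single PrintableString rather than a full X.509 Name) and a zero-filled stand-in for the public key; the thresholds `MAX_INTERMEDIATES` and `SIZE_BUDGET_BYTES` are assumptions taken from the numbers in the thread, not values the draft mandates.

```python
import base64
import re

# Assumed thresholds, taken from the discussion: at most 2-4 intermediates
# (4 used as the hard limit here) and roughly 60 kB of certificate data.
MAX_INTERMEDIATES = 4
SIZE_BUDGET_BYTES = 60 * 1024


def _read_tlv(buf, off):
    """Decode one DER TLV at buf[off]; return (tag, value_start, end_of_value)."""
    tag = buf[off]
    length = buf[off + 1]
    pos = off + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def subject_issuer(der):
    """Return (subject, issuer) as raw DER Name bytes from an X.509 certificate."""
    _, pos, _ = _read_tlv(der, 0)           # Certificate ::= SEQUENCE
    _, pos, _ = _read_tlv(der, pos)         # tbsCertificate ::= SEQUENCE
    tag, _, end = _read_tlv(der, pos)
    if tag == 0xA0:                         # optional explicit [0] version
        pos = end
    _, _, pos = _read_tlv(der, pos)         # serialNumber INTEGER
    _, _, pos = _read_tlv(der, pos)         # signature AlgorithmIdentifier
    issuer_start = pos
    _, _, pos = _read_tlv(der, pos)         # issuer Name
    issuer = der[issuer_start:pos]
    _, _, pos = _read_tlv(der, pos)         # validity
    subject_start = pos
    _, _, pos = _read_tlv(der, pos)         # subject Name
    return der[subject_start:pos], issuer


def pem_to_der_list(pem):
    """Split a PEM bundle into the DER bytes of each CERTIFICATE block, in order."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def audit_chain(pem, max_intermediates=MAX_INTERMEDIATES, size_budget=SIZE_BUDGET_BYTES):
    """Count intermediates and total bytes of a leaf-first chain; list findings."""
    certs = pem_to_der_list(pem)
    rest = certs[1:]                        # everything after the end-entity certificate
    self_issued = [c for c in rest if subject_issuer(c)[0] == subject_issuer(c)[1]]
    intermediates = len(rest) - len(self_issued)
    total = sum(len(c) for c in certs)
    findings = []
    if intermediates > max_intermediates:
        findings.append(f"{intermediates} intermediates exceed the limit of {max_intermediates}")
    if total > size_budget:
        findings.append(f"chain is {total} bytes, over the {size_budget}-byte budget")
    if self_issued:
        findings.append("self-issued trust anchor included; peers hold it already, so it only adds bytes")
    return {"certificates": len(certs), "intermediates": intermediates,
            "total_der_bytes": total, "findings": findings}


# ---- constructed sample data (not real certificates) -----------------------

def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def fake_cert(subject, issuer, key_bytes):
    """Minimal DER structure with the field order of an X.509 certificate."""
    name = lambda s: _tlv(0x30, _tlv(0x13, s.encode()))      # simplified Name
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, b"")
           + name(issuer) + _tlv(0x30, b"") + name(subject)
           + _tlv(0x30, b"\x00" * key_bytes))                  # stand-in for SubjectPublicKeyInfo
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


def to_pem(der_list):
    out = []
    for der in der_list:
        b64 = base64.b64encode(der).decode()
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        out.append(f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n")
    return "".join(out)


# Oversized chain: leaf, five intermediates and the root, each padded to ~12 kB.
names = ["leaf", "ica5", "ica4", "ica3", "ica2", "ica1", "root"]
BAD_CHAIN = to_pem([fake_cert(n, names[i + 1] if i + 1 < len(names) else n, 12000)
                    for i, n in enumerate(names)])
# Reasonable chain: leaf plus two small intermediates, root omitted.
GOOD_CHAIN = to_pem([fake_cert("leaf", "ica2", 300), fake_cert("ica2", "ica1", 300),
                     fake_cert("ica1", "root", 300)])

if __name__ == "__main__":
    for label, chain in (("bad", BAD_CHAIN), ("good", GOOD_CHAIN)):
        print(label, audit_chain(chain))
```

Run against a real chain, the walker only reads the fixed-order prefix of tbsCertificate (version, serial, signature algorithm, issuer, validity, subject), so it works on genuine X.509 DER without any third-party library; the size budget should be tuned to the actual authenticator and fragment limits of the deployment.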