Re: [Gen-art] Genart last call review of draft-ietf-stir-certificates-15
Joel Halpern Direct <jmh.direct@joelhalpern.com> Tue, 21 November 2017 15:24 UTC
Return-Path: <jmh.direct@joelhalpern.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 57A7F1294DF; Tue, 21 Nov 2017 07:24:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.721
X-Spam-Level:
X-Spam-Status: No, score=-2.721 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=joelhalpern.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3uM8Thhhnxpv; Tue, 21 Nov 2017 07:24:56 -0800 (PST)
Received: from mailb2.tigertech.net (mailb2.tigertech.net [208.80.4.154]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7928C1294AC; Tue, 21 Nov 2017 07:24:56 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mailb2.tigertech.net (Postfix) with ESMTP id 51A8A6A00EF; Tue, 21 Nov 2017 07:24:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=joelhalpern.com; s=1.tigertech; t=1511277896; bh=Bd4pyA6hVKJw/gIUoEXIBL44lVNQxPIa8RuLG3UfcIU=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From; b=akZveQYPGgXNy9WKC5ylrRBW4+KY1KLX6asd4qe3ERoMJhhqbeIFi88k2Lvb6EO0s KBy85+NcJd5K29wxeeWj2OyxDdW+OcVH4LCUoY/mCMwz5kwkMFqU7xeIugph3gq82L kEDSHEpclPQdlWkNbvi7CxiajAVZXtHVzJTWFE3w=
X-Virus-Scanned: Debian amavisd-new at b2.tigertech.net
Received: from Joels-MacBook-Pro.local (unknown [50.225.209.67]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mailb2.tigertech.net (Postfix) with ESMTPSA id 69D506A1432; Tue, 21 Nov 2017 07:24:55 -0800 (PST)
To: Sean Turner <sean@sn3rd.com>
Cc: gen-art@ietf.org, draft-ietf-stir-certificates.all@ietf.org, stir@ietf.org, ietf@ietf.org
References: <151090177468.22136.5281729043778955691@ietfa.amsl.com> <3A0F58AA-1397-445F-AD99-CED165E4EAE4@sn3rd.com>
From: Joel Halpern Direct <jmh.direct@joelhalpern.com>
Message-ID: <09f05bf5-c23a-ba1f-116a-a94b44680f59@joelhalpern.com>
Date: Tue, 21 Nov 2017 10:24:54 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <3A0F58AA-1397-445F-AD99-CED165E4EAE4@sn3rd.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/PF6UUodiHHZYnjUn6ZVl0sEjnNE>
Subject: Re: [Gen-art] Genart last call review of draft-ietf-stir-certificates-15
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Nov 2017 15:24:58 -0000
Thanbks Sean. On the first point, using "latter" will fix the problem nicely. On the point about CA conflicts, I understand the desire to stay out of the swamp. Given that calls are frequently international, I am unclear how National Numbering Authorities can address the issue of inappropriate assertions from foreign CAs. Each country can protect itself from folks pretending to be it. But they can't protect themselves from other-A authorizing numbers within other-B. I could well understand identifying the problem and saying that this work does not attempt to resolve it. I would not consider that to be copying text, given that the referenced section is MUCH vaguer than that. Having said that, I do consider it minor, and if you feel it would harm the document then that is more important. Yours, Joel On 11/21/17 10:19 AM, Sean Turner wrote: > >> On Nov 17, 2017, at 14:56, Joel Halpern <jmh@joelhalpern.com> wrote: >> >> Reviewer: Joel Halpern >> Review result: Ready >> >> I am the assigned Gen-ART reviewer for this draft. The General Area >> Review Team (Gen-ART) reviews all IETF documents being processed >> by the IESG for the IETF Chair. Please treat these comments just >> like any other last call comments. >> >> For more information, please see the FAQ at >> >> <https://trac.ietf.org/trac/gen/wiki/GenArtfaq>. >> >> Document: draft-ietf-stir-certificates-15 >> Reviewer: Joel Halpern >> Review Date: 2017-11-16 >> IETF LC End Date: 2017-11-30 >> IESG Telechat date: 2017-12-14 >> >> Summary: >> >> Major issues: >> >> Minor issues: >> Section 4 bullet 4 in naming the crypto algorithms refers quite clearly to >> 2 algorithms. It then references one of them as RS256. I assume those >> versed in the field will know which one is meant. But it would be better >> if the abbreviation RS256 appeared next to the first reference to whichever >> algorithm it means. > > Ah okay I see what’s going on, the two algorithms are introduced in the previous sentence but we use the registered value as opposed to the name in the next sentence. How about I replace “RS256" with the “latter” as it is the 2nd algorithm discussed in the previous sentence. > >> The security considerations section points to RFC 5280 security >> considerations for most issues. I presume that the intention is to use >> that section regarding trusting CAs. However, it seems that there is an >> issue here much like that of classic web CAs. The number of CAs that must >> be trusted seems to be on the order of the number of countries in the >> world. That seems to leave a large window for false or misleading >> certifications, as I can see nothing which restricts what numbers for which >> those top level CAs can provide attestation. I presume we do not want to >> go down the path of requiring an uber-CA for all national authorities. I >> would expect some explicit recognition of this issue in this document. > > Two points intertwined here: > > - uber-CA: The WG explicitly agreed to say nothing about this topic. I agree with you that we should not add any text concerning this point. > > - Trust Anchor/Delegation: RFC5280’s SecCons already state that determining the Trusted CA (aka Trust Anchor) is out of scope. The same is true here and I guess I could copy that text over, but it seems unnecessary in my mind given that a) half the time I get chastised for copying forward SecCons, and more importantly b) there’s are more specifications required to implement this including but not limited to a CP (Certification Policy) and CPS (Certification Practice Statement); these additional specifications get written/approved/published by National Numbering Authorities. > > spt >
- [Gen-art] Genart last call review of draft-ietf-s… Joel Halpern
- Re: [Gen-art] Genart last call review of draft-ie… Sean Turner
- Re: [Gen-art] Genart last call review of draft-ie… Joel Halpern Direct
- Re: [Gen-art] [stir] Genart last call review of d… Gorman, Pierce A [CTO]
- Re: [Gen-art] Genart last call review of draft-ie… Alissa Cooper