Re: [Gen-art] Genart telechat review of draft-gutmann-scep-08
Christer Holmberg <christer.holmberg@ericsson.com> Thu, 01 February 2018 13:42 UTC
Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F0B212E852 for <gen-art@ietfa.amsl.com>; Thu, 1 Feb 2018 05:42:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.321
X-Spam-Level:
X-Spam-Status: No, score=-4.321 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4CTdhlyPsWlD for <gen-art@ietfa.amsl.com>; Thu, 1 Feb 2018 05:42:15 -0800 (PST)
Received: from sessmg23.ericsson.net (sessmg23.ericsson.net [193.180.251.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A66EA12E034 for <gen-art@ietf.org>; Thu, 1 Feb 2018 05:42:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; d=ericsson.com; s=mailgw201801; c=relaxed/simple; q=dns/txt; i=@ericsson.com; t=1517492531; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=2OjGfgwr+x3yi6y5z+DGgh7QrcjB7QQTI/WhM6uGZFM=; b=PRp6+M90mI9FfV/IHS8xRPiMLQZB4dKpzdXVBFmhdvXPYQ7LxsqHfE444NUKWKfJ f1HWh6L1Lamk7vtshSqY9fu/lWHnjilAuD+OtJJk6dkpdGheCRii1xFSA9XDZ1Ih F6krJPIkl/MKOfw1eaqKshh13A/rLJwOZQGwKzf/ItY=;
X-AuditID: c1b4fb2d-b35ff70000007932-1d-5a73193349dd
Received: from ESESSHC011.ericsson.se (Unknown_Domain [153.88.183.51]) by sessmg23.ericsson.net (Symantec Mail Security) with SMTP id C1.DD.31026.339137A5; Thu, 1 Feb 2018 14:42:11 +0100 (CET)
Received: from ESESSMB109.ericsson.se ([169.254.9.195]) by ESESSHC011.ericsson.se ([153.88.183.51]) with mapi id 14.03.0352.000; Thu, 1 Feb 2018 14:42:10 +0100
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: "gen-art@ietf.org" <gen-art@ietf.org>, "pgut001@DOMAIN.HIDDEN" <pgut001@DOMAIN.HIDDEN>
CC: "draft-gutmann-scep.all@ietf.org" <draft-gutmann-scep.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
Thread-Topic: [Gen-art] Genart telechat review of draft-gutmann-scep-08
Thread-Index: AQHTlgkCELmr+HoHm0eiD/BWeQTXJKOPrNqA
Date: Thu, 01 Feb 2018 13:42:09 +0000
Message-ID: <D698E1C1.2A474%christer.holmberg@ericsson.com>
References: <151690435171.8462.17376545317175159264@ietfa.amsl.com>
In-Reply-To: <151690435171.8462.17376545317175159264@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.7.7.170905
x-originating-ip: [153.88.183.20]
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <CEAD4154B148BF49BC89377677EF88E9@ericsson.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrOIsWRmVeSWpSXmKPExsUyM2K7sa6xZHGUwc5z0hYzdv5nt7j66jOL xbON81ks1n5eweLA4vHh4C8WjyVLfjIFMEVx2aSk5mSWpRbp2yVwZeya9Y6lYJpxxcPHTxkb GDdqdDFyckgImEjs3fmVqYuRi0NI4DCjxIZjzawQzmJGidePzjN3MXJwsAlYSHT/0wZpEBGI kbj56xEziM0skCWxouUSE4gtLOAmcfBXPzNEjbvEth2PmUBaRQSMJA4/FgAJswioSOzY+his hFfAWqLpQyM7iC0k4CzxctdDVhCbU8BF4sXHT2A1jAJiEt9PrWGCWCUucevJfCaImwUkluw5 zwxhi0q8fPwPrFdUQE9iw4nb7BBxRYmr05dD9RpIvD83H+wTZqC9E646QYS1JZYtfA11jqDE yZlPWCYwis9Csm0Wku5ZCN2zkHTPQtK9gJF1FaNocWpxcW66kbFealFmcnFxfp5eXmrJJkZg 9B3c8lt3B+Pq146HGAU4GJV4eFcyFkcJsSaWFVfmHmKU4GBWEuF9s68oSog3JbGyKrUoP76o NCe1+BCjNAeLkjjvSU/eKCGB9MSS1OzU1ILUIpgsEwenVAOjZ9gsjpIiyyM2hR8/fah6F7Na LmjPpvjt7S9qdkQvce8TYvnqY139U/w0j5KE1XTb82c1JybFVUqy/+BnP1ua8uiLTPCUZ3H+ Om/fNR77pOnie9ReX/WSZ9KcJC3HD++6M3dHfNLQ/PVD5Z7Ww9lVsvWfvu9Qnu2+o9JcdrZS +sYTB60/nqxWYinOSDTUYi4qTgQAvYdms7oCAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/PKsIyK2McS_rkJRIG5vRgiUCcZ0>
Subject: Re: [Gen-art] Genart telechat review of draft-gutmann-scep-08
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Feb 2018 13:42:17 -0000
Hi, >>However, there are some issues (mostly editorial) that I would like the >>authors to address. > > One comment on this, I didn't write the original text so I'll try and > accommodate as much as possible, but in some cases I've had to guess at >what > the original authors intended. Also, the explanations for several of the > points raised in the questions is "it was like that when I got here". >So in > the following, when I respond with another question, it's because I'm >not sure > myself what should go in there, and I'm welcoming any suggestions... > > Another general point, because this has spent close to twenty years in >draft > status, it's been a de facto standard for most of that time so there are > "standards-compliant" implementations that have been in use for more >than a > decade based on the draft. Because of this, I've had to be very careful >to > avoid breaking things by introducing a MUST or MUST NOT after nearly two > decades of something not being a MUST. This is why, in some places, >there's a > SHOULD with strong hints rather than a MUST. > > The primary goal for this was to make it bits-on-the-wire compatible >(apart > from the unavoidable single DES + MD5 -> AES + SHA-2), and to minimise > (ideally not to have any) breakage with deployed code. So there are >places > where there are weasel-words ("we know you've been doing this for fifteen > years but you probably shouldn't any more"), and others where I've >retained > text that I wouldn't have put in there if I'd been the one writting the >doc. Maybe some text about all that somewhere (e.g., in the Introduction section, or in a dedicated ³History² section)? >Q1: > >[Editing changes] > > I've had a go at changing this, but no matter what I do just ends up as >the > same wording shuffled around, I end up just moving bits from one >location to > another (it's already gone through a number of re-wordings across >different > drafts). If there's a specific goal that you're aiming for with the >changes I > can try and hit that, but I just ended up saying more or less the same >thing > with different phrasing. I just think it sounds weird to talk about a widely deployed protocol that you are just about to publish. But, maybe with some history (see previous comment) it would become more clear. --- >>Q2: >> >>Doesn¹t the "While implementers are encouraged toŠ" sentence belong to >>the >>Security Considerations? > >It's not a security consideration, unless I'm missing something it only >discusses functionality and interoperability issues. Ok. --- >>Q3: >> >>The text says: >> >> "A CA MAY enforce any arbitrary policies and apply them to certificate >> requests, and MAY reject any request." >> >>The "MAY reject any request" parts sounds unfinished. I assume it¹s >>refers to >>cases where the client don¹t support such arbitrary policies? If so, I >>suggest >>to explicitly say so. >> >>Currently it sounds like a generic CA-may-reject-any-request statement, >>which >>I assume is not what you intend to say :) > > That's exactly what it's meant to say: "You can ask for anything you >want, but > the CA isn't obligated to comply with your request". Sure, but the text doesn¹t give any guidance on why it would reject the request. Since the sentence is in the same sentence talking about policies I assume the rejection would be if the policies are not fulfilled. --- >>Q4: >> >>As the text talks about certificate distribution, is this really a >>subsection >>to section 2.1? > > "It was like that when I got here". I can make it a non-subsection if >it reads better that way. I think it would be good. The text itself doesn¹t change, soŠ --- >>Q5: >> >>The 4th paragraph contains a couple of SHOULDs. Is there a reason they >>can¹t >>be MUST? > >There are many ways to verify certs, those are just suggestions. For >example >they may be hardcoded into the client (that's actually not uncommon in >SCADA >use), in which case there's nothing to verify. Since you use ³SHOULD², it sounds more like just suggestions. --- >>Q6: >> >>The 5th paragraph talks about how early versions of the draft used GET >>messages for all communication. >> >>The text also says: >> >>³If the remote CA supports it, any of the CMS-encoded SCEP messages >>SHOULD be >>sent via HTTP POST instead of HTTP GET.² >> >>If the remove CA supports what? HTTP POST? > > Yes, fixed. > >>Why SHOULD, and not MUST? > > See the note about introducing breakage. > >>If the client understands to use POST if GET fails, why can¹t it use >>POST to >>begin with? > > It was meant to say (subtly) "if you're seeing these problems then >perhaps > it's time you updated your code". I've changed the text to make this >more > explicit: > > The solution to this problem is to update the implementation to use HTTP > POST instead. Ok. >>In general, what is the reason for having this text about early versions >>of >>the draft? Backward compatibility with CAs that will only support GET? > >Yes. Not just CAs but major implementations like Microsoft's NDES. I think it would be good to mention that. --- >>Q7: >> >>The title of the section talks about state transitions, but then the text >>says that the section contains examples. >> >>Is there a reference to the state machine(s) that are represented in the >>examples? OR, does the section define the state machine(s)? > >"It was like that when I got here". It's supposed to illustrate state >transitions, so it's both a diagram and an example of what's supposed to >happen. I'm reluctant to start rewriting that to any extent because, >well, >would you want to start poking around in there? I just think it¹s strange to talk about "state transitions" without any reference to a state machine (in fact, there seems to be two state machines - one for the client and one for the CA). Couldn¹t the section simply be called ³SCTP Transaction Examples², or something? --- >>Q8: >> >>The text says ³previous editors² and ³earlier editors². Please pick one >>and >>use it in both places :) > > It's actually "earlier authors", and it was deliberate, to distinguish >between > the people who wrote it (authors) and those who came later and merely >edited > the original authors' work (editors). Ok. Regards, Christer
- [Gen-art] Genart telechat review of draft-gutmann… Christer Holmberg
- Re: [Gen-art] [FORGED] Genart telechat review of … Peter Gutmann
- Re: [Gen-art] Genart telechat review of draft-gut… Christer Holmberg
- Re: [Gen-art] Genart telechat review of draft-gut… Peter Gutmann
- Re: [Gen-art] Genart telechat review of draft-gut… Peter Gutmann
- Re: [Gen-art] Genart telechat review of draft-gut… Christer Holmberg