Re: [Gen-art] review of draft-ietf-opsawg-sdi-02.txt
Alissa Cooper <alissa@cooperw.in> Thu, 21 May 2020 01:11 UTC
Return-Path: <alissa@cooperw.in>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F37043A07B3; Wed, 20 May 2020 18:11:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cooperw.in header.b=lgYaIG3F; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=cqr5j1du
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yMc8Aamo8Exq; Wed, 20 May 2020 18:11:09 -0700 (PDT)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A6EF23A0972; Wed, 20 May 2020 18:11:09 -0700 (PDT)
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id CE0F25C00B1; Wed, 20 May 2020 21:11:08 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163]) by compute4.internal (MEProxy); Wed, 20 May 2020 21:11:08 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cooperw.in; h= from:message-id:content-type:mime-version:subject:date :in-reply-to:cc:to:references; s=fm3; bh=+XuDsCm/ggfFCKifvR27Iwp ude6urfdMlWxVStkdJsA=; b=lgYaIG3FHdgik9RLXDMoUQEGXSxoJJYDmabGx4/ v9GtIDLYudSJ/Je1VRh5Zt1CaVMgIeW6pdGaJ9UMkTSsR43pCJkqkNL0iG/TQt1N QwLUrPJae+iZwOE55bLdzm2BCkgA2UJr1nFCMygQaq2xBkeYnlyx9SOqHf5TZxO9 Iud7kBczW1yHLSQOKSL90AvvT8KLsstOUsvROtgrXPDywvCH9IUk7leTtKZNU1UX cj3qovZIhouG5SuztSprM0AzU5HmF8RHr2EbTPtXoJGRvIRLWSqJjVU2xaSAy+xE 0sJjNrglf9vLWLtjyeDJ5ECK0VjrcIsBEghx3y8MOSI7InA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=+XuDsC m/ggfFCKifvR27Iwpude6urfdMlWxVStkdJsA=; b=cqr5j1duK7GfNlKYcQKnSm qmaLAOKJP5a6OazSvNZdPZgVgeEANB6oXgC5r5+Kdfe/OcuJHIxej168+Y/1fNjh fNYz2FIWk1aTeEHgTRRaa8hUazD39xxkFAAB0xgkJAreNix+AvoRyExDOyvCBFt7 Jqw25XETH0g6kKKd1hd4VMvoxhzqsP+eoB/f1KN2ovcF5qRhOY21qweSXRhc03Mf 8Hjj/6n1VV3pb8ZDgwPJpeXeI0g1p8lM1di/ZQ5gBrxf9c8Fa9dL21cflNh5xwe9 CSeq+ce37+wGBqFm3xU6Ma1BiCBTLgSjANdq/cc9CPeTXpQblYwQoH9XNQpb5c0g ==
X-ME-Sender: <xms:LNXFXh4ePljkd-yrJrKGwJI6TX578bqWvAd5Buj-5tugMYQaH1H82g>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduhedruddutddggedvucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhephffktgggufffjgfvfhfosegrtdhmrehhtdejnecuhfhrohhmpeetlhhishhs rgcuvehoohhpvghruceorghlihhsshgrsegtohhophgvrhifrdhinheqnecuggftrfgrth htvghrnhepgeegffefuddvffeflefgheektdeigfehffdtteetieeffefhfedugeduuedv vefhnecuffhomhgrihhnpehivghtfhdrohhrghenucfkphepuddtkedrhedurddutddurd elkeenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpegr lhhishhsrgestghoohhpvghrfidrihhn
X-ME-Proxy: <xmx:LNXFXu7iH3F94U9JpMnBplTv2giPmiPRB3N5bml4773kCNLB-pB6sA> <xmx:LNXFXofLPV9EP6PlG168XU23Tze5OSOKw93_Fckyybp8DFe4lMcZrg> <xmx:LNXFXqJeggnHcLB0XtMTn6dQVQfDM8wNqTPoS7eXWioG3wB6xwgROg> <xmx:LNXFXnwyMBSbV-Gx6Y2VGU0bLMP2-iNpyQoiozCJpKp4npRxHRjgcA>
Received: from alcoop-m-c46z.fios-router.home (pool-108-51-101-98.washdc.fios.verizon.net [108.51.101.98]) by mail.messagingengine.com (Postfix) with ESMTPA id 0700D3066467; Wed, 20 May 2020 21:11:08 -0400 (EDT)
From: Alissa Cooper <alissa@cooperw.in>
Message-Id: <2B8D7500-CBEB-43B0-805D-024868255243@cooperw.in>
Content-Type: multipart/alternative; boundary="Apple-Mail=_352666A0-18FF-4572-B2B1-509D40C0666C"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.5\))
Date: Wed, 20 May 2020 21:11:06 -0400
In-Reply-To: <CAHw9_iL7e4Q1+OeByYv-ezcBSiwpBFOep0unnB4edSvUsFO7wg@mail.gmail.com>
Cc: General Area Review Team <gen-art@ietf.org>, draft-ietf-opsawg-sdi.all@ietf.org
To: Warren Kumari <warren@kumari.net>, Francis Dupont <Francis.Dupont@fdupont.fr>
References: <202002181502.01IF253D063816@givry.fdupont.fr> <CAHw9_iKCKc9T9rQNfi2LVa_NiA-LRQPjJuO7BPGrUjVeji6A0w@mail.gmail.com> <CAHw9_iL7e4Q1+OeByYv-ezcBSiwpBFOep0unnB4edSvUsFO7wg@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.9.5)
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/SDrwxn1muUlnbLYTRVAmtykVqF4>
Subject: Re: [Gen-art] review of draft-ietf-opsawg-sdi-02.txt
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 May 2020 01:11:20 -0000
Francis, thanks for your review. Warren, thanks for addressing Francis’ comments. I entered a No Objection ballot. Alissa > On Mar 6, 2020, at 12:13 PM, Warren Kumari <warren@kumari.net> wrote: > > Whoops, apologies, I just realized that I forgot to mention that I've > posted a new version (-05) addressing these / hit send too soon. > > Thank you again, Francis. > W > > > On Fri, Mar 6, 2020 at 12:09 PM Warren Kumari <warren@kumari.net <mailto:warren@kumari.net>> wrote: >> >> Wow, apologies, I had completely missed this email -- I have a complex >> set of filtering rules to allow me to focus on drafts on the upcoming >> telechats, and this fell into the cracks. >> >> On Tue, Feb 18, 2020 at 10:57 AM Francis Dupont >> <Francis.Dupont@fdupont.fr> wrote: >>> >>> I am the assigned Gen-ART reviewer for this draft. The General Area >>> Review Team (Gen-ART) reviews all IETF documents being processed >>> by the IESG for the IETF Chair. Please treat these comments just >>> like any other last call comments. >>> >>> For more information, please see the FAQ at >>> >>> <https://trac.ietf.org/trac/gen/wiki/GenArtfaq>. >>> >>> Document: draft-ietf-opsawg-sdi-02.txt >>> Reviewer: Francis Dupont >>> Review Date: 20200212 >>> IETF LC End Date: 20200218 >>> IESG Telechat date: unknown >>> >>> Summary: Almost Ready >>> >>> Major issues: None >>> >>> Minor issues: crypto use details are missing. IMHO it is a problem of >>> presentation, I propose: >>> - make only requirements in the first/normative part >>> - put all details in the appendix/demo part >> >> Thank you. >> >> I have attempted to do this - where I have crypto discussion I am >> clarifying that this is just illustrative, and that the vendor should >> figure out what is best for their environment. I also suggest vendors >> may want to consider draft-gutmann-scep. >> >>> >>> Nits/editorial comments: >>> - ToC page 2 and 8 page 11: Acknowledgements -> Acknowledgments >> >> Thank you, done. >> >>> >>> - 2 page 4: there are two kinds of certificates so I suggest at the >>> first occurrence to put "public key certificate". >> >> Done. Thank you. >> >>> >>> - 2 page 5, 2.2 page 5, 4.2 page 6, 5.3 page 10, 7 page 11: e.g -> e.g., >> >> Done (x8!) >> Thank you. >> >> >>> >>> - 3.1 page 5: as an example of something which could be specified but >>> IMHO should not be: the certificate has (extended) key usages and >>> other policy parameters. >> >> I added: :The vendor's Certificate Publication >> Server should only accept certificates from the manufacturing facility, >> and which match vendor defined policies (for example, extended key usage, >> extensions, etc.)" >> >> Does this address your concern? I suspect that this section (and >> others :-)) will get a fair but of discussion / feedback during IETF >> LC, and SecDir / IESG review :-) >> >>> >>> - 4.2 page 6: in "The operator will then encrypt the >>> initial configuration to the key in the certifcate" >>> * the "to" seems a bit strange to me (I expected "with" but I am >>> not a native English speaker) >>> * public key crypto does not provide a way to directly encrypt >>> a large amount of data. IMHO it is not a real problem: just >>> require the key is used to protect the initial configuration >>> * it will be fine to have a bit more than confidentiality, for >>> instance to protect integrity or at least the data length. >>> Last both points are handled by SMIME so again it is only a >>> presentation problem. >> >> Thank you -- the example uses SMIME specifically for this reason. I >> was trying to word it in a way that was neither too prescriptive, nor >> too convoluted. How is: >> "The operator will then encrypt the initial >> configuration (for example, using SMIME) using the key in the certificate, >> and place it on their TFTP server. " >> >>> >>> - 4.3 page 7: Add that DHCP option 66 is TFTP server name and >>> option 150 is TFTP server address. >> >> Oooh, thank you. Done. >> >>> >>> - 5.1 page 10: I've checked (googled it) the TPM abbrev and it seems >>> the common usage in the context is the expected one (BTW it is >>> not in the RFC editor abbrev table). >> >> Thank you - I expanded it. >> >>> >>> - B.1.1 page 13: IMHO it is a good diea to give the OpenSSL command >>> line (OpenSSL man pages are more than cryptic :-). >> >> Thank you - OpenSSL CLI processing is indeed, um, cryptic. I somewhat >> think that this is by design - if someone accidentally publishes their >> key, it doesn't actually matter, because no-one will figure out how to >> invoke OpenSSL to *do* anything with it :-P >> >>> >>> - B.2.2 page 14: I support the choice of S/MIME: it does the job >>> (including length check) and it is commonly available. >>> Of course there should be better ways but it is clearly far >>> better than a home made solution. BTW as it is encoded ASN.1 it >>> is trivial to recognize (i.e., no ambiguity with ASCII text). >> >> Thank you! >> >>> >>> - B.3 page 15: then then -> then >> >> Oooh, good catch, fixed, thank you. >> W >> >> >>> Regards >>> >>> Francis.Dupont@fdupont.fr >>> >>> PS: I removed spelling errors which were fixed in version 03. >> >> >> >> -- >> I don't think the execution is relevant when it was obviously a bad >> idea in the first place. >> This is like putting rabid weasels in your pants, and later expressing >> regret at having chosen those particular rabid weasels and that pair >> of pants. >> ---maf > > > > -- > I don't think the execution is relevant when it was obviously a bad > idea in the first place. > This is like putting rabid weasels in your pants, and later expressing > regret at having chosen those particular rabid weasels and that pair > of pants. > ---maf > > _______________________________________________ > Gen-art mailing list > Gen-art@ietf.org <mailto:Gen-art@ietf.org> > https://www.ietf.org/mailman/listinfo/gen-art <https://www.ietf.org/mailman/listinfo/gen-art>
- [Gen-art] review of draft-ietf-opsawg-sdi-02.txt Francis Dupont
- Re: [Gen-art] review of draft-ietf-opsawg-sdi-02.… Joe Clarke (jclarke)
- Re: [Gen-art] review of draft-ietf-opsawg-sdi-02.… Warren Kumari
- Re: [Gen-art] review of draft-ietf-opsawg-sdi-02.… Warren Kumari
- Re: [Gen-art] review of draft-ietf-opsawg-sdi-02.… Alissa Cooper