Re: [Gen-art] review of draft-ietf-opsawg-sdi-02.txt
Warren Kumari <warren@kumari.net> Fri, 06 March 2020 17:13 UTC
Return-Path: <warren@kumari.net>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C80573A0B32 for <gen-art@ietfa.amsl.com>; Fri, 6 Mar 2020 09:13:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2Wg1xv0-tp07 for <gen-art@ietfa.amsl.com>; Fri, 6 Mar 2020 09:13:41 -0800 (PST)
Received: from mail-lj1-x22b.google.com (mail-lj1-x22b.google.com [IPv6:2a00:1450:4864:20::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC4153A0B2C for <gen-art@ietf.org>; Fri, 6 Mar 2020 09:13:40 -0800 (PST)
Received: by mail-lj1-x22b.google.com with SMTP id u26so2976130ljd.8 for <gen-art@ietf.org>; Fri, 06 Mar 2020 09:13:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=RKZHlICjfBblmnu4SajU2QDpOL5WUeJ0dWrLMIPaVyo=; b=JHrNH9aFdHlxYdG4fgK45GxkGZUfC0txJHea8aWo+7k+EXEQxMJ1BUpAyF6WLjuJdR cYClZE6sunMDWG8lQ851Z3PCiQ5epu0Fl9nx+2CTO5+vzw0/Pc5imdBgumLcH2krpi4U WZ49ePSmCJ9Ijw04cvCoCr/9CkhpSK6vKrK3dp6RcKJ4eW436F4OfQcO2zdwlkwX5gpG P8o0+yDD/jMKxoLQw5yxT5O3eftmbBQmK2tIyO4pJy/Zk0sh3wkgCmnmfbNPzP1mqnyg Jr+OSE4SK3VBz57TnsFHkQ8sbGmuXULx65T2/KnZ7GqOqd+q5aVGaT+4j0EsZ1GM/0tp wq1g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=RKZHlICjfBblmnu4SajU2QDpOL5WUeJ0dWrLMIPaVyo=; b=tIWpCeO6xIu/6A5YyDh02BoOmocBh4scu3rGXHGPCGBM8AosIr5jP22zg78iSOwADI nqg6Q9wcCr+nbDGbwKrtDLXAUyGoQhcP6QZqEpvt8OjNdyUxfYmsWKTxTzjmxdeuvViu cF1uTcS1yawTkN5Mg1LutG6QDmxYcG7GxK+7Lg+OzK1GtwLox8t3ehHxKs8KaY5tOPq1 UjnNSxZm8dKq5NApiF/1vtIKVapybE4wtDGeTHhsY/gy10FrYrl9bWtUlDMYqfPqjErB 4c9Hk2QEeYfYL7NuCCjISH2VtsfuP+morOf1i4Kebw4uOhXdJh/HUZ4aXOInHll8/cS4 UOoA==
X-Gm-Message-State: ANhLgQ20rXIJTJxOaZwDaWF36aotSH5AwxeNhLz++Ovuz9ds/SJe+HrJ Mu3vazVbgXSGei31mXc8hJwx5/R5GfitnKokL7wkQg==
X-Google-Smtp-Source: ADFU+vsNY07GD/rV1OvemMiRsI6vMQmTNOEX89fvSNvb4mjfIzhU4Hrj8gQ4hdqF3uKPJUF/J/83kx+cRdeejFy8a84=
X-Received: by 2002:a2e:a366:: with SMTP id i6mr1631863ljn.198.1583514818628; Fri, 06 Mar 2020 09:13:38 -0800 (PST)
MIME-Version: 1.0
References: <202002181502.01IF253D063816@givry.fdupont.fr> <CAHw9_iKCKc9T9rQNfi2LVa_NiA-LRQPjJuO7BPGrUjVeji6A0w@mail.gmail.com>
In-Reply-To: <CAHw9_iKCKc9T9rQNfi2LVa_NiA-LRQPjJuO7BPGrUjVeji6A0w@mail.gmail.com>
From: Warren Kumari <warren@kumari.net>
Date: Fri, 06 Mar 2020 12:13:02 -0500
Message-ID: <CAHw9_iL7e4Q1+OeByYv-ezcBSiwpBFOep0unnB4edSvUsFO7wg@mail.gmail.com>
To: Francis Dupont <Francis.Dupont@fdupont.fr>
Cc: General Area Review Team <gen-art@ietf.org>, draft-ietf-opsawg-sdi.all@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/SOMVhTlUKGJn-ofBarmu_3URBxs>
Subject: Re: [Gen-art] review of draft-ietf-opsawg-sdi-02.txt
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Mar 2020 17:13:43 -0000
Whoops, apologies, I just realized that I forgot to mention that I've posted a new version (-05) addressing these / hit send too soon. Thank you again, Francis. W On Fri, Mar 6, 2020 at 12:09 PM Warren Kumari <warren@kumari.net> wrote: > > Wow, apologies, I had completely missed this email -- I have a complex > set of filtering rules to allow me to focus on drafts on the upcoming > telechats, and this fell into the cracks. > > On Tue, Feb 18, 2020 at 10:57 AM Francis Dupont > <Francis.Dupont@fdupont.fr> wrote: > > > > I am the assigned Gen-ART reviewer for this draft. The General Area > > Review Team (Gen-ART) reviews all IETF documents being processed > > by the IESG for the IETF Chair. Please treat these comments just > > like any other last call comments. > > > > For more information, please see the FAQ at > > > > <https://trac.ietf.org/trac/gen/wiki/GenArtfaq>. > > > > Document: draft-ietf-opsawg-sdi-02.txt > > Reviewer: Francis Dupont > > Review Date: 20200212 > > IETF LC End Date: 20200218 > > IESG Telechat date: unknown > > > > Summary: Almost Ready > > > > Major issues: None > > > > Minor issues: crypto use details are missing. IMHO it is a problem of > > presentation, I propose: > > - make only requirements in the first/normative part > > - put all details in the appendix/demo part > > Thank you. > > I have attempted to do this - where I have crypto discussion I am > clarifying that this is just illustrative, and that the vendor should > figure out what is best for their environment. I also suggest vendors > may want to consider draft-gutmann-scep. > > > > > Nits/editorial comments: > > - ToC page 2 and 8 page 11: Acknowledgements -> Acknowledgments > > Thank you, done. > > > > > - 2 page 4: there are two kinds of certificates so I suggest at the > > first occurrence to put "public key certificate". > > Done. Thank you. > > > > > - 2 page 5, 2.2 page 5, 4.2 page 6, 5.3 page 10, 7 page 11: e.g -> e.g., > > Done (x8!) > Thank you. > > > > > > - 3.1 page 5: as an example of something which could be specified but > > IMHO should not be: the certificate has (extended) key usages and > > other policy parameters. > > I added: :The vendor's Certificate Publication > Server should only accept certificates from the manufacturing facility, > and which match vendor defined policies (for example, extended key usage, > extensions, etc.)" > > Does this address your concern? I suspect that this section (and > others :-)) will get a fair but of discussion / feedback during IETF > LC, and SecDir / IESG review :-) > > > > > - 4.2 page 6: in "The operator will then encrypt the > > initial configuration to the key in the certifcate" > > * the "to" seems a bit strange to me (I expected "with" but I am > > not a native English speaker) > > * public key crypto does not provide a way to directly encrypt > > a large amount of data. IMHO it is not a real problem: just > > require the key is used to protect the initial configuration > > * it will be fine to have a bit more than confidentiality, for > > instance to protect integrity or at least the data length. > > Last both points are handled by SMIME so again it is only a > > presentation problem. > > Thank you -- the example uses SMIME specifically for this reason. I > was trying to word it in a way that was neither too prescriptive, nor > too convoluted. How is: > "The operator will then encrypt the initial > configuration (for example, using SMIME) using the key in the certificate, > and place it on their TFTP server. " > > > > > - 4.3 page 7: Add that DHCP option 66 is TFTP server name and > > option 150 is TFTP server address. > > Oooh, thank you. Done. > > > > > - 5.1 page 10: I've checked (googled it) the TPM abbrev and it seems > > the common usage in the context is the expected one (BTW it is > > not in the RFC editor abbrev table). > > Thank you - I expanded it. > > > > > - B.1.1 page 13: IMHO it is a good diea to give the OpenSSL command > > line (OpenSSL man pages are more than cryptic :-). > > Thank you - OpenSSL CLI processing is indeed, um, cryptic. I somewhat > think that this is by design - if someone accidentally publishes their > key, it doesn't actually matter, because no-one will figure out how to > invoke OpenSSL to *do* anything with it :-P > > > > > - B.2.2 page 14: I support the choice of S/MIME: it does the job > > (including length check) and it is commonly available. > > Of course there should be better ways but it is clearly far > > better than a home made solution. BTW as it is encoded ASN.1 it > > is trivial to recognize (i.e., no ambiguity with ASCII text). > > Thank you! > > > > > - B.3 page 15: then then -> then > > Oooh, good catch, fixed, thank you. > W > > > > Regards > > > > Francis.Dupont@fdupont.fr > > > > PS: I removed spelling errors which were fixed in version 03. > > > > -- > I don't think the execution is relevant when it was obviously a bad > idea in the first place. > This is like putting rabid weasels in your pants, and later expressing > regret at having chosen those particular rabid weasels and that pair > of pants. > ---maf -- I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf
- [Gen-art] review of draft-ietf-opsawg-sdi-02.txt Francis Dupont
- Re: [Gen-art] review of draft-ietf-opsawg-sdi-02.… Joe Clarke (jclarke)
- Re: [Gen-art] review of draft-ietf-opsawg-sdi-02.… Warren Kumari
- Re: [Gen-art] review of draft-ietf-opsawg-sdi-02.… Warren Kumari
- Re: [Gen-art] review of draft-ietf-opsawg-sdi-02.… Alissa Cooper