[Gen-art] Gen-ART Last Call review of draft-ietf-dice-profile-14
Brian E Carpenter <brian.e.carpenter@gmail.com> Tue, 01 September 2015 23:30 UTC
Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E5D01B2B64; Tue, 1 Sep 2015 16:30:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t1ljJ7ZYt0kd; Tue, 1 Sep 2015 16:30:18 -0700 (PDT)
Received: from mail-pa0-x235.google.com (mail-pa0-x235.google.com [IPv6:2607:f8b0:400e:c03::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 75A571ACCD8; Tue, 1 Sep 2015 16:30:15 -0700 (PDT)
Received: by pacwi10 with SMTP id wi10so10718558pac.3; Tue, 01 Sep 2015 16:30:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:subject:to:organization:message-id:date:user-agent :mime-version:content-type:content-transfer-encoding; bh=vWcsE1mckHPB+41QVtAh+9iNUeGTtNewxUOmYjdC0b4=; b=gwL9COMOr/EVRMxxUHVQOWuNERSODmQNBqaBaqf4uPKA2OF2rA3his60NnG4rsRc5l rozHGTzvdzDBYuZKBkyCvLHC/IYghGdZTHea3TQq/sNlQUkIcIlo5IPqHJS1Ynxtpfob RAgbVnQorEKo0Kuh93MZSvNz8ldL+UYTYphd0Cu2Qjwhda5MkH7L/cEbTfjaF6BfE+CO TfwZwIsvzL2dcOq1ZhA8Hsb0RQ15uYUe/k1LDv5BWLWK78MgerNO3hFMPUxuX/CtcKeV 88RYEZH36yJ52pJYqA824dMtpu2LCnHlizKIOsNgxdGIR0wzsabhHwzhR3ApJeKXB3Ah eoYw==
X-Received: by 10.68.65.104 with SMTP id w8mr39922653pbs.48.1441150214987; Tue, 01 Sep 2015 16:30:14 -0700 (PDT)
Received: from ?IPv6:2001:df0:0:2006:c0da:ac17:5f6d:8e76? ([2001:df0:0:2006:c0da:ac17:5f6d:8e76]) by smtp.gmail.com with ESMTPSA id ea13sm19515587pac.30.2015.09.01.16.30.11 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 01 Sep 2015 16:30:13 -0700 (PDT)
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
To: draft-ietf-dice-profile.all@ietf.org, General Area Review Team <gen-art@ietf.org>
Organization: University of Auckland
Message-ID: <55E63507.40404@gmail.com>
Date: Wed, 02 Sep 2015 11:30:15 +1200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/gen-art/YlfqBKbDsxLojc0nOpSzzeECcl8>
Subject: [Gen-art] Gen-ART Last Call review of draft-ietf-dice-profile-14
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Sep 2015 23:30:20 -0000
I am the assigned Gen-ART reviewer for this draft. The General Area Review Team (Gen-ART) reviews all IETF documents being processed by the IESG for the IETF Chair. Please treat these comments just like any other last call comments. For more information, please see the FAQ at <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>. Document: draft-ietf-dice-profile-14.txt Reviewer: Brian Carpenter Review Date: 2015-09-02 IETF LC End Date: 2015-09-04 IESG Telechat date: Summary: Ready with issues -------- Comment: -------- This is complicated and I'm not an expert. I went through the whole document but have to take most of the details on trust. Major Issues: ------------- One thing puzzles me. Unless I have missed it, the profile is neutral on the choice described in Section 6 (Credential Types): pre-shared secrets, raw public keys, or certificates. How does this work to help interoperability in multivendor environments? Wouldn't it be better to RECOMMEND one? ((The answer to this interests me in the Anima context too.)) Would it be possible to add a summary table of the MUST, SHOULD, MAY and MUST NOT items in the profile? At the moment there is a lot of prose and nothing that can be used as an implementer's check list. Minor Issues: ------------- " Figure 7 shows an example interaction... The IPv6 multicast address used for site-local discovery is FF02::FD." Where does ff02::fd come from? Is it just used as an example? That isn't clear in the text. (IANA lists it as "variable scope allocation".) ((Incidentally, this is a side track, but note that a command such as GET coap://[FF02::FD]/.well-known/core is problematic in a device with more than one interface, unless you support RFC6874.)) "6.4.2. Certificates used by Clients For client certificates the identifier used in the SubjectAltName or in the leftmost CN component of subject name MUST be an EUI-64, as mandated in Section 9.1.3.3 of [RFC7252]." Actually it is not mandated there, it is only suggested: " The subject in the certificate would be built out of a long-term unique identifier for the device such as the EUI-64 [EUI64]." You can certainly choose to mandate it here, but s/mandated/described/ in the text. However, I am confused by this MUST in 6.4.2, and other normative keywords in Section 6. Are we now in the specification of the DICE profile, or are we still in the descriptive text? I would expect a very clear break in the text when we move from description to specification. Looking at the table of contents, I can't figure out where that point is. OK, now I found a sentence at the beginning: "If you are familiar with (D)TLS, then skip ahead to Section 6." But please reflect this in the arrangement of the sections. I would suggest nesting sections 3,4, and 5 within a single "Overview" section, and put something at start of section 6 to make it clear that is where the profile starts. Or nest sections 6 etc. inside a single "Profile" section. Nits: ----- The RFC2119 boilerplate is messed up. == Outdated reference: draft-ietf-tls-sslv3-diediedie has been published as RFC 7568 The downref to RFC7251 was not mentioned in the last call and that RFC isn't in the downref registry. ((Yes, I've been in the IESG and I know how annoying this can be, but it's a process glitch.))
- [Gen-art] Gen-ART Last Call review of draft-ietf-… Brian E Carpenter
- Re: [Gen-art] Gen-ART Last Call review of draft-i… Hannes Tschofenig
- Re: [Gen-art] Gen-ART Last Call review of draft-i… FOSSATI, Thomas (Thomas)
- Re: [Gen-art] Gen-ART Last Call review of draft-i… Brian E Carpenter
- Re: [Gen-art] Gen-ART Last Call review of draft-i… FOSSATI, Thomas (Thomas)
- Re: [Gen-art] [Dtls-iot] Gen-ART Last Call review… Stephen Farrell
- Re: [Gen-art] [Dtls-iot] Gen-ART Last Call review… Brian E Carpenter
- Re: [Gen-art] [Dtls-iot] Gen-ART Last Call review… Stephen Farrell