Re: [Gen-art] Re: Resolving the DISCUSS on draft-ietf-msec-policy-token-sec-05.txt (Summary)
Lakshminath Dondeti <ldondeti@qualcomm.com> Mon, 23 January 2006 22:06 UTC
Received: from localhost.cnri.reston.va.us ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1F19ph-0002Tl-Pv; Mon, 23 Jan 2006 17:06:41 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1F19pf-0002Tb-SV for gen-art@megatron.ietf.org; Mon, 23 Jan 2006 17:06:40 -0500
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA26054 for <gen-art@ietf.org>; Mon, 23 Jan 2006 17:05:10 -0500 (EST)
Received: from numenor.qualcomm.com ([129.46.51.58]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1F19z2-00085O-37 for gen-art@ietf.org; Mon, 23 Jan 2006 17:16:21 -0500
Received: from neophyte.qualcomm.com (neophyte.qualcomm.com [129.46.61.149]) by numenor.qualcomm.com (8.12.10/8.12.5/1.0) with ESMTP id k0NM6O8r019499 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Mon, 23 Jan 2006 14:06:24 -0800
Received: from LDONDETI.qualcomm.com (qconnect-10-50-68-214.qualcomm.com [10.50.68.214]) by neophyte.qualcomm.com (8.12.10/8.12.5/1.0) with ESMTP id k0NM6LFB023477 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 23 Jan 2006 14:06:22 -0800 (PST)
Message-Id: <6.2.5.6.2.20060123140444.03e6c878@qualcomm.com>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.5.6
Date: Mon, 23 Jan 2006 14:06:22 -0800
To: Brian E Carpenter <brc@zurich.ibm.com>, Scott W Brim <sbrim@cisco.com>, gen-art@ietf.org
From: Lakshminath Dondeti <ldondeti@qualcomm.com>
Subject: Re: [Gen-art] Re: Resolving the DISCUSS on draft-ietf-msec-policy-token-sec-05.txt (Summary)
In-Reply-To: <6.2.5.6.2.20060123135433.03b885d0@qualcomm.com>
References: <6.2.5.6.2.20060119135416.03d59288@qualcomm.com> <BFF579C3.DC2%Andrea.Colegrove@sparta.com> <6.2.5.6.2.20060123130749.038b9f98@qualcomm.com> <6.2.5.6.2.20060123135433.03b885d0@qualcomm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 22bbb45ef41b733eb2d03ee71ece8243
Cc: Hugh Harney <hh@sparta.com>, Andrea Colegrove <Andrea.Colegrove@sparta.com>, canetti <canetti@watson.ibm.com>, Russ Housley <housley@vigilsec.com>, uri.meth@sparta.com
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
Sender: gen-art-bounces@ietf.org
Errors-To: gen-art-bounces@ietf.org
Just to clarify a bit further, issues 1 and 2 are on the use of ASN and the proposed responses for (1) and (2) together address those issues. Lakshminath At 01:59 PM 1/23/2006, Lakshminath Dondeti wrote: >Hi Brian and Scott, > >Please review the following notes to see if they address your >concerns on the MSEC Policy Token draft. Thanks to Russ for helping >Andrea and Uri craft some of the responses. > >Please look for <Res></Res> below (there is one <LD></LD> below, >please ignore that for now; it is related to an IANA concern). > >thanks and regards, >Lakshminath > >At 01:31 PM 1/23/2006, Lakshminath Dondeti wrote: > > > > >>1) Misuse of ASN.1. The document cites the 1997 ASN.1, but has a >>number of choices and structures that seem like they are intended to >>be extended in the future. Without extensibility markers, a >>conforming implementation will reject a sequence or choice with >>elements not permitted by the abstract syntax. >> >><Res> >>The EXPORTS statement is to be removed so that any structure def can be >>exported. >> >></Res> >> >> >>2) There is no extensibility or versioning strategy described in the >>document. How do we add fields? What should recipients of a token do >>if they do not understand part of it? >> >><Res> >>A Policy Token version indicator is to be added to the TokenID. >> >></Res> >> >><Res> >>Russ provided the following example that we might use: >> TBSCertificate ::= SEQUENCE { >> version [0] Version DEFAULT v1, >> .... >> >> Version ::= INTEGER { v1(0), v2(1), v3(2) } >> >> >></Res> >> >><Res> >>"Implementations encountering unknown protocol identifiers MUST handle >>this gracefully by providing indicators that an unknown protocol is among >>the sequence of permissible protocols. If the unknown protocol is the only >>allowable protocol in the sequence, then the implementation cannot support >>that field and the member cannot join the group. >>It is a matter of local policy whether a join is permitted when >>an unknown protocol exists among other allowable, known protocols." >> >></Res> >>The above will be added to provide >>handling instructions when encountering unknown protocols. >> >> >><Res> >>Under the main token structure it will say that additional protocols >>SHOULD NOT be added unless the MSEC architecture changes. >> >></Res> >> >>3) It's not clear that the GSAKMP document combined with this document >>provides enough mandatory to implement features that any two >>implementations of this specification will work together. The GSAKMP >>document specifies mandatory to implement mechanisms for GSAKMP. >>However the policy token allows for a wide variety of combinations of >>protocols. For example, a policy token could specify one protocol for >>registration, one protocol for rekey, and a completely different >>protocol for de-registration. If only one of these is GSAKMP, what >>happens? Where is it specified what combinations a GM, a GC/KS etc >>must support in terms of policy token contents? >> >> >><Res>I understand the issue, but the token's purpose is to tie the >>abstract MSEC >>architecture to a configurable system. The MSEC architecture allows for any >>of these protocols for registration, de-registration, etc. and does not >>specify what the mandatory to implement protocols are. To say that the >>appendix B and appendix C protocols are the mandatory-to-implement protocols >>would mean that the MSEC architecture now requires those protocols. This is >>one case where I believe a mandatory to implement scheme would be a >>disservice to the community. >> >>Interoperability testing for the token, really becomes system >>interoperability testing vs. protocol interoperability testing. >></Res> >> >> >>4) IANA Comments: >>The IANA Considerations section requests that 13 object identifiers >>be assigned. >>In which registry should these be assigned? IANA needs clarification. >> >> >><Res> >>Statement to IANA section will essentially say that the spec is extended >>through specification. Those specifying new objects will register them with >>IANA. Those that change the structure of the PT must change the version >>indicator. >> >></Res> >> >><LD> >>The resolution does not address the question on "which registry" >>should be used. I think this requires a new registry, right? >></LD> > > > >_______________________________________________ >Gen-art mailing list >Gen-art@ietf.org >https://www1.ietf.org/mailman/listinfo/gen-art _______________________________________________ Gen-art mailing list Gen-art@ietf.org https://www1.ietf.org/mailman/listinfo/gen-art
- [Gen-art] Re: Resolving the DISCUSS on draft-ietf… Lakshminath Dondeti
- Re: [Gen-art] Re: Resolving the DISCUSS on draft-… Lakshminath Dondeti