Re: [Gen-art] Re: Resolving the DISCUSS on draft-ietf-msec-policy-token-sec-05.txt (Summary)
Lakshminath Dondeti <ldondeti@qualcomm.com> Mon, 23 January 2006 22:06 UTC
Received: from localhost.cnri.reston.va.us ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1F19ph-0002Tl-Pv; Mon, 23 Jan 2006 17:06:41 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1F19pf-0002Tb-SV for gen-art@megatron.ietf.org; Mon, 23 Jan 2006 17:06:40 -0500
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA26054 for <gen-art@ietf.org>; Mon, 23 Jan 2006 17:05:10 -0500 (EST)
Received: from numenor.qualcomm.com ([129.46.51.58]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1F19z2-00085O-37 for gen-art@ietf.org; Mon, 23 Jan 2006 17:16:21 -0500
Received: from neophyte.qualcomm.com (neophyte.qualcomm.com [129.46.61.149]) by numenor.qualcomm.com (8.12.10/8.12.5/1.0) with ESMTP id k0NM6O8r019499 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Mon, 23 Jan 2006 14:06:24 -0800
Received: from LDONDETI.qualcomm.com (qconnect-10-50-68-214.qualcomm.com [10.50.68.214]) by neophyte.qualcomm.com (8.12.10/8.12.5/1.0) with ESMTP id k0NM6LFB023477 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 23 Jan 2006 14:06:22 -0800 (PST)
Message-Id: <6.2.5.6.2.20060123140444.03e6c878@qualcomm.com>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.5.6
Date: Mon, 23 Jan 2006 14:06:22 -0800
To: Brian E Carpenter <brc@zurich.ibm.com>, Scott W Brim <sbrim@cisco.com>, gen-art@ietf.org
From: Lakshminath Dondeti <ldondeti@qualcomm.com>
Subject: Re: [Gen-art] Re: Resolving the DISCUSS on draft-ietf-msec-policy-token-sec-05.txt (Summary)
In-Reply-To: <6.2.5.6.2.20060123135433.03b885d0@qualcomm.com>
References: <6.2.5.6.2.20060119135416.03d59288@qualcomm.com> <BFF579C3.DC2%Andrea.Colegrove@sparta.com> <6.2.5.6.2.20060123130749.038b9f98@qualcomm.com> <6.2.5.6.2.20060123135433.03b885d0@qualcomm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 22bbb45ef41b733eb2d03ee71ece8243
Cc: Hugh Harney <hh@sparta.com>, Andrea Colegrove <Andrea.Colegrove@sparta.com>, canetti <canetti@watson.ibm.com>, Russ Housley <housley@vigilsec.com>, uri.meth@sparta.com
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
Sender: gen-art-bounces@ietf.org
Errors-To: gen-art-bounces@ietf.org
Just to clarify a bit further, issues 1 and 2 are on the use of ASN
and the proposed responses for (1) and (2) together address those issues.
Lakshminath
At 01:59 PM 1/23/2006, Lakshminath Dondeti wrote:
>Hi Brian and Scott,
>
>Please review the following notes to see if they address your
>concerns on the MSEC Policy Token draft. Thanks to Russ for helping
>Andrea and Uri craft some of the responses.
>
>Please look for <Res></Res> below (there is one <LD></LD> below,
>please ignore that for now; it is related to an IANA concern).
>
>thanks and regards,
>Lakshminath
>
>At 01:31 PM 1/23/2006, Lakshminath Dondeti wrote:
>
>
>
>
>>1) Misuse of ASN.1. The document cites the 1997 ASN.1, but has a
>>number of choices and structures that seem like they are intended to
>>be extended in the future. Without extensibility markers, a
>>conforming implementation will reject a sequence or choice with
>>elements not permitted by the abstract syntax.
>>
>><Res>
>>The EXPORTS statement is to be removed so that any structure def can be
>>exported.
>>
>></Res>
>>
>>
>>2) There is no extensibility or versioning strategy described in the
>>document. How do we add fields? What should recipients of a token do
>>if they do not understand part of it?
>>
>><Res>
>>A Policy Token version indicator is to be added to the TokenID.
>>
>></Res>
>>
>><Res>
>>Russ provided the following example that we might use:
>> TBSCertificate ::= SEQUENCE {
>> version [0] Version DEFAULT v1,
>> ....
>>
>> Version ::= INTEGER { v1(0), v2(1), v3(2) }
>>
>>
>></Res>
>>
>><Res>
>>"Implementations encountering unknown protocol identifiers MUST handle
>>this gracefully by providing indicators that an unknown protocol is among
>>the sequence of permissible protocols. If the unknown protocol is the only
>>allowable protocol in the sequence, then the implementation cannot support
>>that field and the member cannot join the group.
>>It is a matter of local policy whether a join is permitted when
>>an unknown protocol exists among other allowable, known protocols."
>>
>></Res>
>>The above will be added to provide
>>handling instructions when encountering unknown protocols.
>>
>>
>><Res>
>>Under the main token structure it will say that additional protocols
>>SHOULD NOT be added unless the MSEC architecture changes.
>>
>></Res>
>>
>>3) It's not clear that the GSAKMP document combined with this document
>>provides enough mandatory to implement features that any two
>>implementations of this specification will work together. The GSAKMP
>>document specifies mandatory to implement mechanisms for GSAKMP.
>>However the policy token allows for a wide variety of combinations of
>>protocols. For example, a policy token could specify one protocol for
>>registration, one protocol for rekey, and a completely different
>>protocol for de-registration. If only one of these is GSAKMP, what
>>happens? Where is it specified what combinations a GM, a GC/KS etc
>>must support in terms of policy token contents?
>>
>>
>><Res>I understand the issue, but the token's purpose is to tie the
>>abstract MSEC
>>architecture to a configurable system. The MSEC architecture allows for any
>>of these protocols for registration, de-registration, etc. and does not
>>specify what the mandatory to implement protocols are. To say that the
>>appendix B and appendix C protocols are the mandatory-to-implement protocols
>>would mean that the MSEC architecture now requires those protocols. This is
>>one case where I believe a mandatory to implement scheme would be a
>>disservice to the community.
>>
>>Interoperability testing for the token, really becomes system
>>interoperability testing vs. protocol interoperability testing.
>></Res>
>>
>>
>>4) IANA Comments:
>>The IANA Considerations section requests that 13 object identifiers
>>be assigned.
>>In which registry should these be assigned? IANA needs clarification.
>>
>>
>><Res>
>>Statement to IANA section will essentially say that the spec is extended
>>through specification. Those specifying new objects will register them with
>>IANA. Those that change the structure of the PT must change the version
>>indicator.
>>
>></Res>
>>
>><LD>
>>The resolution does not address the question on "which registry"
>>should be used. I think this requires a new registry, right?
>></LD>
>
>
>
>_______________________________________________
>Gen-art mailing list
>Gen-art@ietf.org
>https://www1.ietf.org/mailman/listinfo/gen-art
_______________________________________________
Gen-art mailing list
Gen-art@ietf.org
https://www1.ietf.org/mailman/listinfo/gen-art
- [Gen-art] Re: Resolving the DISCUSS on draft-ietf… Lakshminath Dondeti
- Re: [Gen-art] Re: Resolving the DISCUSS on draft-… Lakshminath Dondeti