Re: [Gen-art] Genart last call review of draft-ietf-stir-certificates-15
Sean Turner <sean@sn3rd.com> Tue, 21 November 2017 15:19 UTC
Return-Path: <sean@sn3rd.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 470D11294B2 for <gen-art@ietfa.amsl.com>; Tue, 21 Nov 2017 07:19:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sn3rd.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mc0X82PY_yAl for <gen-art@ietfa.amsl.com>; Tue, 21 Nov 2017 07:19:17 -0800 (PST)
Received: from mail-qt0-x229.google.com (mail-qt0-x229.google.com [IPv6:2607:f8b0:400d:c0d::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A64161243F6 for <gen-art@ietf.org>; Tue, 21 Nov 2017 07:19:15 -0800 (PST)
Received: by mail-qt0-x229.google.com with SMTP id 31so19591122qtz.9 for <gen-art@ietf.org>; Tue, 21 Nov 2017 07:19:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sn3rd.com; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=wdfq8VECaJiXJAC6DQrG5cU2aOJLrDv7GpabiriqxLI=; b=IvZPq0SQpmW3vR24xSd4WrskNz/Cxbx1rKlE95c3MbuPFp9gMgyCYLL5dYYAxbWsjj kPKWiPcbkvWYxvkQRkhmt0HZU0+hGQ6fkaOTzdX4d9GyXm7ZoDa97+SoRoGpjk+/vo9X DzRORZ9ue8ebHENiVzBhRXmbUo3P8l3cxh3Ec=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=wdfq8VECaJiXJAC6DQrG5cU2aOJLrDv7GpabiriqxLI=; b=dN4mrVFlXh3CO7UZBiYFfQ4dDW6MvT0zW4pcZ2jIkyH3H4UD2Ka868R/FlLEvPnPC/ KmFjWQXFvVIpLEgYsBji699FaJYj4nXXbpBFh5EtiQPgQ6ByOM/kJITNghnSHIW03zAN zy4SpZHIVuBhHwrAwdhMtmxP55akhJ72ox5Vvn4Mry2Vivz52ePY+tzFqHNfbcmfgH5y Mh1p4yFjcgg30S5FJq+clnnd8t5drAiTJhNCQfr1727Xg6yEyjIOx+qCBGhoph5JAhWG Zm2Ji7aoKlEAbH2xJl+rxJ3/BUV7POAyDapiKpgDfZzl+0UXHJzJhk29QXF4onEJ9BqG Ewtw==
X-Gm-Message-State: AJaThX7kHEwhJ5d4rEy6fgVpJrrykv3Nqx+CDRHYDe8I8Lfu1ugAhq/b pLEjwtFhtmDzUiarbHPNWanzBg==
X-Google-Smtp-Source: AGs4zMY0gMngoQnXbootTJLn25w+Ido0C3vzFMRBhLIjrlbfHshVpzqv+cijgcQV1qnzzKPLsXpGfw==
X-Received: by 10.237.37.162 with SMTP id x31mr28424033qtc.58.1511277554641; Tue, 21 Nov 2017 07:19:14 -0800 (PST)
Received: from [172.16.0.18] ([96.231.220.27]) by smtp.gmail.com with ESMTPSA id w23sm8898246qtj.35.2017.11.21.07.19.13 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 21 Nov 2017 07:19:13 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Sean Turner <sean@sn3rd.com>
In-Reply-To: <151090177468.22136.5281729043778955691@ietfa.amsl.com>
Date: Tue, 21 Nov 2017 10:19:12 -0500
Cc: gen-art@ietf.org, draft-ietf-stir-certificates.all@ietf.org, stir@ietf.org, ietf@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <3A0F58AA-1397-445F-AD99-CED165E4EAE4@sn3rd.com>
References: <151090177468.22136.5281729043778955691@ietfa.amsl.com>
To: Joel Halpern <jmh@joelhalpern.com>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/eWTPF_aazCJ7PsEOorOTocxb__A>
Subject: Re: [Gen-art] Genart last call review of draft-ietf-stir-certificates-15
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Nov 2017 15:19:18 -0000
> On Nov 17, 2017, at 14:56, Joel Halpern <jmh@joelhalpern.com> wrote: > > Reviewer: Joel Halpern > Review result: Ready > > I am the assigned Gen-ART reviewer for this draft. The General Area > Review Team (Gen-ART) reviews all IETF documents being processed > by the IESG for the IETF Chair. Please treat these comments just > like any other last call comments. > > For more information, please see the FAQ at > > <https://trac.ietf.org/trac/gen/wiki/GenArtfaq>. > > Document: draft-ietf-stir-certificates-15 > Reviewer: Joel Halpern > Review Date: 2017-11-16 > IETF LC End Date: 2017-11-30 > IESG Telechat date: 2017-12-14 > > Summary: > > Major issues: > > Minor issues: > Section 4 bullet 4 in naming the crypto algorithms refers quite clearly to > 2 algorithms. It then references one of them as RS256. I assume those > versed in the field will know which one is meant. But it would be better > if the abbreviation RS256 appeared next to the first reference to whichever > algorithm it means. Ah okay I see what’s going on, the two algorithms are introduced in the previous sentence but we use the registered value as opposed to the name in the next sentence. How about I replace “RS256" with the “latter” as it is the 2nd algorithm discussed in the previous sentence. > The security considerations section points to RFC 5280 security > considerations for most issues. I presume that the intention is to use > that section regarding trusting CAs. However, it seems that there is an > issue here much like that of classic web CAs. The number of CAs that must > be trusted seems to be on the order of the number of countries in the > world. That seems to leave a large window for false or misleading > certifications, as I can see nothing which restricts what numbers for which > those top level CAs can provide attestation. I presume we do not want to > go down the path of requiring an uber-CA for all national authorities. I > would expect some explicit recognition of this issue in this document. Two points intertwined here: - uber-CA: The WG explicitly agreed to say nothing about this topic. I agree with you that we should not add any text concerning this point. - Trust Anchor/Delegation: RFC5280’s SecCons already state that determining the Trusted CA (aka Trust Anchor) is out of scope. The same is true here and I guess I could copy that text over, but it seems unnecessary in my mind given that a) half the time I get chastised for copying forward SecCons, and more importantly b) there’s are more specifications required to implement this including but not limited to a CP (Certification Policy) and CPS (Certification Practice Statement); these additional specifications get written/approved/published by National Numbering Authorities. spt
- [Gen-art] Genart last call review of draft-ietf-s… Joel Halpern
- Re: [Gen-art] Genart last call review of draft-ie… Sean Turner
- Re: [Gen-art] Genart last call review of draft-ie… Joel Halpern Direct
- Re: [Gen-art] [stir] Genart last call review of d… Gorman, Pierce A [CTO]
- Re: [Gen-art] Genart last call review of draft-ie… Alissa Cooper