Re: [Gen-art] Gen-art last call review of draft-ietf-tls-multiple-cert-status-extension-04
Elwyn Davies <elwynd@dial.pipex.com> Sat, 23 March 2013 12:51 UTC
Return-Path: <elwynd@dial.pipex.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9594821F8A84 for <gen-art@ietfa.amsl.com>; Sat, 23 Mar 2013 05:51:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O+Ga8VB8PbGc for <gen-art@ietfa.amsl.com>; Sat, 23 Mar 2013 05:51:53 -0700 (PDT)
Received: from b.painless.aa.net.uk (b.painless.aa.net.uk [IPv6:2001:8b0:0:30::51bb:1e34]) by ietfa.amsl.com (Postfix) with ESMTP id 9B70821F8A4A for <gen-art@ietf.org>; Sat, 23 Mar 2013 05:51:53 -0700 (PDT)
Received: from mightyatom.folly.org.uk ([81.187.254.250]) by b.painless.aa.net.uk with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.72) (envelope-from <elwynd@dial.pipex.com>) id 1UJNvJ-0002ri-7W; Sat, 23 Mar 2013 12:51:49 +0000
From: Elwyn Davies <elwynd@dial.pipex.com>
To: "Yngve N. Pettersen" <yngve@spec-work.net>
In-Reply-To: <op.wuebbulj3dfyax@killashandra.invalid.invalid>
References: <514BA8CC.5000700@dial.pipex.com> <op.wuebbulj3dfyax@killashandra.invalid.invalid>
Content-Type: text/plain
Date: Sat, 23 Mar 2013 12:48:30 +0000
Message-Id: <1364042911.23866.4628.camel@mightyatom>
Mime-Version: 1.0
X-Mailer: Evolution 2.26.3
Content-Transfer-Encoding: 7bit
Cc: General Area Review Team <gen-art@ietf.org>, draft-ietf-tls-multiple-cert-status-extension.all@tools.ietf.org
Subject: Re: [Gen-art] Gen-art last call review of draft-ietf-tls-multiple-cert-status-extension-04
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Mar 2013 12:51:54 -0000
Hi. On Sat, 2013-03-23 at 11:56 +0100, Yngve N. Pettersen wrote: > Hi, > > Thanks for the review .. and thanks for the rapid response! Couple of comments in line below.. I've snipped the agreed stuff. Regards, Elwyn > > On Fri, 22 Mar 2013 01:41:48 +0100, Elwyn Davies <elwynd@dial.pipex.com> > wrote: > > > I am the assigned Gen-ART reviewer for this draft. For background on > > Gen-ART, please see the FAQ at > > > > <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>. > > > > Please resolve these comments along with any other Last Call comments > > you may receive. > > > > Document: draft-ietf-tls-multiple-cert-status-extension-04.txt > > Reviewer: Elwyn Davies > > Review Date: 22 March 2013 > > IETF LC End Date: 29 March 2013 > > IESG Telechat date: (if known) - > > > > Summary: Almost ready for IESG - one possible minor issue relating to > > the alleged criterion for ordering CertificateStatusRequestItems plus a > > number of nits that are mainly missing cross references and notes for > > clarity about updates of RFC 6066 items. > > > > Major issues: > > None > > > > Minor issues: > > s2.2: > >> The list of CertificateStatusRequestItem entries MUST be in order of > >> preference. > > Having thought a bit about this, I cannot identify what the preference > > criterion is - this may be because I don't understand the problem, but I > > think you need to explain what the criterion is if there really is one. > > If there *is* a criterion, it must be clear whether the order is most > > preferred first or least preferred first. Since I don't know what the > > criterion is, I can't tell if there are any security implications from > > the ordering: no chance of downgrade attacks? > > The list is ordered by the client, based on whatever criteria its > developer uses. These criteria can be based on objective evaluation of > each available method, or personal opinions about them. > > I have now clarified this sentence to be similar to the ciphersuite list > language in RFC 5246 > > New text: "The list of CertificateStatusRequestItem entries MUST be in > order of the client's preference (favorite choice first)." > > The server could still ignore that ordering when it picks the method to > use (for the ones it knows). OK that explains the criterion. However, as in the cipher suite list in RFC 5246, using a requirements MUST is inappropriate as it is not a testable protocol condition. I think what you are trying to get over is that the *server* SHOULD work from beginning to end of the list giving higher priority to items earlier in the list so that the client's desires are satisfied as far as possible. > For example if there is only one OCSP > response available for a chain, e.g because there is no intermediate or > the intermediate does not have an OCSP responder assigned, then it would > be overkill to use the multiple OCSP variant, so the single response > version would be used instead. Does this need some words then? > > > Nits/editorial comments: <<snip>> > > s2.2, para 4 on page 5: > >> In the case of the "id-pkix-ocsp-nonce" OCSP extension, [RFC2560 > >> <http://tools.ietf.org/html/rfc2560>] is > >> unclear about its encoding; for clarification,..... > > This probably needs to be flagged up in the IANA considerations so that > > an additional reference is added to the registry. > > ALSO I subsequently noted that this same caveat is already in RFC 6066. > > Consider referring to the caveat there rather than duplicating it. > > This language is, as you mention, a copy of the RFC 6066 note about this > problem. > > I think it is better to duplicate it, since it is so small. A longer and > more complex section would probably have been referenced, but adding such > references for small informational text would IMO make the document less > readable. Fair enough - and I realize this isn't an IANA matter. However, if this is an issue for RFC 2560, shouldn't somebody file an erratum? I couldn't see anything about this in the current set of errata. <<snip>>
- [Gen-art] Gen-art last call review of draft-ietf-… Elwyn Davies
- Re: [Gen-art] Gen-art last call review of draft-i… Yngve N. Pettersen
- Re: [Gen-art] Gen-art last call review of draft-i… Elwyn Davies
- Re: [Gen-art] Gen-art last call review of draft-i… Yngve N. Pettersen
- Re: [Gen-art] Gen-art last call review of draft-i… Elwyn Davies
- Re: [Gen-art] Gen-art last call review of draft-i… Yngve N. Pettersen