Re: [Gen-art] Genart telechat review of draft-gutmann-scep-08
Christer Holmberg <christer.holmberg@ericsson.com> Sun, 04 February 2018 16:52 UTC
Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 42786127419 for <gen-art@ietfa.amsl.com>; Sun, 4 Feb 2018 08:52:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.321
X-Spam-Level:
X-Spam-Status: No, score=-4.321 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t8-BwD0HUcp4 for <gen-art@ietfa.amsl.com>; Sun, 4 Feb 2018 08:52:11 -0800 (PST)
Received: from sesbmg22.ericsson.net (sesbmg22.ericsson.net [193.180.251.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E36F6127369 for <gen-art@ietf.org>; Sun, 4 Feb 2018 08:52:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; d=ericsson.com; s=mailgw201801; c=relaxed/simple; q=dns/txt; i=@ericsson.com; t=1517763126; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=EccWz2KpusB7touPRaAD8F5xCdUkoIOtd997c3oKUU0=; b=ZYaK2dahWa/DWQQtKiePJLVR3bU8e4MqOIryhXbgvYocJATThYR1S6+ZFAtI4i7q X67bkXbc3s4GAxTG4VelIkNT8HE5DkQ0gW6VpvEP83l+vNKlTqrCKXNMN7oz1lMe 9WYMupoRcCb6kI7k+1qpeAO3fIIrUr+B/VbXaVj0/rI=;
X-AuditID: c1b4fb30-399ff70000004778-0b-5a773a36ea38
Received: from ESESSHC010.ericsson.se (Unknown_Domain [153.88.183.48]) by sesbmg22.ericsson.net (Symantec Mail Security) with SMTP id 41.0A.18296.63A377A5; Sun, 4 Feb 2018 17:52:06 +0100 (CET)
Received: from ESESSMB109.ericsson.se ([169.254.9.195]) by ESESSHC010.ericsson.se ([153.88.183.48]) with mapi id 14.03.0352.000; Sun, 4 Feb 2018 17:52:06 +0100
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, "gen-art@ietf.org" <gen-art@ietf.org>, "pgut001@DOMAIN.HIDDEN" <pgut001@DOMAIN.HIDDEN>
CC: "draft-gutmann-scep.all@ietf.org" <draft-gutmann-scep.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
Thread-Topic: [Gen-art] Genart telechat review of draft-gutmann-scep-08
Thread-Index: AQHTlgkCELmr+HoHm0eiD/BWeQTXJKOPrNqAgASiXwCAADFJIA==
Date: Sun, 04 Feb 2018 16:52:05 +0000
Message-ID: <7594FB04B1934943A5C02806D1A2204B6C1539D9@ESESSMB109.ericsson.se>
References: <151690435171.8462.17376545317175159264@ietfa.amsl.com>, <D698E1C1.2A474%christer.holmberg@ericsson.com> <1517755227267.36393@cs.auckland.ac.nz>
In-Reply-To: <1517755227267.36393@cs.auckland.ac.nz>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [153.88.183.149]
Content-Type: text/plain; charset="windows-1257"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprIIsWRmVeSWpSXmKPExsUyM2K7ga6ZVXmUwYv30hYzdv5nt7j66jOL xbON81ksXr57zmqx9vMKFgdWj4uNB5g8Phz8xeKxZMlPpgDmKC6blNSczLLUIn27BK6Mfwv3 MRacC6vY0TuLtYHxh0sXIyeHhICJxIKXh9lBbCGBw4wSXyfIdDFyAdmLGSXmz3oOlODgYBOw kOj+pw0SFxFoZ5Toe9DGBNLALJAlsaLlEpgtLOAm8efhT7BBIgLuEtt2PGaCsJ0kFh1/ygpi swioSJx685MRxOYV8JXY3DyDFWLZXEaJ9e0tbCAJTqCLtt5YwQxiMwqISXw/tQZqmbjErSfz mSCuFpBYsuc8M4QtKvHy8T9WCFtJYu3h7SwQ9QYSB84sZYSwtSWWLXzNDLFYUOLkzCcsExhF ZyEZOwtJyywkLbOQtCxgZFnFKFqcWpyUm25kpJdalJlcXJyfp5eXWrKJERhRB7f8NtjB+PK5 4yFGAQ5GJR7e3WrlUUKsiWXFlbmHGCU4mJVEeGdMKosS4k1JrKxKLcqPLyrNSS0+xCjNwaIk znvSkzdKSCA9sSQ1OzW1ILUIJsvEwSnVwKh8d5XUBN/3Nx99CHnrJSd2U3xqw+QzcubVHLVx fPnivT22KfJHWS/P6bt8Lfmj3abjWVmeV9/wSjZOuHXY1dd5eVeRl9i53Pur5dYEufHYLNY8 3X958fuXP64s+3xDgWHzLE5LNn37Fi6fSSe2fDnwLrvE/elKe6fc3jsL+Btvfam5xp+bKK/E UpyRaKjFXFScCAAWkPRTpAIAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/ey0CH7mj8SivOM0NX9Cv6XEWAsg>
Subject: Re: [Gen-art] Genart telechat review of draft-gutmann-scep-08
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Feb 2018 16:52:13 -0000
Hi, (I include your reply to yourself in this reply) Summary: All my issues have been addressed. >>Maybe some text about all that somewhere (e.g., in the Introduction >>section, or in a dedicated "History" section)? > > The "Background Notes" section already contains a pretty complete (without going overboard) history and notes > on what changed. What I can do if this will help is add a reference at the start: > > (see the <xref target="background">Background Notes</xref> section for more > on the history behind SCEP and the nearly two decade-long progress of this > standard) > > I think moving a large amount of text about the history of the draft into the introduction would make it a bit > messy, particularly since the Background Notes section contains extensive comments on how things have changed > over time, it's a couple of pages long. > > Replying to my own message: The proposed text would then read: > > This specification defines a protocol, Simple Certificate Enrolment Protocol (SCEP), for certificate management and > certificate and CRL queries. While widely deployed (see the <xref target="background">Background Notes</xref> section > for more on the history behind SCEP and the nearly two decade-long progress of this standard), this protocol ... > > which I think explains the nature of the "widely-deployed" comment while not overloading things with a huge load of historical commentary. Your suggestion above solves my issue. Thanks! >>Sure, but the text doesn't give any guidance on why it would reject the >>request. Since the sentence is in the same sentence talking about >>policies I assume the rejection would be if the policies are not fulfilled. > > It's up to the CA, thus the use of the catch-all "policies". It's meant to warn the client that a request won't automatically > result in a cert being issued, but doesn't constrain the CA in any way. The CA could reject or modify the request for any > reason, or perhaps for no reason, their HSM is offline, they're having a bad hair day, their network is down, ... it's just to > warn the client "don't automatically expect a cert back", but I can't really enumerate all the possible reasons why a rejection could happen. I think it's obvious (or, at least not specific to this mechanism) that a CA might reject a request (for whatever reason), but if you want to keep the text I won't argue :) >If you like I can change the text to: > > A CA MAY enforce any arbitrary policies and apply them to certificate > requests, and MAY reject a request for any reason. > >if that makes it clearer. It's better :) Not sure whether the MAYs should be with capital letters, though, as the draft doesn't define the procedures of the CA, but I'll leave that to others to comment on. >>>"It was like that when I got here". I can make it a non-subsection if >>>it reads better that way. >> >>I think it would be good. > >OK, fixed. Thanks! >>Since you use "SHOULD", it sounds more like just suggestions. > > OK, I've changed it to make the alternative explicit: > > After the client gets the CA certificate, it SHOULD authenticate the > certificate by comparing its fingerprint with the locally configured, out- > of-band distributed, identifying information, or by some equivalent means > such as a direct comparison with a locally-stored copy of the certificate. Looks good. >>I think it would be good to mention that. > > I've read through it again and I think a better solution is your original one, make it a MUST. If the CA indicates > it supports POST then there's no need to use GET, so it can be changed to a MUST: > > If the remote CA supports POST, the CMS-encoded SCEP messages MUST be sent > via HTTP POST instead of HTTP GET. Looks good. >> Couldn't the section simply be called "SCEP Transaction Examples", or something? > > Good idea, fixed. Thanks! Regards, Christer ________________________________________ From: Christer Holmberg <christer.holmberg@ericsson.com> Sent: Friday, 2 February 2018 02:42 To: gen-art@ietf.org; pgut001@DOMAIN.HIDDEN Cc: draft-gutmann-scep.all@ietf.org; ietf@ietf.org Subject: [FORGED] Re: [Gen-art] Genart telechat review of draft-gutmann-scep-08 Hi, >>However, there are some issues (mostly editorial) that I would like >>the authors to address. > > One comment on this, I didn't write the original text so I'll try and >accommodate as much as possible, but in some cases I've had to guess at >what the original authors intended. Also, the explanations for >several of the points raised in the questions is "it was like that >when I got here". >So in > the following, when I respond with another question, it's because I'm >not sure myself what should go in there, and I'm welcoming any >suggestions... > > Another general point, because this has spent close to twenty years in >draft status, it's been a de facto standard for most of that time so >there are "standards-compliant" implementations that have been in use >for more than a decade based on the draft. Because of this, I've had >to be very careful to avoid breaking things by introducing a MUST or >MUST NOT after nearly two decades of something not being a MUST. This >is why, in some places, there's a SHOULD with strong hints rather than >a MUST. > > The primary goal for this was to make it bits-on-the-wire compatible >(apart from the unavoidable single DES + MD5 -> AES + SHA-2), and to >minimise (ideally not to have any) breakage with deployed code. So >there are places where there are weasel-words ("we know you've been >doing this for fifteen years but you probably shouldn't any more"), >and others where I've retained text that I wouldn't have put in there >if I'd been the one writting the doc. Maybe some text about all that somewhere (e.g., in the Introduction section, or in a dedicated ³History² section)? >Q1: > >[Editing changes] > > I've had a go at changing this, but no matter what I do just ends up >as the same wording shuffled around, I end up just moving bits from >one location to another (it's already gone through a number of >re-wordings across different drafts). If there's a specific goal that >you're aiming for with the changes I can try and hit that, but I just >ended up saying more or less the same thing with different phrasing. I just think it sounds weird to talk about a widely deployed protocol that you are just about to publish. But, maybe with some history (see previous comment) it would become more clear. --- >>Q2: >> >>Doesn¹t the "While implementers are encouraged toŠ" sentence belong to >>the Security Considerations? > >It's not a security consideration, unless I'm missing something it only >discusses functionality and interoperability issues. Ok. --- >>Q3: >> >>The text says: >> >> "A CA MAY enforce any arbitrary policies and apply them to certificate >> requests, and MAY reject any request." >> >>The "MAY reject any request" parts sounds unfinished. I assume it¹s >>refers to cases where the client don¹t support such arbitrary >>policies? If so, I suggest to explicitly say so. >> >>Currently it sounds like a generic CA-may-reject-any-request >>statement, which I assume is not what you intend to say :) > > That's exactly what it's meant to say: "You can ask for anything you >want, but the CA isn't obligated to comply with your request". Sure, but the text doesn¹t give any guidance on why it would reject the request. Since the sentence is in the same sentence talking about policies I assume the rejection would be if the policies are not fulfilled. --- >>Q4: >> >>As the text talks about certificate distribution, is this really a >>subsection to section 2.1? > > "It was like that when I got here". I can make it a non-subsection if >it reads better that way. I think it would be good. The text itself doesn¹t change, soŠ --- >>Q5: >> >>The 4th paragraph contains a couple of SHOULDs. Is there a reason they >>can¹t be MUST? > >There are many ways to verify certs, those are just suggestions. For >example they may be hardcoded into the client (that's actually not >uncommon in SCADA use), in which case there's nothing to verify. Since you use ³SHOULD², it sounds more like just suggestions. --- >>Q6: >> >>The 5th paragraph talks about how early versions of the draft used GET >>messages for all communication. >> >>The text also says: >> >>³If the remote CA supports it, any of the CMS-encoded SCEP messages >>SHOULD be sent via HTTP POST instead of HTTP GET.² >> >>If the remove CA supports what? HTTP POST? > > Yes, fixed. > >>Why SHOULD, and not MUST? > > See the note about introducing breakage. > >>If the client understands to use POST if GET fails, why can¹t it use >>POST to begin with? > > It was meant to say (subtly) "if you're seeing these problems then >perhaps it's time you updated your code". I've changed the text to >make this more > explicit: > > The solution to this problem is to update the implementation to use > HTTP POST instead. Ok. >>In general, what is the reason for having this text about early >>versions of the draft? Backward compatibility with CAs that will only >>support GET? > >Yes. Not just CAs but major implementations like Microsoft's NDES. I think it would be good to mention that. --- >>Q7: >> >>The title of the section talks about state transitions, but then the >>text says that the section contains examples. >> >>Is there a reference to the state machine(s) that are represented in >>the examples? OR, does the section define the state machine(s)? > >"It was like that when I got here". It's supposed to illustrate state >transitions, so it's both a diagram and an example of what's supposed >to happen. I'm reluctant to start rewriting that to any extent >because, well, would you want to start poking around in there? I just think it¹s strange to talk about "state transitions" without any reference to a state machine (in fact, there seems to be two state machines - one for the client and one for the CA). Couldn¹t the section simply be called ³SCTP Transaction Examples², or something? --- >>Q8: >> >>The text says ³previous editors² and ³earlier editors². Please pick >>one and use it in both places :) > > It's actually "earlier authors", and it was deliberate, to distinguish >between the people who wrote it (authors) and those who came later and >merely edited the original authors' work (editors). Ok. Regards, Christer
- [Gen-art] Genart telechat review of draft-gutmann… Christer Holmberg
- Re: [Gen-art] [FORGED] Genart telechat review of … Peter Gutmann
- Re: [Gen-art] Genart telechat review of draft-gut… Christer Holmberg
- Re: [Gen-art] Genart telechat review of draft-gut… Peter Gutmann
- Re: [Gen-art] Genart telechat review of draft-gut… Peter Gutmann
- Re: [Gen-art] Genart telechat review of draft-gut… Christer Holmberg