Re: [Gen-art] review of draft-ietf-opsawg-sdi-02.txt
Warren Kumari <warren@kumari.net> Fri, 06 March 2020 17:09 UTC
Return-Path: <warren@kumari.net>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F0923A0B03 for <gen-art@ietfa.amsl.com>; Fri, 6 Mar 2020 09:09:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0iaiiFzAwNiW for <gen-art@ietfa.amsl.com>; Fri, 6 Mar 2020 09:09:49 -0800 (PST)
Received: from mail-lj1-x234.google.com (mail-lj1-x234.google.com [IPv6:2a00:1450:4864:20::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 18C443A0AC3 for <gen-art@ietf.org>; Fri, 6 Mar 2020 09:09:49 -0800 (PST)
Received: by mail-lj1-x234.google.com with SMTP id q19so2967670ljp.9 for <gen-art@ietf.org>; Fri, 06 Mar 2020 09:09:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=0jS2jzAmIhh6FNH8I4x21jT422Pk/r6eR0RrMbXUGZI=; b=UN75/vKbGq9vSzI/TNu76A2ROxZAql8rMUNeQ+QgZdJ9tIboJdSVTfbF4jSak5r2Q0 12tJ14EC0ddE+a2UvkavtpSc9rc8owJc1JLe9hr7atzh5cEuvcGAvX84CkLGGU5CdnFt WTnNywsith6bU87BgOCQZROuS0q5AC2T4hpigRBpJt8l3+hJ3c+lyw4wipUo9YADeoZy BxyEVXrPHBf7brUEdZiC7hJbVfLXoTVtp2Gz/cHzMQNTgmT+3SBWy04HuyRODZsOH7eV eiYBIV/XG7l4zfmd2NBuEZiXmNycwbawgyxJ9mOsm74pZN76zcP9SnmV1g0I3z1IeM8q LoEg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=0jS2jzAmIhh6FNH8I4x21jT422Pk/r6eR0RrMbXUGZI=; b=XJ0/kuWtcOFgUZjSZTitn4dvqSNwccoJIfbmg9VHhA8/5kcfM1X0ZGEcZs0HHftJ/7 Lb+T5nG6IhlTUabePk0HEVGVrQ8Qb00h1YOJl6wLuCDMD2LgvDCiFgnaL/15CqOxrgc2 zwwYzJWUuiJK8fp7humeS3mcYjlBvcIBgV7DDMRpIMXN46Fl71qDQb1ZUdJ0tL8YU1pJ lDTJPZ87Uhsu83LV80ThvGYXsx32bfKQVg/Hp4FYKOHN2FVYpGJ9Xx0JZR6nM0Pfz+dX eb9LFgWsBUVNlGecPxP5BUbQgx4V+N68L89Jn21JLiB8x4oqis3ZKD1Ms33XtXKSFwTL bl1g==
X-Gm-Message-State: ANhLgQ2XnMBR3a0IP+syrxrXgCkyyYWruEckAphf/jTiZmaZXPtAykaB PbPReq60iGP1/ZA3Z8YntCiYHUWH4mwAkQyPT0UgIHkI1Sw=
X-Google-Smtp-Source: ADFU+vuYScRM24Qfiq6Y16JNPy+3knxFImQkDIEBTAKPlG1JW7MdWx2AzeYjZKmmvLg7tbSYRxUgD1fka/jjrsrSacY=
X-Received: by 2002:a2e:9a8c:: with SMTP id p12mr2655173lji.156.1583514586620; Fri, 06 Mar 2020 09:09:46 -0800 (PST)
MIME-Version: 1.0
References: <202002181502.01IF253D063816@givry.fdupont.fr>
In-Reply-To: <202002181502.01IF253D063816@givry.fdupont.fr>
From: Warren Kumari <warren@kumari.net>
Date: Fri, 06 Mar 2020 12:09:08 -0500
Message-ID: <CAHw9_iKCKc9T9rQNfi2LVa_NiA-LRQPjJuO7BPGrUjVeji6A0w@mail.gmail.com>
To: Francis Dupont <Francis.Dupont@fdupont.fr>
Cc: General Area Review Team <gen-art@ietf.org>, draft-ietf-opsawg-sdi.all@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/f0V9L4yjRFHS3V75f7p8M_sjg5E>
Subject: Re: [Gen-art] review of draft-ietf-opsawg-sdi-02.txt
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Mar 2020 17:09:52 -0000
Wow, apologies, I had completely missed this email -- I have a complex set of filtering rules to allow me to focus on drafts on the upcoming telechats, and this fell into the cracks. On Tue, Feb 18, 2020 at 10:57 AM Francis Dupont <Francis.Dupont@fdupont.fr> wrote: > > I am the assigned Gen-ART reviewer for this draft. The General Area > Review Team (Gen-ART) reviews all IETF documents being processed > by the IESG for the IETF Chair. Please treat these comments just > like any other last call comments. > > For more information, please see the FAQ at > > <https://trac.ietf.org/trac/gen/wiki/GenArtfaq>. > > Document: draft-ietf-opsawg-sdi-02.txt > Reviewer: Francis Dupont > Review Date: 20200212 > IETF LC End Date: 20200218 > IESG Telechat date: unknown > > Summary: Almost Ready > > Major issues: None > > Minor issues: crypto use details are missing. IMHO it is a problem of > presentation, I propose: > - make only requirements in the first/normative part > - put all details in the appendix/demo part Thank you. I have attempted to do this - where I have crypto discussion I am clarifying that this is just illustrative, and that the vendor should figure out what is best for their environment. I also suggest vendors may want to consider draft-gutmann-scep. > > Nits/editorial comments: > - ToC page 2 and 8 page 11: Acknowledgements -> Acknowledgments Thank you, done. > > - 2 page 4: there are two kinds of certificates so I suggest at the > first occurrence to put "public key certificate". Done. Thank you. > > - 2 page 5, 2.2 page 5, 4.2 page 6, 5.3 page 10, 7 page 11: e.g -> e.g., Done (x8!) Thank you. > > - 3.1 page 5: as an example of something which could be specified but > IMHO should not be: the certificate has (extended) key usages and > other policy parameters. I added: :The vendor's Certificate Publication Server should only accept certificates from the manufacturing facility, and which match vendor defined policies (for example, extended key usage, extensions, etc.)" Does this address your concern? I suspect that this section (and others :-)) will get a fair but of discussion / feedback during IETF LC, and SecDir / IESG review :-) > > - 4.2 page 6: in "The operator will then encrypt the > initial configuration to the key in the certifcate" > * the "to" seems a bit strange to me (I expected "with" but I am > not a native English speaker) > * public key crypto does not provide a way to directly encrypt > a large amount of data. IMHO it is not a real problem: just > require the key is used to protect the initial configuration > * it will be fine to have a bit more than confidentiality, for > instance to protect integrity or at least the data length. > Last both points are handled by SMIME so again it is only a > presentation problem. Thank you -- the example uses SMIME specifically for this reason. I was trying to word it in a way that was neither too prescriptive, nor too convoluted. How is: "The operator will then encrypt the initial configuration (for example, using SMIME) using the key in the certificate, and place it on their TFTP server. " > > - 4.3 page 7: Add that DHCP option 66 is TFTP server name and > option 150 is TFTP server address. Oooh, thank you. Done. > > - 5.1 page 10: I've checked (googled it) the TPM abbrev and it seems > the common usage in the context is the expected one (BTW it is > not in the RFC editor abbrev table). Thank you - I expanded it. > > - B.1.1 page 13: IMHO it is a good diea to give the OpenSSL command > line (OpenSSL man pages are more than cryptic :-). Thank you - OpenSSL CLI processing is indeed, um, cryptic. I somewhat think that this is by design - if someone accidentally publishes their key, it doesn't actually matter, because no-one will figure out how to invoke OpenSSL to *do* anything with it :-P > > - B.2.2 page 14: I support the choice of S/MIME: it does the job > (including length check) and it is commonly available. > Of course there should be better ways but it is clearly far > better than a home made solution. BTW as it is encoded ASN.1 it > is trivial to recognize (i.e., no ambiguity with ASCII text). Thank you! > > - B.3 page 15: then then -> then Oooh, good catch, fixed, thank you. W > Regards > > Francis.Dupont@fdupont.fr > > PS: I removed spelling errors which were fixed in version 03. -- I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf
- [Gen-art] review of draft-ietf-opsawg-sdi-02.txt Francis Dupont
- Re: [Gen-art] review of draft-ietf-opsawg-sdi-02.… Joe Clarke (jclarke)
- Re: [Gen-art] review of draft-ietf-opsawg-sdi-02.… Warren Kumari
- Re: [Gen-art] review of draft-ietf-opsawg-sdi-02.… Warren Kumari
- Re: [Gen-art] review of draft-ietf-opsawg-sdi-02.… Alissa Cooper