Re: [Gen-art] Genart last call review of draft-ietf-tls-exported-authenticator-09
Nick Sullivan <nick@cloudflare.com> Mon, 15 July 2019 20:45 UTC
From: Nick Sullivan <nick@cloudflare.com>
Date: Mon, 15 Jul 2019 13:45:16 -0700
To: Christer Holmberg <christer.holmberg@ericsson.com>
Cc: gen-art@ietf.org, draft-ietf-tls-exported-authenticator.all@ietf.org, ietf@ietf.org, "<tls@ietf.org>" <tls@ietf.org>
Christer,

Thank you for the review. I'll attempt to address these in time for the submission window to open up again.

Best,
Nick

On Sun, Jul 7, 2019 at 3:58 AM Christer Holmberg via Datatracker <noreply@ietf.org> wrote:

> Reviewer: Christer Holmberg
> Review result: Ready with Issues
>
> I am the assigned Gen-ART reviewer for this draft. The General Area Review Team (Gen-ART) reviews all IETF documents being processed by the IESG for the IETF Chair. Please treat these comments just like any other last call comments.
>
> For more information, please see the FAQ at <https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.
>
> Document: draft-ietf-tls-exported-authenticator-09
> Reviewer: Christer Holmberg
> Review Date: 2019-07-07
> IETF LC End Date: 2019-07-16
> IESG Telechat date: Not scheduled for a telechat
>
> Summary: The document is well written. However, I have found some issues that the author may want to consider clarifying in the document.
>
> Major issues: N/A
>
> Minor issues:
>
> MIN_1:
> The last sentence of Section 1 says that the mechanism requires TLS version 1.2 or later. Would it be useful to state that in a dedicated Applicability section?
>
> MIN_2:
> Can the mechanism be used also for DTLS?
>
> MIN_3:
> The documents talk about additional certificates. If I only have one additional certificate, can I use that for multiple authenticators throughout the TLS session?
>
> MIN_4:
> Sections 3 and 4 say that the authenticator request and authenticator SHOULD be sent using TLS, and Section 1 says that the proof of authentication can be sent out-of-band. I think it would be useful to clarify whether both the authenticator request and authenticator can be sent out-of-band (i.e., not using the TLS connection that the additional authentication is associated with), and also to state whether it IS allowed to send the authenticator request and authenticator on the TLS connection they are associated with.
>
> MIN_5:
> Section 5 talks about an endpoint sending an empty authenticator. But, what if the sender of the authenticator request does not receive anything? Does it simply move on? Does it terminate the TLS session? Is the action based on local policy?
>
> MIN_6:
> Related to MIN_5, I can't find text about how endpoints inform each other about the support of the mechanism, so maybe a few words about that would be useful. And some words about backward compatibility with endpoints that don't support the mechanism.
>
> MIN_7:
> What happens if the validation of an authenticator fails? Does the requester simply move on? Does it terminate the TLS session? Is the action based on local policy?
>
> Nits/editorial comments:
>
> ED_1:
> The document uses "session", "TLS connection" and "TLS communication" terminology. Is that intentional, or would it be possible to use consistent terminology?
>
> ED_2:
> Section 3 says: "The authenticator request is a structured message that can be created..." Section 4 says: "The authenticator is a structured message that can be exported..."
>
> In the 2nd paragraph of Section 4 it is stated that "authenticator" is sent based on an "authenticator request". I wonder if that could be stated already in the beginning of Section 4, to further clarify the difference between them. E.g.,
>
> "The authenticator is a structured message, triggered by an authenticator request, that can be exported from either party of a TLS connection."