Re: [Gen-art] Genart last call review of draft-ietf-tls-exported-authenticator-09

Nick Sullivan <nick@cloudflare.com> Mon, 15 July 2019 20:45 UTC

From: Nick Sullivan <nick@cloudflare.com>
Date: Mon, 15 Jul 2019 13:45:16 -0700
Message-ID: <CAFDDyk91yL7CHjWbjtkZ1poJ3=GHQZmUO3t1hnESKdN5NejMMw@mail.gmail.com>
To: Christer Holmberg <christer.holmberg@ericsson.com>
Cc: gen-art@ietf.org, draft-ietf-tls-exported-authenticator.all@ietf.org, ietf@ietf.org, "<tls@ietf.org>" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/fKbMjLPa-q-r7wa2-79tab9AF2Y>

Christer,

Thank you for the review. I'll attempt to address these in time for the
submission window to open up again.

Best,
Nick

On Sun, Jul 7, 2019 at 3:58 AM Christer Holmberg via Datatracker <noreply@ietf.org> wrote:

> Reviewer: Christer Holmberg
> Review result: Ready with Issues
>
> I am the assigned Gen-ART reviewer for this draft. The General Area
> Review Team (Gen-ART) reviews all IETF documents being processed
> by the IESG for the IETF Chair.  Please treat these comments just
> like any other last call comments.
>
> For more information, please see the FAQ at
>
> <https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.
>
> Document: draft-ietf-tls-exported-authenticator-09
> Reviewer: Christer Holmberg
> Review Date: 2019-07-07
> IETF LC End Date: 2019-07-16
> IESG Telechat date: Not scheduled for a telechat
>
> Summary: The document is well written. However, I have found some issues
> that the author may want to consider clarifying in the document.
>
> Major issues: N/A
>
> Minor issues:
>
> MIN_1:
> The last sentence of Section 1 says that the mechanism requires TLS
> version 1.2 or later. Would it be useful to state that in a dedicated
> Applicability section?
>
> MIN_2:
> Can the mechanism be used also for DTLS?
>
> MIN_3:
> The document talks about additional certificates. If I only have one
> additional certificate, can I use that for multiple authenticators
> throughout the TLS session?
>
> MIN_4:
> Sections 3 and 4 say that the authenticator request and authenticator
> SHOULD be sent using TLS, and Section 1 says that the proof of
> authentication can be sent out-of-band. I think it would be useful to
> clarify whether both the authenticator request and authenticator can be
> sent out-of-band (i.e., not using the TLS connection that the additional
> authentication is associated with), and also to state whether it IS
> allowed to send the authenticator request and authenticator on the TLS
> connection they are associated with.
>
> MIN_5:
> Section 5 talks about an endpoint sending an empty authenticator. But,
> what if the sender of the authenticator request does not receive
> anything? Does it simply move on? Does it terminate the TLS session? Is
> the action based on local policy?
>
> MIN_6:
> Related to MIN_5, I can't find text about how endpoints inform each other
> about the support of the mechanism, so maybe a few words about that would
> be useful. And some words about backward compatibility with endpoints
> that don't support the mechanism.
>
> MIN_7:
> What happens if the validation of an authenticator fails? Does the
> requester simply move on? Does it terminate the TLS session? Is the
> action based on local policy?
>
> Nits/editorial comments:
>
> ED_1:
> The document uses "session", "TLS connection" and "TLS communication"
> terminology. Is that intentional, or would it be possible to use
> consistent terminology?
>
> ED_2:
> Section 3 says: "The authenticator request is a structured message that
> can be created..." Section 4 says: "The authenticator is a structured
> message that can be exported..."
>
> In the 2nd paragraph of Section 4 it is stated that "authenticator" is
> sent based on an "authenticator request". I wonder if that could be
> stated already in the beginning of Section 4, to further clarify the
> difference between them. E.g.,
>
> "The authenticator is a structured message, triggered by an authenticator
> request, that can be exported from either party of a TLS connection."