Re: [Gen-art] Genart telechat review of draft-ietf-anima-bootstrapping-keyinfra-28

tom petch <daedulus@btconnect.com> Fri, 18 October 2019 12:13 UTC

Return-Path: <daedulus@btconnect.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E1EB1200B4; Fri, 18 Oct 2019 05:13:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.248
X-Spam-Level:
X-Spam-Status: No, score=0.248 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RATWARE_MS_HASH=2.148, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=btconnect.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DIqn_-FEUpUa; Fri, 18 Oct 2019 05:13:46 -0700 (PDT)
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-eopbgr80132.outbound.protection.outlook.com [40.107.8.132]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 04C5B1200B3; Fri, 18 Oct 2019 05:13:45 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Cv73SNsGF/SPqDx5c0di8CqA2ijbcKAnOIlj51rLy5eoMffBLL9QgSVRCWLB5kbC5mj4SqNpeTe1k/hdrMbk7uZvG9BuJskxICixx3Vx+JYvPTCPpgo/AkEw9pjrz1rlGIW0XnCQJJRC2SpbPewUA1HRgM952+FEbjxi5QkvpbwhVbEQeiA7l8Lj/Vei0rnGjQZ3nQOMckbwcZ8/u8jN8WN2N+ForUC9y8u1AMdAf5+f6fRe5zue25E2lG4OVCdQEJI2+6RXGdcrYgeNR89rfkCynr0rWPE4Y/1OBBsMGMoFW65XScEhp8TsFe/Bbkpwk6tUtjLO+P35RG8S7A6IjA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=h3N3kVpa98JmPCefCVvxZVemwtOrqky9deYnimYwFx4=; b=nhDZMdhUrqrFLQqd9zhTvvZmxk7ML1s9y1Xc/kMIGL8Lw5GTzTC0Dd0FfB4lnWSE7kwWvyaoMte2Nngk7+6H9kPmv5VVdXymXQLnSLrNZ0Z4qA8Q2BQ8LFTPw1IaC1wXkizSlzGR49enmCbv/py3L5ndTai3uwNaalHfZmoeg+9e1F0bZjD8aYHZXoRD1BUx/9+t1XBP1ByI1tcvFfqWts04lxn0SC45YpqxTZOgexCMkpnHblPTy9cyh/rLRa1yM8ZMOeuTN+XAtYEtxPSMihP43MBDJQfpuASnPM4O2fmS9tghdxdWBHB3AWpIzxeJsNVpZ8tjhm7t6McuCmnweQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=btconnect.com; dmarc=pass action=none header.from=btconnect.com; dkim=pass header.d=btconnect.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btconnect.onmicrosoft.com; s=selector2-btconnect-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=h3N3kVpa98JmPCefCVvxZVemwtOrqky9deYnimYwFx4=; b=W04WtnhUoGqRawsLGR/ppomxu4ucCqdfj4lXyGAXewTHM1zQfjglM73asVjJ4qW2aodet9U+euVAf+DgvZTEovehGIM+xE0zIrFz1HEV0KRj9aboFyXkTesiaznrAWKDVkCQ67ScwG1xiHE2ePb2WxjtKov9M5U8eBxmoRAe8yo=
Received: from AM0PR07MB5716.eurprd07.prod.outlook.com (20.178.115.216) by AM0PR07MB6148.eurprd07.prod.outlook.com (20.178.115.146) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2347.13; Fri, 18 Oct 2019 12:13:42 +0000
Received: from AM0PR07MB5716.eurprd07.prod.outlook.com ([fe80::fc43:ed41:fb5:b5e3]) by AM0PR07MB5716.eurprd07.prod.outlook.com ([fe80::fc43:ed41:fb5:b5e3%3]) with mapi id 15.20.2347.021; Fri, 18 Oct 2019 12:13:42 +0000
From: tom petch <daedulus@btconnect.com>
To: Alissa Cooper <alissa@cooperw.in>, Dan Romascanu <dromasca@gmail.com>
CC: "gen-art@ietf.org" <gen-art@ietf.org>, "draft-ietf-anima-bootstrapping-keyinfra.all@ietf.org" <draft-ietf-anima-bootstrapping-keyinfra.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "anima@ietf.org" <anima@ietf.org>
Thread-Topic: [Gen-art] Genart telechat review of draft-ietf-anima-bootstrapping-keyinfra-28
Thread-Index: AQHVgzylZL/55Dso/kSfI5QixLQChA==
Date: Fri, 18 Oct 2019 12:13:42 +0000
Message-ID: <048901d585ad$25f8dac0$4001a8c0@gateway.2wire.net>
References: <157095596011.20750.2703747454081790983@ietfa.amsl.com> <00f001d5833c$52aacf60$4001a8c0@gateway.2wire.net> <6CF1EF8F-EE0D-4BE6-B2C2-4C91883A881B@cooperw.in>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-clientproxiedby: LO2P265CA0455.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:e::35) To AM0PR07MB5716.eurprd07.prod.outlook.com (2603:10a6:208:11e::24)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=daedulus@btconnect.com;
x-ms-exchange-messagesentrepresentingtype: 1
x-mailer: Microsoft Outlook Express 6.00.2800.1106
x-originating-ip: [86.139.211.103]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 83da6717-0faf-40fb-0583-08d753c49de4
x-ms-traffictypediagnostic: AM0PR07MB6148:
x-ms-exchange-purlcount: 3
x-microsoft-antispam-prvs: <AM0PR07MB6148556D06C3CF9C6691F6D8C66C0@AM0PR07MB6148.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:3276;
x-forefront-prvs: 01949FE337
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(346002)(136003)(39860400002)(376002)(396003)(366004)(13464003)(189003)(199004)(50226002)(5660300002)(61296003)(71190400001)(186003)(26005)(52116002)(6116002)(71200400001)(81166006)(81156014)(3846002)(446003)(476003)(14496001)(486006)(966005)(478600001)(54906003)(110136005)(8676002)(8936002)(4720700003)(14454004)(316002)(44736005)(6486002)(99286004)(6436002)(229853002)(2906002)(1556002)(305945005)(256004)(66066001)(14444005)(7736002)(386003)(53546011)(25786009)(102836004)(6506007)(81686011)(81816011)(76176011)(4001150100001)(62236002)(44716002)(86362001)(66946007)(66476007)(66556008)(64756008)(66446008)(4326008)(6246003)(9686003)(6512007)(6306002)(74416001)(7726001); DIR:OUT; SFP:1102; SCL:1; SRVR:AM0PR07MB6148; H:AM0PR07MB5716.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:0;
received-spf: None (protection.outlook.com: btconnect.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: j4GdWIjzPGRnwtLX9xCUjsb+i849HSdWVRGlGjU8HgjlLXh5iMNY3ew+WtNWKAS54/Gqbq/8KpPMEPWPVJpmrvqnEu3tZg1LaACtjp+qbWA4aBf2FH38sxvFq7I7wK0U5nw7RtYqj/MSbV6usnn4rK21+P6hcEIUPEQ3rbc1AP2k+aq1lG8btB70Bnx7WlkJOlr5GyggMTM7FNu+gFyU3tX5Xc1HKyMDSm7QnC9dIGu06aSd5FZbWBr7jfysDlsXq/2v0pS7deTt3ieFNVf1CAUqAEWZZUFvgZfOVaxQSN0GOmR2TPOvvaYrxUdCtUL42VFVLlaXLwaHYFwTAIBiow6R2tcAgP20H9BraUEKX2yb4tCI271bW+YyPE4+3dKayleVAg3WRgiAPQO/SYxBS3aZFm5n3jm4EeRsR4ZapbIydAc1wr6LuR8THXGRjaKkj499w7Fuf9cuFCYTRCrswQ==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <7257EB86BF131C4D9125A6043516421A@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: btconnect.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 83da6717-0faf-40fb-0583-08d753c49de4
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Oct 2019 12:13:42.5735 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cf8853ed-96e5-465b-9185-806bfe185e30
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: vu0snAt/i22mqRRr9emXqrGBs6oBB+B9z5IExzmGVmv8ZS6BqtEw5GqMgfeJNVamiLHVe3WPgzWXBSVIArblLw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR07MB6148
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/lF_aNThDpxCNE_a_dipZN_ahoSw>
Subject: Re: [Gen-art] Genart telechat review of draft-ietf-anima-bootstrapping-keyinfra-28
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Oct 2019 12:13:49 -0000

Looking some more at this I-D, I have more concerns about the YANG
module. My review is informal - I recommend that the WG Chair request a
formal review because I may be missing something particularly in
connection with the 'refine' statements.

The I-D has
  namespace
    "urn:ietf:params:xml:ns:yang:ietf-voucher-request";
  prefix "vch";
whereas RFC8366, which it augments, has
  namespace "urn:ietf:params:xml:ns:yang:ietf-voucher";
  prefix vch;
Different module, same prefix; this contradicts a SHOULD NOT in RFC8407.

Further, this I-D defines
  import ietf-voucher {
    prefix v;
i.e. does not use the prefix defined in RFC8366.  This contradicts a
MUST in RFC8407.

There is a discrepancy between the e-mail addresses of the authors of
the YANG module and of the I-D, for
    Author:   Kent Watsen
    Author:   Toerless Eckert
I note that the e-mail addresses for the YANG module are the same as
those for the YANG module in RFC8366; I do not know which are correct.

  contact
   "WG Web:   <http://tools.ietf.org/wg/anima/>
should be https: and usually points to datatracker.ietf.org not tools

Tom Petch

----- Original Message -----
From: "Alissa Cooper" <alissa@cooperw.in>;
To: "tom petch" <daedulus@btconnect.com>;; "Dan Romascanu"
<dromasca@gmail.com>;
Cc: <gen-art@ietf.org>;;
<draft-ietf-anima-bootstrapping-keyinfra.all@ietf.org>;; <ietf@ietf.org>;;
<anima@ietf.org>;
Sent: Wednesday, October 16, 2019 3:57 PM

Dan, thanks for your review. Tom, thanks for your response. I entered a
DISCUSS ballot to make sure the issues with the YANG modules get fixed.
I also noted the need for a response to the full Gen-ART review.

Alissa


> On Oct 15, 2019, at 5:40 AM, tom petch <daedulus@btconnect.com>; wrote:
>
> Dan
>
> I had a quick look at the YANG and it does indeed need some work IMHO.
> I have posted a separate e-mail listing what I saw.
>
> Tom Petch
>
>
> ----- Original Message -----
> From: "Dan Romascanu via Datatracker" <noreply@ietf.org>;
> Sent: Sunday, October 13, 2019 9:39 AM
>
>> Reviewer: Dan Romascanu
>> Review result: Ready with Issues
>>
>> I am the assigned Gen-ART reviewer for this draft. The General Area
>> Review Team (Gen-ART) reviews all IETF documents being processed
>> by the IESG for the IETF Chair. Please wait for direction from your
>> document shepherd or AD before posting a new version of the draft.
>>
>> For more information, please see the FAQ at
>>
>> <https://trac.ietf.org/trac/gen/wiki/GenArtfaq>;.
>>
>> Document: draft-ietf-anima-bootstrapping-keyinfra-??
>> Reviewer: Dan Romascanu
>> Review Date: 2019-10-13
>> IETF LC End Date: None
>> IESG Telechat date: 2019-10-17
>>
>> Summary: Ready with Issues
>>
>> This document specifies automated bootstrapping of an Autonomic
> Control Plane
>> by creating a Remote Secure Key Infrastructure (acronym BRSKI) using
>> manufacturer installed X.509 certificates, in combination with a
> manufacturer's
>> authorizing service, both online and offline.
>>
>> Christian Huitema and Jari Arkko have performed early reviews of
> previous
>> versions of the document for SecDir and Gen-ART. As far as I can
tell,
> most if
>> not all of their major concerns concerning applicability and security
> have been
>> addressed in the latest versions. A few more minor issues described
> below would
>> better be clarified before approval.
>>
>> I also observe that the document has consistent Operational
> implications but
>> there is no OPS-DIR review so far, as well as a YANG module and
> several other
>> references to YANG, but there is no YANG Doctors review. I hope that
> these will
>> be available prior to the IESG review.
>>
>> Major issues:
>>
>> Minor issues:
>>
>> 1. The Pledge definition in section 1.2:
>>
>>> Pledge:  The prospective device, which has an identity installed at
>>      the factory.
>>
>> while in the Introduction:
>>
>>> ... new (unconfigured) devices that are called pledges in this
>>   document.
>>
>> These two definitions seem different. The definition in 1.2 does not
> include
>> the fact that the device is 'new (unconfigured'. Also, arguably
> 'identity
>> installed at the factory' may be considered a form of configuration.
>>
>> 2. The document lacks an Operational Considerations section, which I
> believe is
>> needed, taking into consideration the length and complexity of the
> document.
>> There are many operational issues spread across the document
> concerning the
>> type and resources of devices, speed of the bootstrapping process,
> migration
>> pass, impact on network operation. I suggest to consider adding such
a
> section
>> pointing to the place where these issues are discussed and adding the
> necessary
>> information if missing. Appendix A.1 in RFC 5706 can be used as a
> checklist of
>> the issues to be discussed in such a section.
>>
>> 3. Section 5.4:
>>
>>> Use of TLS 1.3 (or newer) is encouraged.  TLS 1.2 or newer is
>>   REQUIRED.
>>
>> What is the reason for using 'encouraged'? Why not RECOMMENDED?
>>
>> Nits/editorial comments:
>>
>> 1. The Abstract includes:
>>
>> 'To do this a Remote Secure Key Infrastructure (BRSKI) is created'
>>
>> Later in the document BRSKI is idefined as a protocol. It would be
> good to
>> clarify if BRSKI = BRSKI protocol
>>
>> 2. In Section 1 - Introduction, 3rd paragraph:
>>
>> s/it's default modes/its default modes/
>> s/it's strongest modes/its strongest modes/
>>
>> 3. Please expand non-obvious acronyms at first occurrence: EST
> protocol, LLNs,
>> REST interface, LDAP, GRASP, CDDL, CSR
>>
>> 4. I would suggest alphabetic order listing of the terms in section
> 1.2
>>
>> 5. Section 1.3.1 - a reference for LDevID would be useful
>>
>> 6. Section 7:
>>
>> s/Use of the suggested mechanism/Use of the suggested mechanisms/
>>
>>
>
> _______________________________________________
> Gen-art mailing list
> Gen-art@ietf.org
> https://www.ietf.org/mailman/listinfo/gen-art