Re: [Gen-art] review of draft-ietf-msec-policy-token-sec-05.txt
Brian E Carpenter <brc@zurich.ibm.com> Thu, 19 January 2006 16:18 UTC
Received: from localhost.cnri.reston.va.us ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EzcUI-00087P-Nt; Thu, 19 Jan 2006 11:18:14 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EzcUH-00085z-FH for gen-art@megatron.ietf.org; Thu, 19 Jan 2006 11:18:13 -0500
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA03977 for <gen-art@ietf.org>; Thu, 19 Jan 2006 11:16:44 -0500 (EST)
Received: from mtagate4.uk.ibm.com ([195.212.29.137]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Ezccm-0004Ws-W5 for gen-art@ietf.org; Thu, 19 Jan 2006 11:27:02 -0500
Received: from d12nrmr1607.megacenter.de.ibm.com (d12nrmr1607.megacenter.de.ibm.com [9.149.167.49]) by mtagate4.uk.ibm.com (8.12.10/8.12.10) with ESMTP id k0JGHlfw145586 for <gen-art@ietf.org>; Thu, 19 Jan 2006 16:17:49 GMT
Received: from d12av02.megacenter.de.ibm.com (d12av02.megacenter.de.ibm.com [9.149.165.228]) by d12nrmr1607.megacenter.de.ibm.com (8.12.10/NCO/VERS6.8) with ESMTP id k0JGGreD131598 for <gen-art@ietf.org>; Thu, 19 Jan 2006 17:16:53 +0100
Received: from d12av02.megacenter.de.ibm.com (loopback [127.0.0.1]) by d12av02.megacenter.de.ibm.com (8.12.11/8.13.3) with ESMTP id k0JGGq8V005790 for <gen-art@ietf.org>; Thu, 19 Jan 2006 17:16:52 +0100
Received: from sihl.zurich.ibm.com (sihl.zurich.ibm.com [9.4.16.232]) by d12av02.megacenter.de.ibm.com (8.12.11/8.12.11) with ESMTP id k0JGGqvr005768; Thu, 19 Jan 2006 17:16:52 +0100
Received: from zurich.ibm.com (sig-9-146-218-37.de.ibm.com [9.146.218.37]) by sihl.zurich.ibm.com (AIX4.3/8.9.3p2/8.9.3) with ESMTP id RAA77376; Thu, 19 Jan 2006 17:16:50 +0100
Message-ID: <43CFBB6E.9060401@zurich.ibm.com>
Date: Thu, 19 Jan 2006 17:16:46 +0100
From: Brian E Carpenter <brc@zurich.ibm.com>
Organization: IBM
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113
X-Accept-Language: en, fr, de
MIME-Version: 1.0
To: "Dondeti, Lakshminath" <ldondeti@qualcomm.com>
Subject: Re: [Gen-art] review of draft-ietf-msec-policy-token-sec-05.txt
References: <43CFAC3D.7060006@cisco.com> <992BC8ECDE438E4B8F5789A0FCCC92AD090BE4@NAEX05.na.qualcomm.com>
In-Reply-To: <992BC8ECDE438E4B8F5789A0FCCC92AD090BE4@NAEX05.na.qualcomm.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: c83ccb5cc10e751496398f1233ca9c3a
Content-Transfer-Encoding: 7bit
Cc: canetti@watson.ibm.com, umeth@sparta.com, hh@sparta.com, gen-art@ietf.org, acc@sparta.com, housley@vigilsec.com
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
Sender: gen-art-bounces@ietf.org
Errors-To: gen-art-bounces@ietf.org
Lakshimnath, Right now (11:15 a.m.) there isn't a DISCUSS at all. I want to hear more from Sam before I decide whether to follow Scott's advice... Please wait until after the telechat when I'm sure Russ will contact you. Brian Dondeti, Lakshminath wrote: > Thanks for the review Scott. I am one of the WG chairs of MSEC and I have answers to your questions below. > > > -----Original Message----- > From: gen-art-bounces@ietf.org on behalf of Scott W Brim > Sent: Thu 1/19/2006 7:11 AM > To: Brian E Carpenter > Cc: gen-art@ietf.org > Subject: [Gen-art] review of draft-ietf-msec-policy-token-sec-05.txt > > Summary: discuss, particularly adopt most of what Sam said. > > I am reading Sam's notes and I disagree with the first part of what he > says, on flexibility. I spent some time with some pioneers of msec so > I may be biased but there are only two flexibility mechanisms, applied > repeatedly. Also the design is for a very constrained multicast > environment: one-to-many with central registration. Therefore I don't > believe his comments about flexibility or multicast (as a whole) apply > here. > > On the other hand, everything he says in the middle is powerful > and blocks it in my mind. > > I don't believe he should have abstained, because I believe everything > listed can be fixed. Why allow for multiple protocols instead of > GSAKMP? First, perhaps the WG chairs have a good technical answer; > and if they don't, that can be fixed rather directly. > > <LD>MSEC group security policy token work is designed to be generic and is applicable to other group security protocols as well. I wish I could provide some existence proof, but there are plans to use the GSPT for GKDP, one of the other protocols being designed in MSEC. </ld> > > So it's just a significant discuss, with questions. > > Other medium-to-small nits: > > "registration provides a list of acceptable registration and > deregistration policy and mechanisms that may be used to manage > member-initiated joins and departures from a group. A NULL sequence > indicates that the group does not support registration and > deregistration of members. A member MUST be able to support at > least one set of Registration mechanisms in order to join the group. > When multiple mechanisms are present, a member MAY use any of the > listed methods. The list is ordered in terms of Group Owner > preference. A member MUST choose the highest listed mechanism that > local policy supports." > > First, I assume that a NULL sequence contains nothing -- there isn't a > sequence element that is an explicit null. If true, then when the > list is null a member CANNOT support at least one of the mechanisms -- > there aren't any. Prefix that sentence with "if the list is not null > ...", avoid complaints later. > > <LD>Editorial change? I think this is ok. </LD> > > Second, in the last sentence, change "highest" to something like > "first listed". Again, avoid ambiguity. > > Next paragraph, re "rekey": same comment about "highest". > > <LD>ok</LD> > > I don't see anywhere where the group owner is indicated in > signaling. How is it known? Say so explicitly. > > <LD>I will ask Hugh et. al. to add a sentence</LD> > > Finally, someone needs to examine the IANA considerations. Aha, I see > Mr Cotton said something along those lines. > > <LD>I have asked the authors to respond to the IANA concern</LD> > > <LD>The following are editorial, right? > A final question: Is the discuss based on whether the GSPT can be used with other protocols OR to resolve Sam's comments? Please let us know. > > Note: I will be offline for about the next 1 hr. > > </LD> > > Other smaller nits: > > "Also, the members may want to verify that the access control rules > are adequate to protect the data that the member is submitting to > the group." > > editorial: "a member may want". > > "tokenInfo provides information about the instance of the Policy > Token (PT)." > > Add something like "see Section 3.1". This sentence as it is makes me > wonder if that's all they are going to tell me. > > swb > > _______________________________________________ > Gen-art mailing list > Gen-art@ietf.org > https://www1.ietf.org/mailman/listinfo/gen-art > > > > > _______________________________________________ Gen-art mailing list Gen-art@ietf.org https://www1.ietf.org/mailman/listinfo/gen-art
- [Gen-art] review of draft-ietf-msec-policy-token-… Scott W Brim
- RE: [Gen-art] review of draft-ietf-msec-policy-to… Dondeti, Lakshminath
- Re: [Gen-art] review of draft-ietf-msec-policy-to… Brian E Carpenter
- Re: [Gen-art] review of draft-ietf-msec-policy-to… Brian E Carpenter
- [Gen-art] Re: review of draft-ietf-msec-policy-to… Brian E Carpenter