IETF Logo Mail Archive

Re: [Gen-art] Genart last call review of draft-ietf-anima-voucher-05

Alissa Cooper <alissa@cooperw.in> Wed, 13 December 2017 20:21 UTC

Return-Path: <alissa@cooperw.in>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63FFA12009C; Wed, 13 Dec 2017 12:21:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cooperw.in header.b=TP7PxlN9; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=jqm7EqS3
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nc8XvR90ull3; Wed, 13 Dec 2017 12:21:43 -0800 (PST)
Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com [66.111.4.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4F837126FDC; Wed, 13 Dec 2017 12:21:37 -0800 (PST)
Received: from compute7.internal (compute7.nyi.internal [10.202.2.47]) by mailout.nyi.internal (Postfix) with ESMTP id AA12D20BB9; Wed, 13 Dec 2017 15:21:36 -0500 (EST)
Received: from frontend2 ([10.202.2.161]) by compute7.internal (MEProxy); Wed, 13 Dec 2017 15:21:36 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cooperw.in; h=cc :content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-sender :x-me-sender:x-sasl-enc; s=fm1; bh=gHscJTDDRMtC3UVQWI+aEqmF6y7wP K/pjUsiwvM6r9E=; b=TP7PxlN94+yXYmcKabEGIdfymZ9BmoBDg8nBnd2ikIAMm ZL7ePyg47IPbMFzYVM2XzoEc7YPXI7DBj/cXXp6rf1f4GiMw2TudTe24+AFX273w p6vXrFG1KvPKSEr07EtCmPrSdGmhzDcA21YG+H+H1cz4XrIIr/ettgT+Q7iOJJhB CVAW2pRLNpmX8gVrVfhOS96aVMpW6K+VzgbEc6GRp/LLATuV5zYul7poLR6mfVbu 2wX0dpNE4yeoPkcanIvKsnCBEhYk2gqMsIYi8C3XjJwHVm1ISzm7HtPEXxkmInqP gwjk/UOHqz56JL6HVkw7ukZm5Q+PNee8NvsGul6Zg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=gHscJT DDRMtC3UVQWI+aEqmF6y7wPK/pjUsiwvM6r9E=; b=jqm7EqS32ewkrDovuAsG0D musOnj8Ks4/y4uahovcL1T25xSw1cXjSPn+ATQ0B9pOAocfBRCCsMY8L86hdeBP3 6/2kYx3R5N9WxnmEag0OvQ9s6MeMGnE18cpDd4IjjxOJJ+PHwWzWR6iL9LzgLzWj x6ZvO4QimzwGGbNNM/SmvETW6sM5XL6w+bjbmmTTa8skQSvS8d+UcM0IXNWEMLJd awz4vKfVrYnw6bcTz41Bzw0gG/27ZJujDn41IW89CiVfaRmKw6JIQgqIyE6RfM0H y3rfQ8JWypbO2HA93Qwc4aXNMZvWn2XBkmn9aI+/QYnWYROuGygVypU6sS9TSPXA ==
X-ME-Sender: <xms:0IsxWuocPaX7yJsFtA5V_sJy8mZpVjDn05CFtkdHsDj7T912buv_bQ>
Received: from sjc-alcoop-8816.cisco.com (unknown [128.107.241.187]) by mail.messagingengine.com (Postfix) with ESMTPA id 9600324009; Wed, 13 Dec 2017 15:21:35 -0500 (EST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Alissa Cooper <alissa@cooperw.in>
In-Reply-To: <150704985762.30710.15389510349503177651@ietfa.amsl.com>
Date: Wed, 13 Dec 2017 15:21:34 -0500
Cc: gen-art <gen-art@ietf.org>, draft-ietf-anima-voucher.all@ietf.org, anima@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <EE4D54FD-A39E-4979-99B7-D5CD706AC7A3@cooperw.in>
References: <150704985762.30710.15389510349503177651@ietfa.amsl.com>
To: Russ Housley <housley@vigilsec.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/wQcoBKT1uaa0YcdQBTtQt1Xs0gE>
Subject: Re: [Gen-art] Genart last call review of draft-ietf-anima-voucher-05
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Dec 2017 20:21:45 -0000

Russ, thanks for your review. Michael, thanks for addressing Russ’s comments. I have entered a No Objection ballot.

Alissa

> On Oct 3, 2017, at 12:57 PM, Russ Housley <housley@vigilsec.com> wrote:
> 
> Reviewer: Russ Housley
> Review result: Not Ready
> 
> I am the assigned Gen-ART reviewer for this draft. The General Area
> Review Team (Gen-ART) reviews all IETF documents being processed
> by the IESG for the IETF Chair. Please wait for direction from your
> document shepherd or AD before posting a new version of the draft.
> 
> For more information, please see the FAQ at
> <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.
> 
> Document: draft-ietf-anima-voucher-05
> Reviewer: Russ Housley
> Review Date: 2017-10-03
> IETF LC End Date: 2017-10-112
> IESG Telechat date: unknown
> 
> Summary: Not Ready
> 
> Major Concerns:
> 
> Please do not reference RFC 2315.  The is a full Internet Standard that
> should be used instead.  Please reference RFC 5652, which goes back to
> PKCS#7 as follows:
> 
> PKCS#7 --> RFC 2315 --> RFC 2630 --> RFC 3369 --> RFC 3852 --> RFC 5652
> 
> RFC 2315 only support signatures with the RSA algorithm.  The signature
> value is the "result of encrypting the message digest and associated
> information with the signer's private key."  RFC 5652 will support any
> known digital signature algorithm.  Please reference it.
> 
> In Section 6, the document says:
> 
>   The PKCS#7 structure SHOULD also contain all the certificates leading
>   up to and including the signer's trust anchor certificate known to
>   the recipient.
> 
> Normally, the signer does not include the trust anchor certificate, so
> a bit of rationale is needed here.  There are clearly situations where
> the trust anchor will not be known in advance, so that the the reason to
> include it.
> 
> In Section 6, the document also says:
> 
>   The PKCS#7 structure MAY also contain revocation objects for any
>   intermediate certificate authorities (CAs) between the voucher-issuer
>   and the trust anchor known to the recipient.
> 
> This is another place where RFC 5256 offers an improvement over PKCS#7.
> See Section 10.2.1 in RFC 5652, and see RFC 5940 for the information on
> OCSP responses.  You might want to include CRLs or OCSP responses in a
> short-lived voucher so that the recipient does not need to fetch any
> revocation information to process the voucher.
> 
> Section 6 needs to specify the content type that will be carried in
> SignedData.  I believe that a new object identifier (OID) needs to be
> assigned.  I'm not sure whether you want to assign an OID for JSON
> object or YANG structure.  I can see where either one would work.
> 
> Section 9 should be expanded to assign the OID for the content type:
> www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#security-smime-1.
> 
> 
> Minor Concerns:
> 
> I think it would be very helpful to include a diagram something like
> this in Section 6.  Perhaps all of the CMS discussion belongs in a
> separate subsection.  I did this to see if everything that is needed
> was specified, and I learned that the eContentType was not defined.
> 
>      ContentInfo {
>        contentType          id-signedData, -- (1.2.840.113549.1.7.2)
>        content              SignedData
>      }
> 
>      SignedData {
>        version              CMSVersion, -- always set to 3
>        digestAlgorithms     DigestAlgorithmIdentifiers, -- Only one
>        encapContentInfo     EncapsulatedContentInfo,
>        certificates         CertificateSet, -- Signer cert. path
>        crls                 CertificateRevocationLists, -- Optional
>        signerInfos          SET OF SignerInfo -- Only one
>      }
> 
>      SignerInfo {
>        version              CMSVersion, -- always set to 3
>        sid                  SignerIdentifier,
>        digestAlgorithm      DigestAlgorithmIdentifier,
>        signedAttrs          SignedAttributes, -- Required
>        signatureAlgorithm   SignatureAlgorithmIdentifier,
>        signature            SignatureValue,
>        unsignedAttrs        UnsignedAttributes -- Optional
>      }
> 
>      EncapsulatedContentInfo {
>        eContentType         !!! NOT SPECIFIED YET !!!
>        eContent             OCTET STRING -- the ietf-voucher
>      }
> 
> It would be very helpful to the implementer to say how each CMS field
> is used.  You can copy that vast bulk of the information that you need
> from RFC 4108.  In particular:
> 
>  - See RFC 4180, Section 2.1.1 for ContentInfo.
>  - See RFC 4180, Section 2.1.2 for SignedData.
>  - See RFC 4180, Section 2.1.2.1 for SignerInfo.
>  - See RFC 4180, Section 2.1.2.2 for EncapsulatedContentInfo.
> 
> 
> Nits:
> 
> In section 2:
>  s/autonomically/automatically/
>  s/Registrar  See/Registrar:  See/
>  s/entity it is contacted by/entity to make contact/
> 
> In Section 6.1:
>  s/in Section 4)./in Section 4./
> 
> In Section 8.1:
>  s/no understand of time/no understanding of clock time/
>  s/clock accuracy then vouchers/clock accuracy, then vouchers/
> 
> I think the table in Section 5 could be more readable.  I suggest:
> 
>                 +-------------------+-------------------+-------------+
>                 |     Assertion     |    Registrar ID   |   Validity  |
>                 +--------+----------+--------+----------+-----+-------+
>    Voucher      |        |          | Trust  | CN-ID or |     |       |
>    Type         | Logged | Verified | Anchor | DNS-ID   | RTC | Nonce |
>   +-------------+--------+----------+--------+----------+-----+-------+
>   |Audit        |   X    |          |   X    |          |     |   X   |
>   +-------------+--------+----------+--------+----------+-----+-------+
>   |Nonceless    |   X    |          |   X    |          |  X  |       |
>   |Audit        |        |          |        |          |     |       |
>   +-------------+--------+----------+--------+----------+-----+-------+
>   |Owner Audit  |   X    |    X     |   X    |          |  X  |   X   |
>   +-------------+--------+----------+--------+----------+-----+-------+
>   |Owner ID     |        |    X     |   X    |    X     |  X  |       |
>   +-------------+--------+----------+--------+----------+-----+-------+
>   |Bearer       |   X    |          |    wildcard       |   optional  |
>   |out-of-scope |        |          |                   |             |
>   +-------------+--------+----------+--------+----------+-----+-------+
> 
> 
> _______________________________________________
> Gen-art mailing list
> Gen-art@ietf.org
> https://www.ietf.org/mailman/listinfo/gen-art

v2.23.0 | Report a Bug | By Email