Re: [Gen-art] Genart last call review of draft-ietf-anima-voucher-05
Alissa Cooper <alissa@cooperw.in> Wed, 13 December 2017 20:21 UTC
Return-Path: <alissa@cooperw.in>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63FFA12009C; Wed, 13 Dec 2017 12:21:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cooperw.in header.b=TP7PxlN9; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=jqm7EqS3
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nc8XvR90ull3; Wed, 13 Dec 2017 12:21:43 -0800 (PST)
Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com [66.111.4.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4F837126FDC; Wed, 13 Dec 2017 12:21:37 -0800 (PST)
Received: from compute7.internal (compute7.nyi.internal [10.202.2.47]) by mailout.nyi.internal (Postfix) with ESMTP id AA12D20BB9; Wed, 13 Dec 2017 15:21:36 -0500 (EST)
Received: from frontend2 ([10.202.2.161]) by compute7.internal (MEProxy); Wed, 13 Dec 2017 15:21:36 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cooperw.in; h=cc :content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-sender :x-me-sender:x-sasl-enc; s=fm1; bh=gHscJTDDRMtC3UVQWI+aEqmF6y7wP K/pjUsiwvM6r9E=; b=TP7PxlN94+yXYmcKabEGIdfymZ9BmoBDg8nBnd2ikIAMm ZL7ePyg47IPbMFzYVM2XzoEc7YPXI7DBj/cXXp6rf1f4GiMw2TudTe24+AFX273w p6vXrFG1KvPKSEr07EtCmPrSdGmhzDcA21YG+H+H1cz4XrIIr/ettgT+Q7iOJJhB CVAW2pRLNpmX8gVrVfhOS96aVMpW6K+VzgbEc6GRp/LLATuV5zYul7poLR6mfVbu 2wX0dpNE4yeoPkcanIvKsnCBEhYk2gqMsIYi8C3XjJwHVm1ISzm7HtPEXxkmInqP gwjk/UOHqz56JL6HVkw7ukZm5Q+PNee8NvsGul6Zg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=gHscJT DDRMtC3UVQWI+aEqmF6y7wPK/pjUsiwvM6r9E=; b=jqm7EqS32ewkrDovuAsG0D musOnj8Ks4/y4uahovcL1T25xSw1cXjSPn+ATQ0B9pOAocfBRCCsMY8L86hdeBP3 6/2kYx3R5N9WxnmEag0OvQ9s6MeMGnE18cpDd4IjjxOJJ+PHwWzWR6iL9LzgLzWj x6ZvO4QimzwGGbNNM/SmvETW6sM5XL6w+bjbmmTTa8skQSvS8d+UcM0IXNWEMLJd awz4vKfVrYnw6bcTz41Bzw0gG/27ZJujDn41IW89CiVfaRmKw6JIQgqIyE6RfM0H y3rfQ8JWypbO2HA93Qwc4aXNMZvWn2XBkmn9aI+/QYnWYROuGygVypU6sS9TSPXA ==
X-ME-Sender: <xms:0IsxWuocPaX7yJsFtA5V_sJy8mZpVjDn05CFtkdHsDj7T912buv_bQ>
Received: from sjc-alcoop-8816.cisco.com (unknown [128.107.241.187]) by mail.messagingengine.com (Postfix) with ESMTPA id 9600324009; Wed, 13 Dec 2017 15:21:35 -0500 (EST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Alissa Cooper <alissa@cooperw.in>
In-Reply-To: <150704985762.30710.15389510349503177651@ietfa.amsl.com>
Date: Wed, 13 Dec 2017 15:21:34 -0500
Cc: gen-art <gen-art@ietf.org>, draft-ietf-anima-voucher.all@ietf.org, anima@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <EE4D54FD-A39E-4979-99B7-D5CD706AC7A3@cooperw.in>
References: <150704985762.30710.15389510349503177651@ietfa.amsl.com>
To: Russ Housley <housley@vigilsec.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/wQcoBKT1uaa0YcdQBTtQt1Xs0gE>
Subject: Re: [Gen-art] Genart last call review of draft-ietf-anima-voucher-05
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Dec 2017 20:21:45 -0000
Russ, thanks for your review. Michael, thanks for addressing Russ’s comments. I have entered a No Objection ballot. Alissa > On Oct 3, 2017, at 12:57 PM, Russ Housley <housley@vigilsec.com> wrote: > > Reviewer: Russ Housley > Review result: Not Ready > > I am the assigned Gen-ART reviewer for this draft. The General Area > Review Team (Gen-ART) reviews all IETF documents being processed > by the IESG for the IETF Chair. Please wait for direction from your > document shepherd or AD before posting a new version of the draft. > > For more information, please see the FAQ at > <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>. > > Document: draft-ietf-anima-voucher-05 > Reviewer: Russ Housley > Review Date: 2017-10-03 > IETF LC End Date: 2017-10-112 > IESG Telechat date: unknown > > Summary: Not Ready > > Major Concerns: > > Please do not reference RFC 2315. The is a full Internet Standard that > should be used instead. Please reference RFC 5652, which goes back to > PKCS#7 as follows: > > PKCS#7 --> RFC 2315 --> RFC 2630 --> RFC 3369 --> RFC 3852 --> RFC 5652 > > RFC 2315 only support signatures with the RSA algorithm. The signature > value is the "result of encrypting the message digest and associated > information with the signer's private key." RFC 5652 will support any > known digital signature algorithm. Please reference it. > > In Section 6, the document says: > > The PKCS#7 structure SHOULD also contain all the certificates leading > up to and including the signer's trust anchor certificate known to > the recipient. > > Normally, the signer does not include the trust anchor certificate, so > a bit of rationale is needed here. There are clearly situations where > the trust anchor will not be known in advance, so that the the reason to > include it. > > In Section 6, the document also says: > > The PKCS#7 structure MAY also contain revocation objects for any > intermediate certificate authorities (CAs) between the voucher-issuer > and the trust anchor known to the recipient. > > This is another place where RFC 5256 offers an improvement over PKCS#7. > See Section 10.2.1 in RFC 5652, and see RFC 5940 for the information on > OCSP responses. You might want to include CRLs or OCSP responses in a > short-lived voucher so that the recipient does not need to fetch any > revocation information to process the voucher. > > Section 6 needs to specify the content type that will be carried in > SignedData. I believe that a new object identifier (OID) needs to be > assigned. I'm not sure whether you want to assign an OID for JSON > object or YANG structure. I can see where either one would work. > > Section 9 should be expanded to assign the OID for the content type: > www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#security-smime-1. > > > Minor Concerns: > > I think it would be very helpful to include a diagram something like > this in Section 6. Perhaps all of the CMS discussion belongs in a > separate subsection. I did this to see if everything that is needed > was specified, and I learned that the eContentType was not defined. > > ContentInfo { > contentType id-signedData, -- (1.2.840.113549.1.7.2) > content SignedData > } > > SignedData { > version CMSVersion, -- always set to 3 > digestAlgorithms DigestAlgorithmIdentifiers, -- Only one > encapContentInfo EncapsulatedContentInfo, > certificates CertificateSet, -- Signer cert. path > crls CertificateRevocationLists, -- Optional > signerInfos SET OF SignerInfo -- Only one > } > > SignerInfo { > version CMSVersion, -- always set to 3 > sid SignerIdentifier, > digestAlgorithm DigestAlgorithmIdentifier, > signedAttrs SignedAttributes, -- Required > signatureAlgorithm SignatureAlgorithmIdentifier, > signature SignatureValue, > unsignedAttrs UnsignedAttributes -- Optional > } > > EncapsulatedContentInfo { > eContentType !!! NOT SPECIFIED YET !!! > eContent OCTET STRING -- the ietf-voucher > } > > It would be very helpful to the implementer to say how each CMS field > is used. You can copy that vast bulk of the information that you need > from RFC 4108. In particular: > > - See RFC 4180, Section 2.1.1 for ContentInfo. > - See RFC 4180, Section 2.1.2 for SignedData. > - See RFC 4180, Section 2.1.2.1 for SignerInfo. > - See RFC 4180, Section 2.1.2.2 for EncapsulatedContentInfo. > > > Nits: > > In section 2: > s/autonomically/automatically/ > s/Registrar See/Registrar: See/ > s/entity it is contacted by/entity to make contact/ > > In Section 6.1: > s/in Section 4)./in Section 4./ > > In Section 8.1: > s/no understand of time/no understanding of clock time/ > s/clock accuracy then vouchers/clock accuracy, then vouchers/ > > I think the table in Section 5 could be more readable. I suggest: > > +-------------------+-------------------+-------------+ > | Assertion | Registrar ID | Validity | > +--------+----------+--------+----------+-----+-------+ > Voucher | | | Trust | CN-ID or | | | > Type | Logged | Verified | Anchor | DNS-ID | RTC | Nonce | > +-------------+--------+----------+--------+----------+-----+-------+ > |Audit | X | | X | | | X | > +-------------+--------+----------+--------+----------+-----+-------+ > |Nonceless | X | | X | | X | | > |Audit | | | | | | | > +-------------+--------+----------+--------+----------+-----+-------+ > |Owner Audit | X | X | X | | X | X | > +-------------+--------+----------+--------+----------+-----+-------+ > |Owner ID | | X | X | X | X | | > +-------------+--------+----------+--------+----------+-----+-------+ > |Bearer | X | | wildcard | optional | > |out-of-scope | | | | | > +-------------+--------+----------+--------+----------+-----+-------+ > > > _______________________________________________ > Gen-art mailing list > Gen-art@ietf.org > https://www.ietf.org/mailman/listinfo/gen-art
- [Gen-art] Genart last call review of draft-ietf-a… Russ Housley
- Re: [Gen-art] Genart last call review of draft-ie… Alissa Cooper
- Re: [Gen-art] Genart last call review of draft-ie… Kent Watsen
- Re: [Gen-art] Genart last call review of draft-ie… Toerless Eckert