[Gen-art] Genart last call review of draft-ietf-lamps-5480-ku-clarifications-00
Dale Worley via Datatracker <noreply@ietf.org> Wed, 19 February 2020 03:07 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: gen-art@ietf.org
Delivered-To: gen-art@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id A18E312089A; Tue, 18 Feb 2020 19:07:50 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Dale Worley via Datatracker <noreply@ietf.org>
To: gen-art@ietf.org
Cc: draft-ietf-lamps-5480-ku-clarifications.all@ietf.org, last-call@ietf.org, spasm@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.118.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Dale Worley <worley@ariadne.com>
Message-ID: <158208167058.19287.14585229025387805615@ietfa.amsl.com>
Date: Tue, 18 Feb 2020 19:07:50 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/xaB2AJGIkwOSYAzgjRq7WVwk9XU>
Subject: [Gen-art] Genart last call review of draft-ietf-lamps-5480-ku-clarifications-00
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Feb 2020 03:07:51 -0000
Reviewer: Dale Worley
Review result: Ready with Issues
I am the assigned Gen-ART reviewer for this draft. The General Area
Review Team (Gen-ART) reviews all IETF documents being processed by
the IESG for the IETF Chair. Please treat these comments just like
any other last call comments.
For more information, please see the FAQ at
<https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.
Document: draft-ietf-lamps-5480-ku-clarifications-00
Reviewer: Dale R. Worley
Review Date: 2020-02-18
IETF LC End Date: 2020-02-07
IESG Telechat date: [unknown]
Summary:
This draft is on the right track but has open issues, described
in the review.
The text is difficult to follow in places. I believe that the WG has
a clear understanding of what is intended, but a few small editorial
errors have unfortunately rendered the text incorrect and
contradictory to RFC 5480.
Note that I am unfamiliar with the details of PKI certificates; this
review is based largely on what I have learned from RFC 5480 and this
I-D.
>From the discussion it appears that id-ecDH and id-ecMQV are "key
agreement algorithms" and that, as such, they should not be used with
keyEncipherment or dataEncipherment. [this draft, section 3]
Conversely, id-ecPublicKey is not a "key agreement algorithm". [RFC
5480, section 2.1.2, para. 1, sentence 1]
1. Introduction
This document corrects this omission, by updating Section 3 of
[RFC5480] to make it clear that neither keyEncipherment nor the
dataEncipherment key usage bits are set for key agreement algorithms.
This could be clearer by replacing or augmenting "key agreement
algorithms" with a description of which of these algorithms are key
agreement algorithms, viz., id-ecDH and id-ecMQV. Otherwise, one must
first have read RFC 5480 to understand this introduction correctly.
3. Updates to Section 3
If the keyUsage extension is present in a certificate that indicates
id-ecPublicKey as algorithm of AlgorithmIdentifier [RFC2986] in
SubjectPublicKeyInfo, then following values MUST NOT be present:
keyEncipherment; and
dataEncipherment.
If the keyUsage extension is present in a certificate that indicates
id-ecDH or id-ecMQV in SubjectPublicKeyInfo, then the following
values also MUST NOT be present:
keyEncipherment; and
dataEncipherment.
The structure of this section is peculiar, since it presents almost
the same text about "id-ecPublicKey" and about "id-ecDH or id-ecMQV".
If the intention is to say the same thing about all three, these
should be folded together.
It is also not clear why the first paragraph refers to
AlgorithmIdentifier but the second paragraph uses SubjectPublicKeyInfo
to refer to essentially the same thing.
But this text appears to contradict the statement in [RFC 5480] that
the usage of id-ecPublicKey is "unrestricted" and is not a key
agreement algorithm, in which case the first paragraph should say "the
following values MAY be present". (In which case, the "also" in the
2nd paragraph should be omitted.)
[END]
- [Gen-art] Genart last call review of draft-ietf-l… Dale Worley via Datatracker
- Re: [Gen-art] Genart last call review of draft-ie… Sean Turner
- Re: [Gen-art] Genart last call review of draft-ie… Tadahiko Ito
- Re: [Gen-art] Genart last call review of draft-ie… Dale R. Worley
- Re: [Gen-art] Genart last call review of draft-ie… Sean Turner
- Re: [Gen-art] Genart last call review of draft-ie… worley
- [Gen-art] draft-ietf-lamps-5480-ku-clarifications… worley
- Re: [Gen-art] draft-ietf-lamps-5480-ku-clarificat… Alissa Cooper
- Re: [Gen-art] draft-ietf-lamps-5480-ku-clarificat… Sean Turner
- Re: [Gen-art] draft-ietf-lamps-5480-ku-clarificat… Benjamin Kaduk
- Re: [Gen-art] draft-ietf-lamps-5480-ku-clarificat… Russ Housley