Re: [Hipsec] WGLC: draft-ietf-hip-cert-06

Samu Varjonen <samu.varjonen@hiit.fi> Wed, 12 January 2011 12:30 UTC

Return-Path: <samu.varjonen@hiit.fi>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1C0023A6B15 for <hipsec@core3.amsl.com>; Wed, 12 Jan 2011 04:30:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2jDN3f90BB91 for <hipsec@core3.amsl.com>; Wed, 12 Jan 2011 04:30:31 -0800 (PST)
Received: from argo.otaverkko.fi (argo.otaverkko.fi [212.68.0.2]) by core3.amsl.com (Postfix) with ESMTP id D8F3A3A6B1B for <hipsec@ietf.org>; Wed, 12 Jan 2011 04:30:30 -0800 (PST)
Received: from [128.214.114.246] (wel-36.pc.hiit.fi [128.214.114.246]) by argo.otaverkko.fi (Postfix) with ESMTP id B016625ED11; Wed, 12 Jan 2011 14:32:48 +0200 (EET)
Message-ID: <4D2D9F70.8080802@hiit.fi>
Date: Wed, 12 Jan 2011 14:32:48 +0200
From: Samu Varjonen <samu.varjonen@hiit.fi>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101208 Thunderbird/3.1.7
MIME-Version: 1.0
To: Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>
References: <4CFBB4EE.1020608@ericsson.com> <7CC566635CFE364D87DC5803D4712A6C4CED25ABC1@XCH-NW-10V.nw.nos.boeing.com> <4D0F35AE.3030908@hiit.fi> <4D2C9F04.9040305@ericsson.com>
In-Reply-To: <4D2C9F04.9040305@ericsson.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] WGLC: draft-ietf-hip-cert-06
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Jan 2011 12:30:32 -0000

On 11/01/11 20:18, Gonzalo Camarillo wrote:
> Hi Samu,
>
> when do you intend to submit a new revision of this draft including the
> changes that have been agreed?

Uploaded it a minute ago.

BR,
Samu

>
> Thanks,
>
> Gonzalo
>
> On 20/12/2010 12:53 PM, Samu Varjonen wrote:
>> On 20/12/10 06:01, Henderson, Thomas R wrote:
>>>
>>>
>>>> -----Original Message-----
>>>> From: hipsec-bounces@ietf.org
>>>> [mailto:hipsec-bounces@ietf.org] On Behalf Of Gonzalo Camarillo
>>>> Sent: Sunday, December 05, 2010 7:51 AM
>>>> To: HIP
>>>> Subject: [Hipsec] WGLC: draft-ietf-hip-cert-06
>>>>
>>>> Folks,
>>>>
>>>> we hereby start the WGLC on the following draft. This WGLC will end on
>>>> December 20th.
>>>>
>>>> https://datatracker.ietf.org/doc/draft-ietf-hip-cert/
>>>>
>>>> Please, send your comments to this list.
>>>>
>>>> Thanks,
>>>>
>>>
>>> Gonzalo, I reread this draft and feel that it is ready to publish, modulo the resolution of a couple of comments below.
>>>
>>> At the top of page 6, I believe that the line
>>>       Subject: CN=hit-of-issuer
>>> should read
>>>       Subject: CN=hit-of-subject
>>>
>>
>> OK, fixed
>>
>>> In section 8, the second paragraph recommends to not use grouping or hash and URL encodings when HIP aware middleboxes are anticipated to be on the path.  First of all, it is not really clear how a HIP host may know about these boxes except via side information.  If the HIP host does know about them, then presumably it could also know (via side information) whether they can support grouping and hash formats, and the host could act accordingly.  Second, it is not clear whether the use of these options by a well-behaved host would make these devices more prone to attacks, or whether it is rather the use of these options by other malicious hosts that is the real problem.  It seems to me that it may be better to defer this issue to a future HIP-aware middlebox draft, where it could be specified, for instance, how a middlebox that does not want to support these formats may signal to a host that it requires "full credentials" to proceed.  So, I would like to suggest for your co

> ns
>> id
>>>    eration to remove this paragraph.
>>>
>>
>> I agree with the comment and agree on leaving the subject to a future draft on
>> HIP-aware middleboxes. Anyone against the removal of the paragraph? If not
>> consider it removed.
>>
>>> - Tom
>>> _______________________________________________
>>> Hipsec mailing list
>>> Hipsec@ietf.org
>>> https://www.ietf.org/mailman/listinfo/hipsec
>>
>