Re: [Hipsec] Stephen Farrell's Discuss on draft-ietf-hip-rfc5203-bis-10: (with DISCUSS and COMMENT)

Julien Laganier <> Wed, 20 July 2016 15:11 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E31D712D8F7; Wed, 20 Jul 2016 08:11:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 46BQVawtgqjO; Wed, 20 Jul 2016 08:11:05 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4003:c06::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 66C5312D8C1; Wed, 20 Jul 2016 08:11:05 -0700 (PDT)
Received: by with SMTP id l72so75677403oig.2; Wed, 20 Jul 2016 08:11:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=/PXIWcNh0HAEnmvSI49cBXuE1BoGPlPmd/Of61j+PLY=; b=JOWs1/ZuIre/K6FnR7f9qD8F6ZJTZfY4+w2ZVUAKS9jAO6VVXNOnvNSJ79Ga9KFmtl CP/pHmbQmbbS9HkQQ82R6jC+S+xgmCnhhFTeY5RCtjMDcp0ZALkxq/YdVPrus9ibvuRM isrmlGBOH8Q+U5DwS11yZeKVNwydo1UALAJv92SJMfbf/xyO0UxHyzuNMp+7vCQqBvAh j2cTUgRhxkxAlrgYtYs6LQAdZJLIvB5CxpDsWqGOKm+KjEKJ1MGhfRItgeB6ebNIN0m/ nulqg1XGI3gmazK7QE1PElvdfKpa1fnTfM+6td+F7dJZ5A7BoUT7N6JYlHZ+kovtl3v8 bEbQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=/PXIWcNh0HAEnmvSI49cBXuE1BoGPlPmd/Of61j+PLY=; b=KSoQPhy5Gw9yCr5R9X9qCrTrGd6YG9fXumFNYoOpt8DGVK3HR4lJ7e/cB5deLJDAou cihNeIc4Te/eQZngg4e4J37OknTyK1gNuXd62Ll2a1Yyt39q4yOcZiiAylo9pk9Cj28r IaQx/2TDWN9L/Jd1C5Oou8udTXCQ+rURdao+IQXMGohSZQwTk6emtyfSY2d5OQoH1N1G y67WgmIOovpHlJEaYjZvikSSv8W0sfBTDAxtrTeXhQZRYLlt3XGfW55wlBdx1o1lPuAV OH2eEHhrsk1HsrncTEjx2Ck1aN/UqlxqTBg24HkA6dBaRkPLt/USOI5/w8WvlZtV/fDm QiJg==
X-Gm-Message-State: ALyK8tL8NgRAV72dmqEUIgCHdDBjBkviOoCmJw8dVkgCTlV3Kuf1KZbBN6jvHXFgWI3XnKDUfyxDNcYkIS9E2A==
X-Received: by with SMTP id 6mr26506752otx.186.1469027464683; Wed, 20 Jul 2016 08:11:04 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Wed, 20 Jul 2016 08:11:04 -0700 (PDT)
In-Reply-To: <>
References: <>
From: Julien Laganier <>
Date: Wed, 20 Jul 2016 08:11:04 -0700
Message-ID: <>
To: Stephen Farrell <>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <>
Cc:, HIP <>,, The IESG <>
Subject: Re: [Hipsec] Stephen Farrell's Discuss on draft-ietf-hip-rfc5203-bis-10: (with DISCUSS and COMMENT)
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 20 Jul 2016 15:11:09 -0000

Hi Stephen,

Thanks for reviewing the document.

I think there would be value in making the cause of certificate error
explicit. Would the following change be acceptable?


   If the certificate in the parameter is not accepted, the registrar
   MUST reject the corresponding registrations with Failure Type [IANA
   TBD] (Invalid certificate).


   If the certificate in the parameter is not accepted, the registrar
   MUST reject the corresponding registrations with the appropriate
   Failure Type:
   [IANA TBD] (Bad certificate): The certificate is corrupt, contains
invalid signatures, etc.
   [IANA TBD] (Unsupported certificate): The certificate is of an
unsupported type.
   [IANA TBD] (Certificate expired): The certificate is no longer valid.
   [IANA TBD] (Certificate other): The certificate could not be
validated for some unspecified reason.
   [IANA TBD] (Unknown CA): The issuing CA certificate could not be
located or is not trusted.

Please let us know.



On Tue, Jul 5, 2016 at 7:01 AM, Stephen Farrell
<> wrote:
> Stephen Farrell has entered the following ballot position for
> draft-ietf-hip-rfc5203-bis-10: Discuss
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> Please refer to
> for more information about IESG DISCUSS and COMMENT positions.
> The document, along with other ballot positions, can be found here:
> ----------------------------------------------------------------------
> ----------------------------------------------------------------------
> 3.3 - This fails to distinguish between an invalid
> certificate (e.g. bad signature, unknown signer) and one
> that is valid, but is not acceptable for this purpose.  I
> don't get why that is ok for HIP, can you explain?  If it
> is ok, I think you need to say so. If it is not ok (as I'd
> suspect) then you appear to need to change text or one more
> new error code.
> ----------------------------------------------------------------------
> ----------------------------------------------------------------------
> Section 7 - I'm fine that this doesn't repeat stuff
> from 5203, but a sentence saying to go look there too
> would maybe be good. (I'm not sure if that would fix
> Alexey's discuss or not. If not, then ignore me and
> just talk to him about his discuss.)