Re: [Hipsec] WGLC: draft-ietf-hip-cert-06

Samu Varjonen <samu.varjonen@hiit.fi> Mon, 20 December 2010 10:51 UTC

Return-Path: <samu.varjonen@hiit.fi>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3BBCC3A6813 for <hipsec@core3.amsl.com>; Mon, 20 Dec 2010 02:51:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nTx3JsNEjHfU for <hipsec@core3.amsl.com>; Mon, 20 Dec 2010 02:51:45 -0800 (PST)
Received: from argo.otaverkko.fi (argo.otaverkko.fi [212.68.0.2]) by core3.amsl.com (Postfix) with ESMTP id 1D4E53A67B4 for <hipsec@ietf.org>; Mon, 20 Dec 2010 02:51:44 -0800 (PST)
Received: from [128.214.114.246] (wel-36.pc.hiit.fi [128.214.114.246]) by argo.otaverkko.fi (Postfix) with ESMTP id A0D9725ED18; Mon, 20 Dec 2010 12:53:34 +0200 (EET)
Message-ID: <4D0F35AE.3030908@hiit.fi>
Date: Mon, 20 Dec 2010 12:53:34 +0200
From: Samu Varjonen <samu.varjonen@hiit.fi>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101208 Thunderbird/3.1.7
MIME-Version: 1.0
To: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
References: <4CFBB4EE.1020608@ericsson.com> <7CC566635CFE364D87DC5803D4712A6C4CED25ABC1@XCH-NW-10V.nw.nos.boeing.com>
In-Reply-To: <7CC566635CFE364D87DC5803D4712A6C4CED25ABC1@XCH-NW-10V.nw.nos.boeing.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] WGLC: draft-ietf-hip-cert-06
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Dec 2010 10:51:46 -0000

On 20/12/10 06:01, Henderson, Thomas R wrote:
>
>
>> -----Original Message-----
>> From: hipsec-bounces@ietf.org
>> [mailto:hipsec-bounces@ietf.org] On Behalf Of Gonzalo Camarillo
>> Sent: Sunday, December 05, 2010 7:51 AM
>> To: HIP
>> Subject: [Hipsec] WGLC: draft-ietf-hip-cert-06
>>
>> Folks,
>>
>> we hereby start the WGLC on the following draft. This WGLC will end on
>> December 20th.
>>
>> https://datatracker.ietf.org/doc/draft-ietf-hip-cert/
>>
>> Please, send your comments to this list.
>>
>> Thanks,
>>
>
> Gonzalo, I reread this draft and feel that it is ready to publish, modulo the resolution of a couple of comments below.
>
> At the top of page 6, I believe that the line
>      Subject: CN=hit-of-issuer
> should read
>      Subject: CN=hit-of-subject
>

OK, fixed

> In section 8, the second paragraph recommends to not use grouping or hash and URL encodings when HIP aware middleboxes are anticipated to be on the path.  First of all, it is not really clear how a HIP host may know about these boxes except via side information.  If the HIP host does know about them, then presumably it could also know (via side information) whether they can support grouping and hash formats, and the host could act accordingly.  Second, it is not clear whether the use of these options by a well-behaved host would make these devices more prone to attacks, or whether it is rather the use of these options by other malicious hosts that is the real problem.  It seems to me that it may be better to defer this issue to a future HIP-aware middlebox draft, where it could be specified, for instance, how a middlebox that does not want to support these formats may signal to a host that it requires "full credentials" to proceed.  So, I would like to suggest for your consideration to remove this paragraph.
>

I agree with the comment and agree on leaving the subject to a future draft on 
HIP-aware middleboxes. Anyone against the removal of the paragraph? If not 
consider it removed.

> - Tom
> _______________________________________________
> Hipsec mailing list
> Hipsec@ietf.org
> https://www.ietf.org/mailman/listinfo/hipsec