Re: [Hipsec] I-D Action: draft-ietf-hip-rfc6253-bis-00.txt

Samu Varjonen <samu.varjonen@helsinki.fi> Tue, 27 August 2013 08:36 UTC

Message-ID: <521C64F9.2010109@helsinki.fi>
Date: Tue, 27 Aug 2013 11:36:09 +0300
From: Samu Varjonen <samu.varjonen@helsinki.fi>
To: David Mattes <mattes@asguardnetworks.com>
References: <20130401183023.13191.54752.idtracker@ietfa.amsl.com> <515BE4B3.5070302@helsinki.fi> <CAB3Psq0ziThFrP_3Br4Eo5WtVvG48SFFV2QcA-eLbiujPSUN9g@mail.gmail.com>
In-Reply-To: <CAB3Psq0ziThFrP_3Br4Eo5WtVvG48SFFV2QcA-eLbiujPSUN9g@mail.gmail.com>
Cc: hipsec@ietf.org
Subject: Re: [Hipsec] I-D Action: draft-ietf-hip-rfc6253-bis-00.txt

On 02/07/13 02:05, David Mattes wrote:
> Hi Samu,
>
> I have reviewed the draft as well.  I just have a couple
> questions/comments about Section 3.  Other than this I think this is
> ready to move forward.
>
> Section 3, Paragraph 1:
> Why do you use normative MUSTs for the Issuer and Subject Alternative
> Names?  Is it because these certificates would not otherwise have
> Distinguished Names?  If you could add a sentence about the rationale
> behind these MUSTs, that would be helpful.

These MUSTs should be SHOULDs in my opinion. Other fields can be used to convey 
the HITs but the rationale for recommending IAN and SAN is that the information 
would always be in the same place.

> It is not clear why I
> might have the situation described in paragraph 1 versus paragraph 2.
>

HIP aware PKI vs. not HIP aware PKI

> Section 3, Paragraph 3:
> Can the MUST be changed to a SHOULD?  I ask because a remote peer may
> be pre-configured with the CA chain, and it is therefore unnecessary to
> send the intermediate CAs.

I agree this can be relaxed to SHOULD as it may be the case that it is 
unnecessary to include the whole chain.

BR,
Samu

>
> Thank you,
> David