Re: [HOKEY] AD review of draft-ietf-hokey-rfc5296bis
Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 09 February 2012 10:01 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: hokey@ietfa.amsl.com
Delivered-To: hokey@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F90121F86D0 for <hokey@ietfa.amsl.com>; Thu, 9 Feb 2012 02:01:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.149
X-Spam-Level:
X-Spam-Status: No, score=-101.149 tagged_above=-999 required=5 tests=[AWL=-1.450, BAYES_00=-2.599, J_CHICKENPOX_73=0.6, MANGLED_LIST=2.3, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9dG2SFce+h2L for <hokey@ietfa.amsl.com>; Thu, 9 Feb 2012 02:01:14 -0800 (PST)
Received: from scss.tcd.ie (hermes.cs.tcd.ie [IPv6:2001:770:10:200:889f:cdff:fe8d:ccd2]) by ietfa.amsl.com (Postfix) with ESMTP id 5814021F86C4 for <hokey@ietf.org>; Thu, 9 Feb 2012 02:01:14 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id BD7B9171D0B; Thu, 9 Feb 2012 10:01:13 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:in-reply-to:references :subject:mime-version:user-agent:from:date:message-id:received :received:x-virus-scanned; s=cs; t=1328781673; bh=pNiNmKm+4EgqpQ DxIRqHHJzgikZ20XpBc9GuJ9zlCek=; b=WAXzxECOAH/wIB/UiY72EYPb3isF3+ PrtZ17ofPP0f3usdQaGl/jgfYvz0rq5DHRNkpg9xWaEfJHTWaSBcQ2lbwz9mUKXE 4swB3Dqf8I1GTKqcoV6SQ6Js+l7U//yVPQWfV3hw60gmZltnIQqAroVAcet4noig pDScnegs3lkCLhi9xC0kA94Fdk8RAyU/qBj30zF6Wo4E3TJEMGIUVoasIeDJHIE0 Z/uYZ5s//Er/aGwyBFDh/D2cJ+cc7duS+kmrpJ4ue6VSGVhzFnBQnXjN348O158/ fr00BYg1t5ANeifwEOJzjzZwmstnoPI/T3M/pWB2j2ZHRu07h8AcYYzQ==
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id N+oyJvJPiNFU; Thu, 9 Feb 2012 10:01:13 +0000 (GMT)
Received: from [IPv6:2001:770:10:203:a288:b4ff:fe9c:bc5c] (unknown [IPv6:2001:770:10:203:a288:b4ff:fe9c:bc5c]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id 26463171C71; Thu, 9 Feb 2012 10:01:13 +0000 (GMT)
Message-ID: <4F33995F.10106@cs.tcd.ie>
Date: Thu, 09 Feb 2012 10:01:03 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:9.0) Gecko/20111222 Thunderbird/9.0.1
MIME-Version: 1.0
To: Glen Zorn <glenzorn@gmail.com>
References: <4F32C244.3020202@cs.tcd.ie> <4F3395DD.4070300@gmail.com>
In-Reply-To: <4F3395DD.4070300@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "hokey@ietf.org" <hokey@ietf.org>
Subject: Re: [HOKEY] AD review of draft-ietf-hokey-rfc5296bis
X-BeenThere: hokey@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: HOKEY WG Mailing List <hokey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hokey>, <mailto:hokey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hokey>
List-Post: <mailto:hokey@ietf.org>
List-Help: <mailto:hokey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hokey>, <mailto:hokey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Feb 2012 10:01:15 -0000
Hi Glen, On 02/09/2012 09:46 AM, Glen Zorn wrote: > On 2/9/2012 1:43 AM, Stephen Farrell wrote: >> >> Hi all, >> >> My review on this is below. All of those comments >> can be handled along with any other IETF LC comments >> received and none is a big deal. However there is one >> thing to sort out before we go ahead. >> >> There is an IPR declaration for 5296 but none for this >> document, which is very similar. >> >> We should get that sorted out before IETF LC one way or >> another. Best is to get a new declaration from the folks >> who declared about 5296. >> >> It may be that an additional short WGLC just to check >> this would be useful for the record once the chairs >> find out if a new IPR declaration will be forthcoming >> in the near future. (I've asked Tina as shepherd to >> handle this.) >> >> Thanks, >> S. >> >> - Some references need updating, check ID-nits. > > OK. > >> >> http://tools.ietf.org/idnits?url=http://tools.ietf.org/id/draft-ietf-hokey-rfc5296bis-06.txt >> >> >> The next three comments are about stuff that didn't really >> change since 5296, so consider them suggestions (i.e. >> I won't insist on any changes being made). >> >> - 3.2, 1st para: "The peer uses the domain name..." is that >> the home or visited domain name? Same thing in the 3rd last >> para of 3.2 and various other places. Which domain name >> is used when could be clearer throughout I think. > > Just looking at 3.2, it really seems that the domain name in question is > quite clear from the context(and the fact that the name is used in the > computation of a DSRK, which only used in a roaming situation). If you say so, I believe you. Maybe I needed to read it again (or better:-) but I found it a bit confusing. I guess if I were paying enough attention to write code it might be fine. I could also buy an argument that specifying home/visited appropriately every time you say "domain name" might end up worse as well. >> - p18, last bullet is not quite clear on when a message is >> considered fresh. I think it means that any sequence number >> greater than the last one used is ok, and any less is >> considered a replay but I'm not 100% sure from this text, but >> 5.4 does seem to say that. Be good to be as clear here too. > > Sorry, but again I'm just not getting it :(. The start of the bullet in > question reads: > > Upon receipt of an EAP-Initiate/Re-auth message, the home ER > server verifies whether the message is fresh or is a replay by > evaluating whether the received sequence number is equal to or > greater than the expected sequence number for that rIK. > > Whats not clear? On p18, the expected sequence number is not (yet) explained. It is later though, in 5.4, so this is just me being v. picky. >> - 8, "confidentiality of identity" - does the use of some of >> the channel bindings not expose identity? If so, noting that >> here would be good. > > Excellent point! How's this? > > Confidentiality of identity > > Deployments where privacy is a concern may find the use of > rIKname-NAI to route ERP messages serves their privacy > requirements. Note that it is plausible to associate multiple > runs of ERP messages since the rIKname is not changed as part > of the ERP protocol. There was no consensus for that > requirement at the time of development of this specification. > If the rIKname is not used and the Peer-ID is used instead, the > ERP exchange will reveal the Peer-ID over the wire. The use of > channel bindings may compromise identity confidentiality, as > well, for example, if the Calling-Station-ID AVP is used and > contains a value that can be linked to a user (e.g., a > telephone number). Lovely. >> nits: >> >> - DSRK is not expanded before 1st use in section 2. > > True; neither is 'EMSK'. That is because the acronyms are defined in > RFC 5295 and RFC 3748, respectively, which are normative references > cited before the first usage of either term. Fair enough. Cheers, S. >> - DS-rIK and DS-rRK are used with out expansion or >> explanation. (last para before 3.1) > > OK. > >> >> - 3.2, 1st para: s/out of home domain/out of the home domain/ > > OK. > >> >> - 5.1, 1st para: s/If ER capable.../If an ER capable.../ > > OK, probably needs a hyphen, too. > >> >> - 3.2 s/Figure 5shows/Figure 5 shows/ > > OK. > >> >> _______________________________________________ >> HOKEY mailing list >> HOKEY@ietf.org >> https://www.ietf.org/mailman/listinfo/hokey > >
- [HOKEY] AD review of draft-ietf-hokey-rfc5296bis Stephen Farrell
- Re: [HOKEY] AD review of draft-ietf-hokey-rfc5296… Glen Zorn
- Re: [HOKEY] AD review of draft-ietf-hokey-rfc5296… Stephen Farrell