RE: APPSDIR review of draft-ietf-nea-pt-tls-04
Paul Sangster <Paul_Sangster@symantec.com> Thu, 14 June 2012 04:00 UTC
Return-Path: <Paul_Sangster@symantec.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A75A11E80F6; Wed, 13 Jun 2012 21:00:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.598
X-Spam-Level:
X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[AWL=0.001, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gnuNO5KNDGsO; Wed, 13 Jun 2012 21:00:16 -0700 (PDT)
Received: from ecl1mtaoutpex02.symantec.com (ecl1mtaoutpex02.symantec.com [166.98.1.210]) by ietfa.amsl.com (Postfix) with ESMTP id 8425111E80EB; Wed, 13 Jun 2012 21:00:16 -0700 (PDT)
X-AuditID: a66201d2-b7f756d000004ee0-14-4fd961cf045d
Received: from tus1opsmtapin02.ges.symantec.com (tus1opsmtapin02.ges.symantec.com [192.168.214.44]) by ecl1mtaoutpex02.symantec.com (Symantec Messaging Gateway) with SMTP id 65.F2.20192.FC169DF4; Thu, 14 Jun 2012 04:00:15 +0000 (GMT)
Received: from [155.64.220.138] (helo=TUS1XCHHUBPIN02.SYMC.SYMANTEC.COM) by tus1opsmtapin02.ges.symantec.com with esmtp (Exim 4.76) (envelope-from <Paul_Sangster@symantec.com>) id 1Sf1EE-0004Cu-Uu; Thu, 14 Jun 2012 04:00:14 +0000
Received: from TUS1XCHEVSPIN35.SYMC.SYMANTEC.COM ([155.64.220.150]) by TUS1XCHHUBPIN02.SYMC.SYMANTEC.COM ([172.24.185.246]) with mapi; Wed, 13 Jun 2012 21:00:15 -0700
From: Paul Sangster <Paul_Sangster@symantec.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>, "draft-ietf-nea-pt-tls.all@tools.ietf.org" <draft-ietf-nea-pt-tls.all@tools.ietf.org>, "nea@ietf.org" <nea@ietf.org>
Date: Wed, 13 Jun 2012 21:02:31 -0700
Subject: RE: APPSDIR review of draft-ietf-nea-pt-tls-04
Thread-Topic: APPSDIR review of draft-ietf-nea-pt-tls-04
Thread-Index: Ac1ChIONzSZhkDZ1SQ2GmKWHIfcYdgHWLbtQ
Message-ID: <6E79D623502C70419A9EAB18E4D274252B8B061618@TUS1XCHEVSPIN35.SYMC.SYMANTEC.COM>
References: <4FCD0614.5050902@isode.com>
In-Reply-To: <4FCD0614.5050902@isode.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrOIsWRmVeSWpSXmKPExsVyYMU1Hd3ziTf9Df5NULaYsbrIYu7FCewW zzbOZ7H4/LbCgcVjyZKfTB6nmg09vlz+zBbAHMVlk5Kak1mWWqRvl8CVMfvdecaCPr2Knztn sjUwvlLpYuTgkBAwkXi6sryLkRPIFJO4cG89WxcjF4eQwGtGiX235jDBOWuXrGMHqRISWMUo cXmOIojNJmAgsfPIKbC4iMBKRom9f7NAbGYBZYmnm0CaOTlYBFQlDvfdZgSxhQXMJdqmXmaB qLeQOHygjRXCNpJ43beGDcTmFYiSODD7HdQuDYmjc1cyg9icApoS2482gs1kBLr0+6k1TBC7 xCVuPZnPBPGBgMSSPeeZIWxRiZeP/7FC1ItK3GlfzwhRryOxYPcnNghbW2LZwtfMEHsFJU7O fMIygVF8FpKxs5C0zELSMgtJywJGllWMMqnJOYa5JYn5pSUFqRUGRnrFlbmJwMhL1kvOz93E CIy+ZUmMl3Yw3j+se4hRgINRiYd3YthNfyHWxDKgykOMEhzMSiK8zxSAQrwpiZVVqUX58UWl OanFhxilOViUxHkv7NrqLySQnliSmp2aWpBaBJNl4uCUamDMuL/A5LPQLkcH2dOXds5ffmv7 4wlvPGdnMDufdDj8W6vdYQGfg+1LS/MJ/2/cKe1UvpY3vYEr03nihgc7Dktrf5zJaNOxTj7P QKd247mCqMknCx5Zdnr6b567dh6j15r3HitqC9fePcf6+FGjvnYI27Ovi+Iv5Km8Cah49fto +PsjqeIL+r5nKbEUZyQaajEXFScCAAyyTZ26AgAA
X-Mailman-Approved-At: Thu, 14 Jun 2012 09:11:48 -0700
Cc: "ietf@ietf.org" <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Jun 2012 04:00:21 -0000
> -----Original Message----- > From: Alexey Melnikov [mailto:alexey.melnikov@isode.com] > Sent: Monday, June 04, 2012 12:02 PM > To: apps-discuss@ietf.org; draft-ietf-nea-pt-tls.all@tools.ietf.org > Cc: ietf@ietf.org > Subject: APPSDIR review of draft-ietf-nea-pt-tls-04 > > I have been selected as the Applications Area Directorate reviewer for > this draft (for background on APPSDIR, please see > http://trac.tools.ietf.org/area/app/trac/wiki/ApplicationsAreaDirectora > te ). > > Please resolve these comments along with any other Last Call comments > you may receive. Please wait for direction from your document shepherd > or AD before posting a new version of the draft. The review is not > copied to the IESG as the Last Call has not been announced yet. > > Document: draft-ietf-nea-pt-tls-04 > Title: PT-TLS: A TCP-based Posture Transport (PT) Protocol > Reviewer: Alexey Melnikov > Review Date: June 4, 2012 > > Summary: This document is almost ready for publication as a Proposed > Standard, although some [mostly] SASL related issues remain. > > This document specifies PT-TLS, a TCP-based Posture Transport (PT) > protocol. The PT-TLS protocol carries the Network Endpoint > Assessment (NEA) message exchange under the protection of a Transport > Layer Security (TLS) secured tunnel. > > (Note, I've reviewed -04, but I think all of this still applies to - > 05.) > > > Major: > > In 3.4.2.1: RFC 6125 use details are missing. You need to describe > whether CN-IDs and SRV-IDs are allowed, whether wildcards are allowed, > etc. I can suggest some details. [PS:] Since you weren't happy with our first attempt to address this comment, we would like to take you up on your kind offer to provide suggestions. Maybe we could do this off-line and included the text in -06? > > > Minor: > > In Section 3.2: This document is not yet Internet Standard, it will be > Proposed Standard. Suggest saying "Publication on Standards Track" > instead instead of "Internet Standard". The same issue in the IANA > consideration section. [PS:] This sentence will be re-written to address the gen-art comment so the new text won't have this issue. > > In 3.8.1: I think one instance of "SASL authentication messages" --> > "SASL authentication mechanisms". Otherwise this sentence is out of > place, as you are not talking about SASL messages. [PS:] Will make it more clear the relationship between SASL messages in PT-TLS and the SASL mechanism exchanges inside the messages. The sentence mentioned is about the PT-TLS client authentication messages. > > In 3.8.4: in SASL the server doesn't return abort as an error code, it > just fails the authentication exchange. I suggest removing it as a > choice. [PS:] This text was attempting to support the abort as described in RFC4422 which says: 3.5. Aborting Authentication Exchanges A client or server may desire to abort an authentication exchange if it is unwilling or unable to continue (or enter into). A client may abort the authentication exchange by sending a message, the particulars of which are protocol specific, to the server, indicating that the exchange is aborted. The server may be required by the protocol to return a message in response to the client's abort message. Likewise, a server may abort the authentication exchange by sending a message, the particulars of which are protocol specific, to the client, indicating that the exchange is aborted. [PS]: Is this an unacceptable way to do this? > > In 3.8.7: you define the Reserved field which I assume is used for > padding? If yes, then you will not get proper alignment for the next > field, as SASL mechanism names are variable length. (If you intended > that they are always sent as 20 bytes, then this is missing from the > document.) [PS:] Sure, word alignment would have been a good reason for doing this but we thought more about byte alignment. We also thought having these bits available could be useful later (e.g. for indicating preference or some other semantic that could impact the mechanism selection). Since we didn't need an entire byte for the Mech Len we thought it made sense to at least byte align the Mechanism Name and the cost of 3 bits for some future purpose made sense. > > In 3.8.10: > > The Abort choice is really not needed (as per above). > > Also, can you give me an example of when the Mechanism Failure will be > returned instead of just Failure? [PS:] The document gives the example of authentication failure (incorrect credential) where mechanism failure is when the mechanism logic detects a failure in processing the authentication request that isn't related to the user's input (e.g. malloc error). > > In 3.9: Failed Authentication error code - how does this differ from > SASL Authentication result with Failure code? [PS:] Hmm, I'm going to have to look into this more. One way they are different is the fact that the NEA Client is not allowed to send the SASL Result TLV so can't use the Failure code but it could send a Failed Authentication error code in the PT-TLS Error Message. > > In 4.1.2, second block, the first bullet: I think you meant "client" > instead of the "server". [PS:] Thanks, good catch > > > Question (might not be an issue): > > In 6.2: is it possible to register a vendor specific value without a > specification? [PS:] In order to be placed in the IANA registry a permanent specification is required (as mentioned in section 6.1). Of course vendors are free to use values in their name space without registering them with the IANA. > > The same question for 6.3. > > > Nits: None
- APPSDIR review of draft-ietf-nea-pt-tls-04 Alexey Melnikov
- Re: [apps-discuss] APPSDIR review of draft-ietf-n… Alexey Melnikov
- RE: [apps-discuss] APPSDIR review of draft-ietf-n… Paul Sangster
- RE: APPSDIR review of draft-ietf-nea-pt-tls-04 Paul Sangster
- Re: APPSDIR review of draft-ietf-nea-pt-tls-04 Alexey Melnikov
- Re: [apps-discuss] APPSDIR review of draft-ietf-n… Alexey Melnikov