RE: GenART LC review of draft-ietf-nea-pt-tls-05

"Roni Even" <> Tue, 19 June 2012 09:19 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 03CDD21F8618; Tue, 19 Jun 2012 02:19:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.598
X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id IGQ-RRkv8ry0; Tue, 19 Jun 2012 02:19:11 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id D027421F860F; Tue, 19 Jun 2012 02:19:10 -0700 (PDT)
Received: by wibhn6 with SMTP id hn6so2235993wib.13 for <multiple recipients>; Tue, 19 Jun 2012 02:19:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-type:x-mailer:thread-index:content-language; bh=g0EcFfQrBnG3uPD774u0vmT2+lvD4+Ub2zDnXbZEWyk=; b=iltcSzC0ZYmpgYPjctDBqhtmvi+bvhCuU5eOlJPDEd8/+TQg7F5SwXAdcV6Mte0D7U FVN19SQdvjkbCXzyfGquOY122IShx42yO23NvLZgZCs4W3XCmUpgBSZFWQ2JrBtVCm2K HGLJHjK/HXJYa6o8KKSURBewhaQxlwyAT3b7foh9aIiX0yU8swHNumgg9BpisGWtepKx tDnMHDxpxiKZ5jo1jAryFZxQIs7nCPZOXLLbxx/ycKDy+LVgbr2o4jw5sLCiDUbHIZwt HPkUU4bW245HwqhGgu36mtgUN6SPGznwD4htBZ8rUUmT3JIKKgNVCHeC16ExZX4OAd5i Z7WQ==
Received: by with SMTP id r2mr1643274wiz.15.1340097549696; Tue, 19 Jun 2012 02:19:09 -0700 (PDT)
Received: from windows8d787f9 ( []) by with ESMTPS id bn9sm31214527wib.5.2012. (version=TLSv1/SSLv3 cipher=OTHER); Tue, 19 Jun 2012 02:19:07 -0700 (PDT)
From: Roni Even <>
To: 'Paul Sangster' <>,
References: <> <6E79D623502C70419A9EAB18E4D274252B8B06102F@TUS1XCHEVSPIN35.SYMC.SYMANTEC.COM>
In-Reply-To: <6E79D623502C70419A9EAB18E4D274252B8B06102F@TUS1XCHEVSPIN35.SYMC.SYMANTEC.COM>
Subject: RE: GenART LC review of draft-ietf-nea-pt-tls-05
Date: Tue, 19 Jun 2012 12:16:19 +0300
Message-ID: <>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0223_01CD4E15.57B56D80"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Ac1Cl9xExNAkih6WSYeHA9SkXDOg7gG388dgASA4xdA=
Content-Language: en-us
Cc:,, 'IETF' <>
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 19 Jun 2012 09:19:16 -0000


I am OK with your responses. The only thing I am not sure is about using PEN
0 defined in the registry.



| Organization

| | Contact

| | | Email

| | | |



    Internet Assigned Numbers Authority



I was wondering how this enterprise number should be specified since it
appears as "Reserved" in the registry. I have no specific suggestion




From: Paul Sangster [] 
Sent: Wednesday, June 13, 2012 7:56 PM
To: Roni Even;
Cc: 'IETF';;
Subject: RE: GenART LC review of draft-ietf-nea-pt-tls-05


Thanks for the detailed review, comments are in-lined.


From: Roni Even [] 
Sent: Monday, June 04, 2012 2:20 PM
Cc: 'IETF';
Subject: GenART LC review of draft-ietf-nea-pt-tls-05


I am the assigned Gen-ART reviewer for this draft. For background on
Gen-ART, please see the FAQ at


Please resolve these comments along with any other Last Call comments you
may receive.


Document: draft-ietf-nea-pt-tls-05

Reviewer: Roni Even

Review Date:2012-6-4

IETF LC End Date: 2012-6-13

IESG Telechat date:


Summary: This draft is almost ready for publication as a standard track RFC.


Major issues:


Minor issues:

1.       In section 3.2 "Therefore, this specification requests the IANA
reserve a TCP port number for use with the PT-TLS protocol upon publication
of this specification as an Internet standard RFC." I think it will  be
better to have here the assigned port number and instruct the RFC editor to
put the correct value.


[PS:] Ok, we can reword this in hopes of getting a particular value (race
condition with other upcoming RFCs).


2.       In section last paragraph you summarize the text from
section 3.8 while in the paragraph above you provide the reference. Why do
you need the last paragraph if 3.8 is referenced.


[PS:] The goal of this section is to introduce and summarize the different
phases of PT-TLS.  We felt a brief discussion of the general message flow
was helpful to the reader to understand what occurs during this phase
(similar to what we did in the other sub-sections).  Your correct that this
information is covered later in more detail.


3.       In various places you refer to SMI 0 as IETF SMI number while
according to the table it is IANA SMI number.


[PS:] I presume this is about the PEN 0 being for the IETF.  Correct, it's
the IETF's name space that administered by the IANA.  What text would you
like to see to make this more clear?  Can we do it in one place, for example
stating that the IETF name space is administered by the IANA?


4.       I assume that all implementations MUST support message type vendor
ID 0. Is this mentioned?


[PS:] The purpose of this section was just to summarize and enumerate the
message types for vendor id 0.   I don't think it's a general rule that any
message type defined in the IETF (IANA J) name space must (or should be)
supported by all implementations.  It will vary depending on the purpose of
the message so that normative language is included in the descriptions of
the message.


5.       In section 3.5 and 6.1 you propose a policy of "Expert Review with
Specification Required ". I think that according to RFC5226 expert review is
implied if you select a specification required policy.


[PS:] I agree, it says "Specification Required also implies use of a
Designated Expert".  The policy is just "Specification Required" so we could
remove the "Expert Review with" and make it clear it's the Specification
Required IANA policy. 


6.       In section 3.6 on 9+ "Recipients of messages   of type 9 or higher
that do not support the PT-TLS Message Type Vendor ID and PT-TLS Message
Type of a received PT-TLS message MUST respond with a Type Not Supported
PT-TLS error code in a PT-TLS Error message." I think this is true only for
Message Type Vendor ID 0.


[PS:] Thanks will reword this section to make it more clear.


7.       In 3.7.1 for Max vers and prefs ver you say that they MUST be set
to 1. I think it will be more correct here to say SHOULD since you explain
afterwards that they may have other values.


[PS:] I think this is a MUST.  The next sentence just points out that this
normative text might change in a future revision (which is not currently


8.       In section 3.7.2 "the recipient SHOULD send". Why not make it a
MUST here.


[PS:] I ok with making this change, let's see what others think .


9.       In section 3.7.2 "The version selected MUST be within the Min Vers
to Max Vers inclusive range sent in the Version Request   Message" I was
expecting to see pref ver here.


[PS:] Perf is just an informational (hint) preference.


10.   In section 3.8.3 " The SASL client authentication starts when the NEA
Server  enters the PT-TLS Negotiation phase and its policy indicates  that
an authentication of the NEA Client is necessary but was not performed
during the TLS handshake protocol " my read of  section 3.8 second paragraph
is that it can be done even if was done in the TLS handshake so the last
part of the sentence is not correct, if there is a policy you do it anyhow.
This comment is also for the third paragraph.


[PS:] Thanks, this was supposed to be an example.  Will fix these.


11.   In section 3.9 I noticed that you propose to send the entire original
message. Isn't it enough to send only the message identifier. This is based
on the last sentence of this section.


[PS:] Not "the entire original message" as its at most the first 1024 bytes
of the offending message.  This allows the recipient to either caches
recently sent messages and/or message identifiers when determining what
caused the error.  We thought this flexibility was useful and had very
little cost.


12.   Most of the text in section 6.1 repeats RFC5226 but in your words. Are
you trying to change some of RFC5226 text if not why write it in different


[PS:] We were hoping to emphasize the aspects of 5226 that are most
important to this specification.  We weren't trying to change how the IANA
policy was interpreted.  Did you think we did so?  Is there a portion of
this text that is most troubling or was this just a question?





Nits/editorial comments: