Re: [kitten] Opsdir last call review of draft-ietf-kitten-pkinit-alg-agility-04

Benjamin Kaduk <kaduk@mit.edu> Tue, 26 February 2019 21:48 UTC

Date: Tue, 26 Feb 2019 15:43:50 -0600
From: Benjamin Kaduk <kaduk@mit.edu>
To: Scott Bradner <sob@sobco.com>
CC: ops-dir@ietf.org, kitten@ietf.org, ietf@ietf.org, draft-ietf-kitten-pkinit-alg-agility.all@ietf.org
Message-ID: <20190226214349.GA53396@kduck.mit.edu>
In-Reply-To: <155043488911.4083.7977373920397028733@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/AOVU57fDrEpnUFA6Ic64PluwMY4>

Hi Scott,

On Sun, Feb 17, 2019 at 12:21:29PM -0800, Scott Bradner wrote:
> Reviewer: Scott Bradner
> Review result: Has Nits
> 
> This is an OPS-DIR review of PKINIT Algorithm Agility
> (draft-ietf-kitten-pkinit-alg-agility).  This ID updates PKINIT following the
> guidelines in BCP 201 to make it algorithm agile and to expose acceptable
> algorithms.
> 
> This is a very well written clear document.  I do not find any operational
> issues with the document except that the document could use a section on
> interoperability (old server-new client, new server-old client).
> 
> There are a few words about the topic deep in section 6 about the supportedKDFs
> field but I do not see a general discussion or a discussion about the kdf
> field. The text about the supportedKDFs field could be moved to a new section
> and each of the old/new combinations could be addressed.  I see this as an
> operational issue because compatibility issues are a frequent source of
> operational headaches.

Thanks for the review.  The authors have posted an -05 that appears to
address your concerns.

Thanks to the authors for the updates!

-Ben