[Last-Call] SECDIR Review of draft-ietf-sidrops-rpki-rsc-10
Donald Eastlake <d3e3e3@gmail.com> Thu, 25 August 2022 23:04 UTC
Return-Path: <d3e3e3@gmail.com>
X-Original-To: last-call@ietfa.amsl.com
Delivered-To: last-call@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 09494C15948F; Thu, 25 Aug 2022 16:04:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.858
X-Spam-Level:
X-Spam-Status: No, score=-1.858 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LJv1Q-E3bhXt; Thu, 25 Aug 2022 16:04:23 -0700 (PDT)
Received: from mail-lf1-x12e.google.com (mail-lf1-x12e.google.com [IPv6:2a00:1450:4864:20::12e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 79E58C14CF13; Thu, 25 Aug 2022 16:04:23 -0700 (PDT)
Received: by mail-lf1-x12e.google.com with SMTP id z25so30172984lfr.2; Thu, 25 Aug 2022 16:04:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:mime-version:from:to:cc; bh=FKXFEhgR08nh0C8WSK10yWDWb7sYT0BejwDpLBXumdY=; b=QChTcxuU7/IYZXHjaDmmbThzjzuzT5Y4joQheiYsCQU/9EkI0M1N5guId94OSf3Xy+ MOFahDKbpcJC4p0AmjyQatJ6g10XBeGw7MC5d/Km66j+onYsv7DNtHivPePwm4Q5mi5V bUC7y9O3THj7xfx2PCGsw7adKWwvfByZ+fCWQKlW8fp0FptHKNG3vRkbfQI7RaZM4rR2 0U7Hk4pYNGR7H0gCV+DV6dG3+sGGpxF+hdnpASMW2bbx6URc/mYiUGz1VAaeCFTnax35 Y06CdpJK3ItAMS0GrxsqJa36VzkFCOBruXsxkSt8SOrutmVJ/0ZwpmPOlYP5fvVsF/Go n2aA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc; bh=FKXFEhgR08nh0C8WSK10yWDWb7sYT0BejwDpLBXumdY=; b=5s0cc6pL4WHG2cD5gCGOLgvywS/ZyO9ConjCM9EhD5WDxqLqDuJ0f8lm0uhNJEd1LE xV8JpaWddG+lOU2pn14Sq0QTevXltB3V15YAo4NQZeIugu4Z/In63cMhQUTOi3Z5qli9 Bd9F0HH7z6879KW1nTm6vQiXX/sKFEi4beyFzN9Vqgb8p82tjizReyeEdbtm3/bducIe SeaOjyyIDOI/naXlQo/nBK4zjwaD0A4fVGNWlWYpWKd3/poEIQkimqS2qyLIMhG0obsa KwiFD1VWmVkkdzEG3fDOhzI8M2raoMkxcUX42HSDiRYFkaR3QlmttVNPMRgR2Av/blBz qsiw==
X-Gm-Message-State: ACgBeo24EdwMzamK2cs9YDld4SjGJWaEJSiZgefMJir0+j9Jur8DUOwD kNQQTJlkKAxLNCgaCd44aC0/7qZajuJvw+fL0z9DdouAVWg=
X-Google-Smtp-Source: AA6agR4KoS+84jdLHikY9WS/TVj7bFRmWD4ChW9aheUM9EwbXKfH74GWXDbcb7+gS4vsKpSDHIST3dRj32IKl5QRRNU=
X-Received: by 2002:a05:6512:3d1e:b0:48b:3f76:eff with SMTP id d30-20020a0565123d1e00b0048b3f760effmr1841441lfv.312.1661468660775; Thu, 25 Aug 2022 16:04:20 -0700 (PDT)
MIME-Version: 1.0
From: Donald Eastlake <d3e3e3@gmail.com>
Date: Thu, 25 Aug 2022 19:04:08 -0400
Message-ID: <CAF4+nEGfh3R9K+NGa1TAVg-GJmrpzfOJnGT+=J=CRdA6XP6cEQ@mail.gmail.com>
To: "iesg@ietf.org" <iesg@ietf.org>
Cc: secdir <secdir@ietf.org>, draft-ietf-sidrops-rpki-rsc.all@ietf.org, Last Call <last-call@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/FYtI68D850BFRtetduXTdsNChTA>
Subject: [Last-Call] SECDIR Review of draft-ietf-sidrops-rpki-rsc-10
X-BeenThere: last-call@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF Last Calls <last-call.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/last-call>, <mailto:last-call-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/last-call/>
List-Post: <mailto:last-call@ietf.org>
List-Help: <mailto:last-call-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/last-call>, <mailto:last-call-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Aug 2022 23:04:28 -0000
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.
The summary of the review is Ready with nits.
The Security Considerations look OK.
I'm not that familiar with the corner of public key infrastructure
covered in this draft. However, my understanding is that signing a
strong hash of a digital object verifies the object to the extent that
the signature can be verified regardless of how the object is
obtained. So I found it curious that, in this case, if there is a
filename associated with the hash in the signed checklist but the
object was not from a file or from a file with a different name, then
verification is required to fail.
Nits/Trivia:
-------------
In Section 5, Page 8, the possible disadvantage of so specially
calling attention to Section 4.4.1 is that it implicitly reduces, even
if only a small amount, the emphasis on the rest of Section 4.
Possibly the following change which also has the advantage of being a
bit shorter:
OLD
1. The contents of the CMS eContent field MUST conform to the
constraints described in Section 4. In particular, for each
FileNameAndHash element in the checkList field, its contents MUST
conform to the constraints described in Section 4.4.1.
NEW
1. The contents of the CMS eContent field MUST conform to all of the
constraints described in Section 4 including the constraints
described in Section 4.4.1.
Section 7, first sentence, Grammer:
OLD
When creating digital objects of a plain-text nature (such as ASCII,
UTF-8, HTML, Javascript, XML, etc) it is RECOMMENDED to convert such
objects into a lossless compressed form.
NEW
When creating digital objects of a plain-text nature (such as ASCII,
UTF-8, HTML, Javascript, XML, etc) converting such
objects into a lossless compressed form is RECOMMENDED.
Section 8, Page 11 at beginning of last paragraph: "an one-time" -> "a one-time"
I notice that the IANA "SMI Security for S/MIME CMS Content Type
(1.2.480.113549.1.9.16.1
)" registry entry for id-ct-signedChecklist references an old version
of the draft. Presumably IANA will fix this as the document
progresses.
Thanks,
Donald
===============================
Donald E. Eastlake 3rd +1-508-333-2270 (cell)
2386 Panoramic Circle, Apopka, FL 32703 USA
d3e3e3@gmail.com
- [Last-Call] SECDIR Review of draft-ietf-sidrops-r… Donald Eastlake
- Re: [Last-Call] SECDIR Review of draft-ietf-sidro… Job Snijders
- Re: [Last-Call] SECDIR Review of draft-ietf-sidro… Donald Eastlake