Re: [Last-Call] [EXTERNAL] Secdir last call review of draft-ietf-lamps-ocsp-nonce-update-04
Himanshu Sharma <himanshu@netskope.com> Thu, 04 April 2024 18:58 UTC
Return-Path: <himanshu@netskope.com>
X-Original-To: last-call@ietfa.amsl.com
Delivered-To: last-call@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B237DC14F6BC for <last-call@ietfa.amsl.com>; Thu, 4 Apr 2024 11:58:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.091
X-Spam-Level:
X-Spam-Status: No, score=-2.091 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=netskope.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6L7POYhVRs0U for <last-call@ietfa.amsl.com>; Thu, 4 Apr 2024 11:58:48 -0700 (PDT)
Received: from us-smtp-delivery-117.mimecast.com (us-smtp-delivery-117.mimecast.com [170.10.129.117]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 57B6BC1519A0 for <last-call@ietf.org>; Thu, 4 Apr 2024 11:58:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=netskope.com; s=mimecast20210603; t=1712257121; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=n1EQUfl8c6eqvBa0ncxcsGyeOPAlW2pYizwBhRXrAQw=; b=avYiS4UbdpzYbpoyoBPzmOk/v2Ifa6xRBLA/ItXWTL4QRvOW4c4Agt0k+dTeaYkhGU1juN TrDa5W7UyPZ41EYDdDJngdsjO5IxdABuMHhmvzPggx4epWjeUOibtflrlfj42epYwFQlNH 0veXp7L6MIapD20E/jWABcXCu8ebWDQ=
Received: from mail-io1-f69.google.com (mail-io1-f69.google.com [209.85.166.69]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-301-0-_bjgZfPhyLoTqnHU1-JA-1; Thu, 04 Apr 2024 14:58:38 -0400
X-MC-Unique: 0-_bjgZfPhyLoTqnHU1-JA-1
Received: by mail-io1-f69.google.com with SMTP id ca18e2360f4ac-7cbfd9f04e3so97038139f.0 for <last-call@ietf.org>; Thu, 04 Apr 2024 11:58:37 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712257117; x=1712861917; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=LEa47kLoANlRxNPdMHHUJtPgYPIwdLD2+tM2q4I9Ics=; b=vpQ7+C3jjUlujvTAvY01EEWBQeQByi2ZuGGNReDbp8lhq7dMrUBQPze0Wx9TZx9+oO avdyxM+gETLAQelhryi+9ulJ0TxNXY54cGV7hJcFBgRGBcKGc3zOGNKIsVChUn914LWL 4G6fJyR2pJAWbBUw1Y+dsjgOUIzC0cBDWPgUgjsgvRTZq1bVj1oD5sDcYeBiV3HUlRl8 W0H7mjkzwlQtNYIJe43TD0OwZKHZRQw+r/fvvRlb1knEyBBExAFez8lUydPcs8AMDxoh RCpBfLJjI1tPfpjpREqXAdoDTQ96QKX3rnb7FzTw1VDfSj4ucRKlR2hyXgKLFAvEmPdY /4vg==
X-Forwarded-Encrypted: i=1; AJvYcCUSUsV5+5vMudI/fbFiw8zJuKrJd5PEYmaORX3RffDQQEiGBK4M15/jwlbeH+NVrzXwQ0MC3PrlLLQaI09Wu1Lc64Y=
X-Gm-Message-State: AOJu0YxNkhqE+Ynzm2UpqhOgCDS+t7slxokrDNRN6+hF7UEqwL85EUiA /csLQlq9Ucj7N6ac85hOR0Uo7iChoe37BUYyhdnFZXgwLqgTXhYdxwzHA/PbsY5LWZ/PpqgxRVp smfQUvX1+OvtSeuiihm7Adf4k/smIQskccM05RIQ4m8ycKzleMTId2PuDyGQassINfFNDmDCeGz n4UK1lq9hb0WxrDxrG9NTbZFHu
X-Received: by 2002:a5d:8550:0:b0:7d3:3e0d:69e2 with SMTP id b16-20020a5d8550000000b007d33e0d69e2mr344675ios.7.1712257117278; Thu, 04 Apr 2024 11:58:37 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IFZCdKHZAoCIx/aaQoKMJaPryIPiSEP98texuDlvts1jevh+7LLP2ZuvgxToCLW8WUFJ3D9qVvzLt/6
X-Received: by 2002:a5d:8550:0:b0:7d3:3e0d:69e2 with SMTP id b16-20020a5d8550000000b007d33e0d69e2mr344657ios.7.1712257116970; Thu, 04 Apr 2024 11:58:36 -0700 (PDT)
Received: from netskope.com ([163.116.131.244]) by smtp-relay.gmail.com with ESMTPS id n4-20020a056602340400b007d0cd2520a4sm4620ioz.19.2024.04.04.11.58.36 for <last-call@ietf.org> (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 04 Apr 2024 11:58:36 -0700 (PDT)
X-Relaying-Domain: netskope.com
Received: by mail-pg1-f200.google.com with SMTP id 41be03b00d2f7-5e4df21f22dso929011a12.0 for <last-call@ietf.org>; Thu, 04 Apr 2024 11:58:36 -0700 (PDT)
X-Forwarded-Encrypted: i=1; AJvYcCUThjKXQFCJdH/pYdCq2qDyx0Ux3B5gUZII60qYAHlF5L3VDbgM4+uRsoNSI3bdYaPvrqt5yDVjAZJoihSXJa0KdkY=
X-Received: by 2002:a17:902:d344:b0:1de:f0f0:90ac with SMTP id l4-20020a170902d34400b001def0f090acmr441297plk.11.1712257115176; Thu, 04 Apr 2024 11:58:35 -0700 (PDT)
X-Received: by 2002:a17:902:d344:b0:1de:f0f0:90ac with SMTP id l4-20020a170902d34400b001def0f090acmr441271plk.11.1712257114749; Thu, 04 Apr 2024 11:58:34 -0700 (PDT)
MIME-Version: 1.0
References: <171191291059.15585.6093566049458714751@ietfa.amsl.com>
In-Reply-To: <171191291059.15585.6093566049458714751@ietfa.amsl.com>
From: Himanshu Sharma <himanshu@netskope.com>
Date: Thu, 04 Apr 2024 11:58:23 -0700
Message-ID: <CAL9pJ7m=FWWwmXt0qBE_EAYtj19HRBDpnUdgq1rvOBpw37xJeg@mail.gmail.com>
To: Joseph Salowey <joe@salowey.net>
Cc: secdir@ietf.org, draft-ietf-lamps-ocsp-nonce-update.all@ietf.org, last-call@ietf.org, spasm@ietf.org
x-netskope-inspected: true
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: netskope.com
Content-Type: multipart/alternative; boundary="000000000000173d80061549edcd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/QfHfqzOw-IMjRpr7H_LMeqqBGXU>
Subject: Re: [Last-Call] [EXTERNAL] Secdir last call review of draft-ietf-lamps-ocsp-nonce-update-04
X-BeenThere: last-call@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF Last Calls <last-call.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/last-call>, <mailto:last-call-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/last-call/>
List-Post: <mailto:last-call@ietf.org>
List-Help: <mailto:last-call-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/last-call>, <mailto:last-call-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Apr 2024 18:58:52 -0000
Hi Joseph, As discussed offline, explained and agreed upon the reason for choosing the 32 bytes primarily for backward compatibility, and explained about the behavior of ocsp client in case of response that doesn't contain nonce from responder. I have updated the ID ( https://datatracker.ietf.org/doc/draft-ietf-lamps-ocsp-nonce-update/05/) according to your and other reviewr's suggestions. Russ helped in verification of ASN.1 modules and it compiles fine. I believe it satisfies all the outstanding questions. Please let me know if there are still any outstanding questions that I can answer in order to get the approval. Thanks Himanshu On Sun, Mar 31, 2024 at 12:21 PM Joseph Salowey via Datatracker < noreply@ietf.org> wrote: > Reviewer: Joseph Salowey > Review result: Has Issues > > I have reviewed this document as part of the security directorate's > ongoing effort to review all IETF documents being processed by the > IESG. These comments were written primarily for the benefit of the > security area directors. Document editors and WG chairs should treat > these comments just like any other last call comments. > > The summary of the review is has issues. I'm probably just missing some > history/context, here are the items that stood out. > > 1. The document states "An OCSP client that implements this document > SHOULD use > a minimum length of 32 octets for Nonce octets in the Nonce extension." > How > was the minimum of 32 bytes chosen? This seems like it might be longer than > necessary. Is there a security reason for this or a different reason? > Later in > the document it states receiver MUST accept at least 16 octets. > > 2. In addition, the SHOULD should say when it is acceptable not to follow > it. > When is it OK for an implementation to send less than 32 bytes? For > example, > you could rephrase this as "clients MUST use a minimum length of 32 octets > unless they are configured to interoperate with a OCSP responder that > requires > a shorter nonce length or ... ". Also if a client uses more than 32 bytes > their request may be ignored. > > 3. An 8954 server will respond to greater than 32 octet nonce with a > malformedRequest. The client can report this and indicate that perhaps it > needs > to be configured to talk to an 8954 server. The text goes further to say > that > the server MAY ignore nonces greater than 32 and less than 16 octets. Does > this > mean that the response does not contain the nonce? What should the client > do in > this case? Why even allow responders to ignore a nonce that is greater > than 32 > octets? > > 4. I took a look at the ASN.1, it looks OK to me, but I'm a bit rusty. I > assume > that it was reviewed by the working group, it not then someone with more > recent > ASN.1 experience should look at it. > > >
- [Last-Call] Secdir last call review of draft-ietf… Joseph Salowey via Datatracker
- Re: [Last-Call] [EXTERNAL] Secdir last call revie… Himanshu Sharma
- Re: [Last-Call] [EXTERNAL] Secdir last call revie… Himanshu Sharma
- Re: [Last-Call] [EXTERNAL] Secdir last call revie… Joseph Salowey