Re: [Last-Call] [Teep] Artart last call review of draft-ietf-teep-architecture-16
Mingliang Pei <mingliang.pei@broadcom.com> Mon, 11 April 2022 19:23 UTC
Return-Path: <mingliang.pei@broadcom.com>
X-Original-To: last-call@ietfa.amsl.com
Delivered-To: last-call@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id 601723A064F
for <last-call@ietfa.amsl.com>; Mon, 11 Apr 2022 12:23:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1,
DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001]
autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key)
header.d=broadcom.com
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 6yaxA5dysaF9 for <last-call@ietfa.amsl.com>;
Mon, 11 Apr 2022 12:23:17 -0700 (PDT)
Received: from mail-ot1-x330.google.com (mail-ot1-x330.google.com
[IPv6:2607:f8b0:4864:20::330])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id 7F4153A05AC
for <last-call@ietf.org>; Mon, 11 Apr 2022 12:23:17 -0700 (PDT)
Received: by mail-ot1-x330.google.com with SMTP id
i11-20020a9d4a8b000000b005cda3b9754aso11939252otf.12
for <last-call@ietf.org>; Mon, 11 Apr 2022 12:23:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=broadcom.com; s=google;
h=mime-version:references:in-reply-to:from:date:message-id:subject:to
:cc; bh=yVC8n/pXLixdTGnnE23KDYJVIKw+0ETN0u+XJjEzF8w=;
b=LoCkY8BaXdxHYEhT/p58HOdCZKaZc3pH6Ko/SUhR29y0LKWwmlnsRaG+QSXhf2gT3y
wIQljNmOTzDWsxSGUGdx7s70WaSg3AzjGTxHDxNBtMYkZqNxy1T44iksW7L/no1TKrny
Xg+laQyMBXwxtG46Mm48EJpK2UZmch4tEn2gM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20210112;
h=x-gm-message-state:mime-version:references:in-reply-to:from:date
:message-id:subject:to:cc;
bh=yVC8n/pXLixdTGnnE23KDYJVIKw+0ETN0u+XJjEzF8w=;
b=qNtz4OPyGGuRfVNptkXDHWxMexxa/TFZfhgdWHYdd64xUV5d5+tDLCH0Yf/OzvFRW/
U/DcatdmbrkKKsyrhXwJPOVvgBP5n/xnLu6rUIuZ4DvY+L3vWLLEww9sMaDhZTXpCGHQ
H7LgcOZo43ZRVShqyke4sliIAUv29Kimtibsdc1t73hTO7DQwvAcxrYs+jT1Dnw1IfjO
08ECZjoRK8U0cuHcu99dTjOJlxAb9wT3GdrBiV4uWQe35lXJsLZuzC7HWCAd9V74gZq4
T0iKGsomFjWmt0QzkdGIY8di2JFFzoynELDGtWkNQMJmxlqlpWjtjo45eP43qlRNddaD
g2vQ==
X-Gm-Message-State: AOAM530c6dwfgEyXqVEUoi612JEaWboU1kd42SazUHv3m4zseQrb8jRz
5zF/nmEhq0JI/kU2Sg8w4GHv+H4d2ghNO/LHTzq6wLKBcD5Bh3chZZWAzSuhtMlWBBlznPW7hd/
T93Ci7p0Q88yEHRC40lszjS7FPA==
X-Google-Smtp-Source: ABdhPJyIgg23Lk9Nt6K+Ghlztvc9Qm0o8OunDljqd1wYhgA8WPw6NwEbu8/oZRSj8qPi+HqAERs5otKoRwJgp9I8dhY=
X-Received: by 2002:a9d:73c5:0:b0:5b2:2ce1:b204 with SMTP id
m5-20020a9d73c5000000b005b22ce1b204mr11428661otk.211.1649704996221; Mon, 11
Apr 2022 12:23:16 -0700 (PDT)
MIME-Version: 1.0
References: <164850526406.21554.6982960206540476351@ietfa.amsl.com>
<DBBPR08MB5915B3398715EE22DF06BEBFFA1E9@DBBPR08MB5915.eurprd08.prod.outlook.com>
<CABDGos6QOEabsz1YfQ_X2uQkQm+9L1WdynksTsTD+T26y_UNXQ@mail.gmail.com>
<F88F6DC2-B2AE-45AF-B68E-1A1C75C575EA@vigilsec.com>
<CABDGos4QOf+GS5JFbK50D6PORFb=UqpfAzjxSp5xcQLCSoub6Q@mail.gmail.com>
<CABDGos5fBpe8eLNB1xtZM_qo4gxkUQMBiFNqFh=ag+tvW2gOkw@mail.gmail.com>
<05D72290-98A8-4DA9-9E90-88AC12E76D63@redhoundsoftware.com>
<CABDGos7mcpK212tHZRUZ7dQOdJiN5d+74voiM3LzYFdjTHXHTA@mail.gmail.com>
In-Reply-To: <CABDGos7mcpK212tHZRUZ7dQOdJiN5d+74voiM3LzYFdjTHXHTA@mail.gmail.com>
From: Mingliang Pei <mingliang.pei@broadcom.com>
Date: Mon, 11 Apr 2022 12:23:05 -0700
Message-ID: <CABDGos7ww9tPdsr-TZ7rxsWeHNgPPmEFsTqGcUcY-JU95UtPwg@mail.gmail.com>
To: Carl Wallace <carl@redhoundsoftware.com>
Cc: Russ Housley <housley@vigilsec.com>, "art@ietf.org" <art@ietf.org>,
"last-call@ietf.org" <last-call@ietf.org>, "teep@ietf.org" <teep@ietf.org>,
"draft-ietf-teep-architecture.all@ietf.org"
<draft-ietf-teep-architecture.all@ietf.org>,
Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
micalg=sha-256; boundary="0000000000004d909305dc65e0dc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/aLKc4SNEmhOwX4R7J2VimxyVZT0>
Subject: Re: [Last-Call] [Teep] Artart last call review of
draft-ietf-teep-architecture-16
X-BeenThere: last-call@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Last Calls <last-call.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/last-call>,
<mailto:last-call-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/last-call/>
List-Post: <mailto:last-call@ietf.org>
List-Help: <mailto:last-call-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/last-call>,
<mailto:last-call-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Apr 2022 19:23:23 -0000
Hi Carl,
Considering "associated data" is already described in the first part of the
definition for "used to constraint the types", I think your wording is fine.
The revised full definition will look as follows.
*Trust Anchor*: As defined in {{RFC6024}} and
{{I-D.ietf-suit-architecture}},
"A trust anchor represents an authoritative entity via a public
key and associated data. The public key is used to verify digital
signatures, and the associated data is used to constrain the types
of information for which the trust anchor is authoritative.
The Trust Anchor may be a certificate, a raw public key or other
structure,
as appropriate. It can be a non-root certificate when it is a
certificate.
I made this to the PR now. Please review.
Thanks,
Ming
On Mon, Apr 11, 2022 at 11:29 AM Mingliang Pei <mingliang.pei@broadcom.com>
wrote:
> Hi Carl,
>
> Good point, thanks. A trust anchor intends to allow associated constraint
> information, which is implementation specific, along with the main
> underlying key material being a public key or a certificate. For the
> revised definition, instead of allowing "other structure as appropriate",
> how about we still call out the core key material being a "certificate or
> public key", and other information along with them as appropriate? In other
> words, how about the following?
>
> The Trust Anchor may be a certificate or a raw public key with optionally
> other constraint information or extensions. The structure of Trust Anchors
> is implementation specific."
>
> Thanks,
>
> Ming
>
>
> On Mon, Apr 11, 2022 at 6:08 AM Carl Wallace <carl@redhoundsoftware.com>
> wrote:
>
>>
>>
>> *From: *TEEP <teep-bounces@ietf.org> on behalf of Mingliang Pei
>> <mingliang.pei=40broadcom.com@dmarc.ietf.org>
>> *Date: *Thursday, April 7, 2022 at 8:40 PM
>> *To: *Russ Housley <housley@vigilsec.com>
>> *Cc: *Mingliang Pei <mingliang.pei=40broadcom.com@dmarc.ietf.org>rg>, "
>> art@ietf.org" <art@ietf.org>rg>, "last-call@ietf.org" <last-call@ietf.org>rg>,
>> "teep@ietf.org" <teep@ietf.org>rg>, "
>> draft-ietf-teep-architecture.all@ietf.org" <
>> draft-ietf-teep-architecture.all@ietf.org>gt;, Hannes Tschofenig <
>> Hannes.Tschofenig@arm.com>
>> *Subject: *Re: [Teep] [Last-Call] Artart last call review of
>> draft-ietf-teep-architecture-16
>>
>>
>>
>> See PR: https://github.com/ietf-teep/architecture/pull/236, thanks, Ming
>>
>>
>>
>> [CW] Is it a certainty that constraints will not be needed for trust
>> anchors? The trust anchor definition references “associated data”, which
>> would be used constrain use of the trust anchor. An option other than
>> certificate or public key may would be needed if constraints may be defined
>> (because constraints can’t be added to the certificate without breaking the
>> signature and a raw public key has no means to express constraints).
>> Perhaps, "The Trust Anchor may be a certificate, a raw public key or other
>> structure, as appropriate." might be better to leave open the possibility
>> of constraining a trust anchor. RFC5914 defines syntax that allows for
>> associated data to be packaged alongside a public key or a certificate, as
>> an example of an alternative.
>>
>>
>>
>> <snip>
>>
>
--
This electronic communication and the information and any files transmitted
with it, or attached to it, are confidential and are intended solely for
the use of the individual or entity to whom it is addressed and may contain
information that is confidential, legally privileged, protected by privacy
laws, or otherwise restricted from disclosure to anyone else. If you are
not the intended recipient or the person responsible for delivering the
e-mail to the intended recipient, you are hereby notified that any use,
copying, distributing, dissemination, forwarding, printing, or copying of
this e-mail is strictly prohibited. If you received this e-mail in error,
please return the e-mail to the sender, delete it from your computer, and
destroy any printed copy of it.
- [Last-Call] Artart last call review of draft-ietf… Russ Housley via Datatracker
- Re: [Last-Call] Artart last call review of draft-… Hannes Tschofenig
- Re: [Last-Call] Artart last call review of draft-… Mingliang Pei
- Re: [Last-Call] Artart last call review of draft-… Russ Housley
- Re: [Last-Call] Artart last call review of draft-… Mingliang Pei
- Re: [Last-Call] Artart last call review of draft-… Mingliang Pei
- Re: [Last-Call] [Teep] Artart last call review of… Carl Wallace
- Re: [Last-Call] [Teep] Artart last call review of… Mingliang Pei
- Re: [Last-Call] [Teep] Artart last call review of… Mingliang Pei
- Re: [Last-Call] [Teep] Artart last call review of… Carl Wallace
- Re: [Last-Call] [Teep] Artart last call review of… Carl Wallace