Re: [Last-Call] [Teep] Artart last call review of draft-ietf-teep-architecture-16

Mingliang Pei <mingliang.pei@broadcom.com> Mon, 11 April 2022 18:30 UTC

Return-Path: <mingliang.pei@broadcom.com>
X-Original-To: last-call@ietfa.amsl.com
Delivered-To: last-call@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3ADF43A1976 for <last-call@ietfa.amsl.com>; Mon, 11 Apr 2022 11:30:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=broadcom.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8oaeZj_zZrNb for <last-call@ietfa.amsl.com>; Mon, 11 Apr 2022 11:30:09 -0700 (PDT)
Received: from mail-oa1-x2d.google.com (mail-oa1-x2d.google.com [IPv6:2001:4860:4864:20::2d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DCEE23A1982 for <last-call@ietf.org>; Mon, 11 Apr 2022 11:30:08 -0700 (PDT)
Received: by mail-oa1-x2d.google.com with SMTP id 586e51a60fabf-de48295467so18233484fac.2 for <last-call@ietf.org>; Mon, 11 Apr 2022 11:30:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=broadcom.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Q8Ke1OMpxAnF4CBlCizfF++7f7a4xdEtImyDj5apkaw=; b=EJEc5a8EidmWdy2RBuehsgIObH/CEtghWX8fMUgVf1YvZsrSyJTNyzjBwlW4AsRvl1 1bBDYXYYYKyU/GcvMmTVK9SF5qJkbfGn8eYge5FRRKEZg3BakbuWgzF0c9FF400tS2zN LSZDLXOLPpIBZxzsVNhbUPagZvQvql62LuevY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Q8Ke1OMpxAnF4CBlCizfF++7f7a4xdEtImyDj5apkaw=; b=SsUbPidWFwpkNr0pj7mBoSrtz8HlQy0RGF8l/dtCR5+3JpXXKSVrSqRBfvHbZT1+/n jX18gEm5aRD80Hpi/aOZut2qa/pb7Pt8qJhClmjzpic7ZPSlaSJTpipzQ5PplZXW/gx+ 7yAQKxSbnTLJHJMLBmnBxwBOcx0jQHhbS4oSpHzabG1m6P5awYR2wkFSBgaXcJeb2e2k S0BkzS48JwBkyomqC4GLyOx2tR3cA24xQaYnoADTTsyLtGBv5rnRyubcZYpkKj+efI35 4mLN5o5L1Cky0YsxK0ABDA4izl3GbGZHDOVr5V1fxvPRxQsFvraqG2W/Tc73ug93moV0 arIw==
X-Gm-Message-State: AOAM532NiQTbajszn/vGZDzhj32vleRInCoNzraimsaNzTpw1i2YCwz6 j8qPaIE9sVC8HTIDXPlbOUiKyNjnOVW2XFolRCnY5Vr2kWnNpylqxXrmiGyh1YuPsY/nTl1vkdD hAcB6451X5rHzU2RnxQ==
X-Google-Smtp-Source: ABdhPJybRkpj0FBdR6D+Q4XYu42anVwC2DJV4MUWKRKavr9BD8FQB+aXnMYq9+1cJ0ThaTrzTFNwyTQaCrzQA4EzXQE=
X-Received: by 2002:a05:6871:68f:b0:e2:b7bb:6424 with SMTP id l15-20020a056871068f00b000e2b7bb6424mr287316oao.43.1649701806902; Mon, 11 Apr 2022 11:30:06 -0700 (PDT)
MIME-Version: 1.0
References: <164850526406.21554.6982960206540476351@ietfa.amsl.com> <DBBPR08MB5915B3398715EE22DF06BEBFFA1E9@DBBPR08MB5915.eurprd08.prod.outlook.com> <CABDGos6QOEabsz1YfQ_X2uQkQm+9L1WdynksTsTD+T26y_UNXQ@mail.gmail.com> <F88F6DC2-B2AE-45AF-B68E-1A1C75C575EA@vigilsec.com> <CABDGos4QOf+GS5JFbK50D6PORFb=UqpfAzjxSp5xcQLCSoub6Q@mail.gmail.com> <CABDGos5fBpe8eLNB1xtZM_qo4gxkUQMBiFNqFh=ag+tvW2gOkw@mail.gmail.com> <05D72290-98A8-4DA9-9E90-88AC12E76D63@redhoundsoftware.com>
In-Reply-To: <05D72290-98A8-4DA9-9E90-88AC12E76D63@redhoundsoftware.com>
From: Mingliang Pei <mingliang.pei@broadcom.com>
Date: Mon, 11 Apr 2022 11:29:56 -0700
Message-ID: <CABDGos7mcpK212tHZRUZ7dQOdJiN5d+74voiM3LzYFdjTHXHTA@mail.gmail.com>
To: Carl Wallace <carl@redhoundsoftware.com>
Cc: Russ Housley <housley@vigilsec.com>, "art@ietf.org" <art@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "teep@ietf.org" <teep@ietf.org>, "draft-ietf-teep-architecture.all@ietf.org" <draft-ietf-teep-architecture.all@ietf.org>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="00000000000034b7a505dc6522eb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/jXry86bpVwrvCOyB4TB1DpcWW_g>
Subject: Re: [Last-Call] [Teep] Artart last call review of draft-ietf-teep-architecture-16
X-BeenThere: last-call@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Last Calls <last-call.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/last-call>, <mailto:last-call-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/last-call/>
List-Post: <mailto:last-call@ietf.org>
List-Help: <mailto:last-call-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/last-call>, <mailto:last-call-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Apr 2022 18:30:15 -0000

Hi Carl,

Good point, thanks. A trust anchor intends to allow associated constraint
information, which is implementation specific, along with the main
underlying key material being a public key or a certificate. For the
revised definition, instead of allowing "other structure as appropriate",
how about we still call out the core key material being a "certificate or
public key", and other information along with them as appropriate? In other
words, how about the following?

The Trust Anchor may be a certificate or a raw public key with optionally
other constraint information or extensions. The structure of Trust Anchors
is implementation specific."

Thanks,

Ming


On Mon, Apr 11, 2022 at 6:08 AM Carl Wallace <carl@redhoundsoftware.com>
wrote:

>
>
> *From: *TEEP <teep-bounces@ietf.org> on behalf of Mingliang Pei
> <mingliang.pei=40broadcom.com@dmarc.ietf.org>
> *Date: *Thursday, April 7, 2022 at 8:40 PM
> *To: *Russ Housley <housley@vigilsec.com>
> *Cc: *Mingliang Pei <mingliang.pei=40broadcom.com@dmarc.ietf.org>rg>, "
> art@ietf.org" <art@ietf.org>rg>, "last-call@ietf.org" <last-call@ietf.org>rg>, "
> teep@ietf.org" <teep@ietf.org>rg>, "draft-ietf-teep-architecture.all@ietf.org"
> <draft-ietf-teep-architecture.all@ietf.org>rg>, Hannes Tschofenig <
> Hannes.Tschofenig@arm.com>
> *Subject: *Re: [Teep] [Last-Call] Artart last call review of
> draft-ietf-teep-architecture-16
>
>
>
> See PR: https://github.com/ietf-teep/architecture/pull/236, thanks, Ming
>
>
>
> [CW] Is it a certainty that constraints will not be needed for trust
> anchors? The trust anchor definition references “associated data”, which
> would be used constrain use of the trust anchor. An option other than
> certificate or public key may would be needed if constraints may be defined
> (because constraints can’t be added to the certificate without breaking the
> signature and a raw public key has no means to express constraints).
> Perhaps, "The Trust Anchor may be a certificate, a raw public key or other
> structure, as appropriate." might be better to leave open the possibility
> of constraining a trust anchor. RFC5914 defines syntax that allows for
> associated data to be packaged alongside a public key or a certificate, as
> an example of an alternative.
>
>
>
> <snip>
>

-- 
This electronic communication and the information and any files transmitted 
with it, or attached to it, are confidential and are intended solely for 
the use of the individual or entity to whom it is addressed and may contain 
information that is confidential, legally privileged, protected by privacy 
laws, or otherwise restricted from disclosure to anyone else. If you are 
not the intended recipient or the person responsible for delivering the 
e-mail to the intended recipient, you are hereby notified that any use, 
copying, distributing, dissemination, forwarding, printing, or copying of 
this e-mail is strictly prohibited. If you received this e-mail in error, 
please return the e-mail to the sender, delete it from your computer, and 
destroy any printed copy of it.