Re: [pkix] FW: New Version Notification for draft-wallace-est-alt-challenge-00.txt

Stephen Farrell <stephen.farrell@cs.tcd.ie> Mon, 08 February 2016 13:17 UTC

To: Carl Wallace <carl@redhoundsoftware.com>, PKIX <pkix@ietf.org>
References: <20150803183532.30514.2647.idtracker@ietfa.amsl.com> <D1E61A8A.3B3AA%carl@redhoundsoftware.com> <560BBDAE.9070606@cs.tcd.ie> <56211D5C.8050105@cs.tcd.ie> <56B5E9D9.6090106@cs.tcd.ie> <D2DB774A.4B795%carl@redhoundsoftware.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <56B89566.2020700@cs.tcd.ie>
Date: Mon, 8 Feb 2016 13:17:26 +0000
In-Reply-To: <D2DB774A.4B795%carl@redhoundsoftware.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/P2sQCPk8Oku_wf7z1AfJ_uwFjrk>
Subject: Re: [pkix] FW: New Version Notification for draft-wallace-est-alt-challenge-00.txt


On 06/02/16 15:19, Carl Wallace wrote:
> 
> 
> On 2/6/16, 7:40 AM, "pkix on behalf of Stephen Farrell"
> <pkix-bounces@ietf.org on behalf of stephen.farrell@cs.tcd.ie> wrote:
> 
>>
>> Well, it still is "after IETF94" I guess, but with apologies
>> to the authors for dropping this ball...
>>
>> I've given this a read and have a question and a comment:
>>
>> Question:
>>
>> 3.1: There are many OTP schemes in real use, and some CA might
>> someday support >1 - why don't you need a mechanism-id or
>> similar? (And section 5 here even calls out two different
>> schemes that are documented in RFCs.) If you tell me that you
>> think this isn't really needed (and if nobody else argues
>> for it), that'll be fine, but I wanted to ask.
> 
> I don't think it's really needed. Even with a mechanism ID for either of
> those referenced RFCs, context may dictate validator behavior in ways not
> reflected by a mechanism ID. Tying OTP generator/validator behavior to
> this attribute would be a big increase in scope. Were a mechanism ID ever
> needed, it could be added as a peer attribute without requiring change to
> a widely used structure.

Fair enough.

> 
>>
>> Comment:
>>
>> intro: Editorial suggestion: maybe list the existing uses of
>> the field in a numbered list and refer back to that when
>> necessary. I think that might help the reader to keep the
>> different uses clear as they read.
> 
> Can this be handled as a last call comment?

Absolutely, it's just a nit really.

> 
>>
>> Once the authors have responded to the question above, I'll
>> start IETF LC for this one.

I've asked for IETF LC now; you should see the message in a
while.

Cheers,
S.


>>
>> Cheers,
>> S.
>>
>> PS: This was one of the drafts that prompted me to ask about
>> forming a new wg, but since I'd already said I'd AD sponsor
>> this on the list back in October, in fairness to the authors,
>> I'm gonna just go ahead for this one while we see how the
>> new-wg discussion pans out.
>>
>> On 16/10/15 16:53, Stephen Farrell wrote:
>>>
>>> So on the basis of a little positive feedback and it being
>>> fairly obvious I'll AD sponsor this one. I'll be working
>>> with the authors on that and an IETF LC should ensue in the
>>> not too distant (maybe just after IETF94). I'll send a mail
>>> here when that starts.
>>>
>>> Cheers,
>>> S.
>>>
>>> On 30/09/15 11:47, Stephen Farrell wrote:
>>>>
>>>> Folks,
>>>>
>>>> Carl and Max have asked me to AD sponsor this draft. Since it
>>>> seems like it's almost a bug fix, I'll probably go ahead and
>>>> do that if there are no significant objections here in the next
>>>> couple of weeks (say by Oct 15).
>>>>
>>>> So if you care about EST, please take a look (it's only 8 pages)
>>>> and say what you think.
>>>>
>>>> Thanks,
>>>> Stephen.
>>>>
>>>> On 04/08/15 12:34, Carl Wallace wrote:
>>>>> The draft referenced below may be of interest to some on this list. It
>>>>> defines some new OIDs to disambiguate existing EST challengePassword
>>>>> attribute usage from PKCS #9/legacy usage and defines a new OID to
>>>>> convey a one-time password as an additional value or alternative to
>>>>> the tls-unique mechanism defined in EST.
>>>>>
>>>>> On 8/3/15, 2:35 PM, "internet-drafts@ietf.org"
>>>>> <internet-drafts@ietf.org>
>>>>> wrote:
>>>>>
>>>>>>
>>>>>> A new version of I-D, draft-wallace-est-alt-challenge-00.txt
>>>>>> has been successfully submitted by Carl Wallace and posted to the
>>>>>> IETF repository.
>>>>>>
>>>>>> Name:          draft-wallace-est-alt-challenge
>>>>>> Revision:      00
>>>>>> Title:         Alternative Challenge Password Attributes for Enrollment over
>>>>>>                Secure Transport
>>>>>> Document date: 2015-08-03
>>>>>> Group:         Individual Submission
>>>>>> Pages:         9
>>>>>> URL:           https://www.ietf.org/internet-drafts/draft-wallace-est-alt-challenge-00.txt
>>>>>> Status:        https://datatracker.ietf.org/doc/draft-wallace-est-alt-challenge/
>>>>>> Htmlized:      https://tools.ietf.org/html/draft-wallace-est-alt-challenge-00
>>>>>>
>>>>>>
>>>>>> Abstract:
>>>>>>   This document defines a set of new Certificate Signing Request
>>>>>>   attributes for use with the Enrollment over Secure Transport (EST)
>>>>>>   protocol.  These attributes provide disambiguation of the existing
>>>>>>   overloaded uses for the PKCS #9 challengePassword attribute.  Uses
>>>>>>   include the original certificate revocation password, common
>>>>>>   authentication password uses, and EST defined linking of transport
>>>>>>   security identity.
>>>>>>
>>>>>> Please note that it may take a couple of minutes from the time of
>>>>>> submission
>>>>>> until the htmlized version and diff are available at tools.ietf.org.
>>>>>>
>>>>>> The IETF Secretariat
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>> _______________________________________________
>>>> pkix mailing list
>>>> pkix@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/pkix
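The overloading that the draft sets out to fix is easiest to see at the byte level. The example below is added here and is not code from the draft, its authors, or any EST implementation: it hand-encodes a PKCS #10 Attribute carrying the PKCS #9 challengePassword OID (1.2.840.113549.1.9.7, a real value), performs the EST tls-unique check from RFC 7030 section 3.5 (client puts base64(tls-unique) in the attribute, server compares it with its own tls-unique), and shows that from the legacy OID alone a validator cannot tell a revocation password, an enrollment password and a tls-unique link apart, whereas a purpose-specific OID can be dispatched on directly. The alternative OID, the 12-byte tls-unique value and the "hunter2" password are constructed placeholders; the draft's real OID values are not given on this page, and UTF8String is one of the DirectoryString choices, picked here for simplicity.

```python
import base64
import hmac
from typing import Dict, List, Tuple

# PKCS #9 challengePassword (RFC 2985): the one OID that EST tls-unique
# linking, legacy revocation passwords and enrollment passwords all share.
OID_CHALLENGE_PASSWORD = "1.2.840.113549.1.9.7"
# HYPOTHETICAL placeholder for a purpose-specific attribute of the kind the
# draft defines; the real values are not on this page.
OID_ALT_TLS_UNIQUE_LINK = "1.3.6.1.4.1.99999.7.1"
# Constructed tls-unique value (RFC 5929) for the demo; a real one comes
# from the TLS session's first Finished message.
CONSTRUCTED_TLS_UNIQUE = bytes(range(0xA0, 0xAC))


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER: first two arcs packed, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def encode_attribute(oid: str, value: str) -> bytes:
    """Attribute ::= SEQUENCE { type OID, values SET OF DirectoryString }.
    UTF8String (tag 0x0C) is used for the DirectoryString here."""
    return _tlv(0x30, encode_oid(oid) + _tlv(0x31, _tlv(0x0C, value.encode())))


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def decode_attributes(buf: bytes) -> List[Tuple[str, str]]:
    """Parse concatenated Attribute SEQUENCEs into (oid, first value) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, seq, pos = _read_tlv(buf, pos)
        if tag != 0x30:
            raise ValueError("expected SEQUENCE")
        _, oid_body, p = _read_tlv(seq, 0)
        _, set_body, _ = _read_tlv(seq, p)
        _, val, _ = _read_tlv(set_body, 0)
        out.append((decode_oid(oid_body), val.decode()))
    return out


def client_tls_unique_attr(tls_unique: bytes, oid: str = OID_CHALLENGE_PASSWORD) -> bytes:
    """EST client side (RFC 7030 s3.5): base64(tls-unique) goes in the attribute."""
    return encode_attribute(oid, base64.b64encode(tls_unique).decode())


def server_check_tls_unique(attrs: List[Tuple[str, str]], server_tls_unique: bytes,
                            oid: str = OID_CHALLENGE_PASSWORD) -> bool:
    """EST server side: locate the attribute, decode it, compare in constant time."""
    for attr_oid, val in attrs:
        if attr_oid == oid:
            try:
                presented = base64.b64decode(val, validate=True)
            except ValueError:  # a plain password is not valid base64
                return False
            return hmac.compare_digest(presented, server_tls_unique)
    return False


def purpose_of(oid: str) -> str:
    """What a validator can infer from the OID alone: the draft's motivation."""
    if oid == OID_ALT_TLS_UNIQUE_LINK:
        return "tls-unique linking"
    if oid == OID_CHALLENGE_PASSWORD:
        return "ambiguous: revocation password, enrollment password or tls-unique"
    return "unknown"


def demo() -> Dict[str, object]:
    good = decode_attributes(client_tls_unique_attr(CONSTRUCTED_TLS_UNIQUE))
    pw = decode_attributes(encode_attribute(OID_CHALLENGE_PASSWORD, "hunter2"))
    alt = decode_attributes(client_tls_unique_attr(CONSTRUCTED_TLS_UNIQUE, OID_ALT_TLS_UNIQUE_LINK))
    return {
        "legacy_ok": server_check_tls_unique(good, CONSTRUCTED_TLS_UNIQUE),
        "legacy_wrong_session": server_check_tls_unique(good, bytes(12)),
        "legacy_password_not_binding": server_check_tls_unique(pw, CONSTRUCTED_TLS_UNIQUE),
        "legacy_purpose": purpose_of(good[0][0]),
        "alt_ok": server_check_tls_unique(alt, CONSTRUCTED_TLS_UNIQUE, OID_ALT_TLS_UNIQUE_LINK),
        "alt_purpose": purpose_of(alt[0][0]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run it directly to see the six results. The point of the "legacy_password_not_binding" case is that a server configured for tls-unique linking silently rejects an enrollment password sent in the same attribute, and a server configured for passwords would accept a base64 string as a password: nothing in the OID tells either side which was meant, which is exactly the ambiguity a distinct OID removes.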