Re: [saag] AD review of draft-moskowitz-ipsecme-ipseckey-eddsa-02
Robert Moskowitz <rgm@labs.htt-consult.com> Sun, 06 November 2022 14:56 UTC
Return-Path: <rgm@labs.htt-consult.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B49CEC14F72A; Sun, 6 Nov 2022 06:56:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.908
X-Spam-Level:
X-Spam-Status: No, score=-6.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xLrEaGNY6dp4; Sun, 6 Nov 2022 06:56:33 -0800 (PST)
Received: from z9m9z.htt-consult.com (z9m9z.htt-consult.com [23.123.122.147]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ABAC2C14F72B; Sun, 6 Nov 2022 06:56:32 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by z9m9z.htt-consult.com (Postfix) with ESMTP id CB719624D4; Sun, 6 Nov 2022 09:55:56 -0500 (EST)
X-Virus-Scanned: amavisd-new at htt-consult.com
Received: from z9m9z.htt-consult.com ([127.0.0.1]) by localhost (z9m9z.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id HaQ7RXCd1U5r; Sun, 6 Nov 2022 09:55:47 -0500 (EST)
Received: from [31.133.132.136] (dhcp-8488.meeting.ietf.org [31.133.132.136]) (using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by z9m9z.htt-consult.com (Postfix) with ESMTPSA id 06C1C6247F; Sun, 6 Nov 2022 09:55:46 -0500 (EST)
Message-ID: <bce9e0aa-96c4-04d1-d97e-0c326eb046e0@labs.htt-consult.com>
Date: Sun, 06 Nov 2022 09:56:17 -0500
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.3.1
Content-Language: en-US
To: Roman Danyliw <rdd@cert.org>, "draft-moskowitz-ipsecme-ipseckey-eddsa@ietf.org" <draft-moskowitz-ipsecme-ipseckey-eddsa@ietf.org>
Cc: "saag@ietf.org" <saag@ietf.org>
References: <BN2P110MB1107D01D9A810DB0F5E3D853DC349@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
From: Robert Moskowitz <rgm@labs.htt-consult.com>
In-Reply-To: <BN2P110MB1107D01D9A810DB0F5E3D853DC349@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/Gut6pYANvKqcu_OK7uMoDUyBWtU>
Subject: Re: [saag] AD review of draft-moskowitz-ipsecme-ipseckey-eddsa-02
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 06 Nov 2022 14:56:36 -0000
On 10/30/22 08:36, Roman Danyliw wrote: > Hi SAAG: as a reminder, I agreed to AD sponsor this document per https://mailarchive.ietf.org/arch/msg/saag/2JJo0lzaVlfFcBKJNfbXBLS5L44/. > > Hi Bob and Tero! > > I performed an AD review of draft-moskowitz-ipsecme-ipseckey-eddsa-02. My feedback is as follows: > > > ** Section 1. Editorial. Please introduce the protocol, provide pointers and expand names/use the formal names. > OLD > The IPSECKEY IANA Registry specifically enumerates the various > Algorithm Types used. This document adds support for the EdDSA > algorithm's Public Keys in IPSECKEY. > > The IPSECKEY RR [RFC4025] defines the 'Algorithm Type' for specifying > the PK Algorithm. Herein we are adding the EdDSA algorithm. > > NEW > IPSECKEY [RFC4025) is a resource record (RR) for the Domain Name System (DNS) that is used to store public keys for use in IP security (IPsec) systems. The IPSECKEY RR relies on the IPSECKEY Algorithm Type Field registry [IANA-IPSECKEY] to enumerate the permissible formats for the public keys. > > This documents adds support for Edwards-Curve Digital Security Algorithm (EdDSA) public keys in the format defined in [RFC8080] to the IPSECKEY RR. done > ** Section 2. Please remove this section as there aren't an RFC2119 key words used. I guess I had it in as a place holder just in case. Well time to.. Cut > ** Section 3. Editorial. > > OLD > The new EdDSA value uses [RFC8080] for the IPSECKEY encoding: > > NEW > Use of an EdDSA public key encoded in the format specified in [RFC8080] in an IPSECKEY RR is indicated as follows: > > ** Section 4. Editorial > > OLD > This document requests IANA to clarify the text in the "Algorithm > Type Field" subregistry of the "IPSECKEY Resource Record Parameters" > [IANA-IPSECKEY] registry to explicitly state this is for "Public" > keys: > > NEW > This document requests IANA to the "Description" field in existing entries of the "Algorithm Type Field" registry of the "IPSECKEY Resource Record Parameters" [IANA-IPSECKEY] to explicitly state that these keys are "public keys." ...to update the "Description"... ??? Anyway I think that is what you wanted. > ** Section 4. Do you want to also s/0, No key is present/0, No Public Key is present/? If no public key is present, this RR will not be present! By definition this is a RR for public keys. No public keys, no RR so no defining a value of 0. Or that is the way I see it. > ** Section 4. The proposed update to values 1 - 3 is too long and generates errors. But it does produce a draft with the list with no indent. > OLD > Value Description Reference > > 1 A DSA Public Key is present, in the format defined in [RFC2536] [RFC4025] > 2 A RSA Public Key is present, in the format defined in [RFC3110] [RFC4025] > 3 An ECDSA Public Key is present, in the format defined in [RFC6605] [RFC8005] > > > NEW > Value Description > > 1 A DSA Public Key is present, in the format defined in [RFC2536] > 2 A RSA Public Key is present, in the format defined in [RFC3110] > 3 An ECDSA Public Key is present, in the format defined in [RFC6605] I can remove the reference column? It seems this is always called for. So either we accept the build errors that still result in a usable draft, or we make these entries two lines like: Value Description Reference 1 A DSA Public Key is present, in the format defined in [RFC2536] [RFC4025] 2 A RSA Public Key is present, in the format defined in [RFC3110] [RFC4025] 3 An ECDSA Public Key is present, in the format defined in [RFC6605] [RFC8005] Please advise. > ** Section 4. Typo. s/Futher/Further/ done > ** Section 4. Drop the following redundant text: > > IPSECKEY: > This document defines the new IPSECKEY value TBD1 (suggested: 4) > (Section 3) in the "Algorithm Type Field" subregistry of the > "IPSECKEY Resource Record Parameters" registry. How is this redundant? Sec 3 (now 2) is the general description. Here it is instructions to IANA. I had been "told" to use this format in ietf-drip-rid as it follows that used in other drafts/rfcs. > ** Section 4. s/[This]/[ThisRFC]/ and say somewhere what [ThisRFC] is. Again, [This] seems to be the "accepted" method in drafts and then the RFC Editor replaces it with the actually assigned rfc number. I can find for you a number of drafts that used [This] as the instruction to the RFC Editor. How should I proceed? Continue as past drafts have done: [This]? Introduce: [ThisRFC]? > ** Section 6. Please make [IANA-IPSECKEY] and [RFC8080] normative references. Interesting. I have not made IANA reference normative elsewhere, but will move it. OK with 8080. > Please drop [RFC2119] and [RFC8174]. And 4025 which results in no Informative references. OK. What should I do about Security Considerations section? I really don't have anything to say here. Should not leave it TBD. Drop it or say "No security considerations"? > Regards, > Roman I have -03 ready pending any additions you recommend in response to this message. Bob
- [saag] AD review of draft-moskowitz-ipsecme-ipsec… Roman Danyliw
- Re: [saag] AD review of draft-moskowitz-ipsecme-i… Robert Moskowitz
- Re: [saag] AD review of draft-moskowitz-ipsecme-i… Robert Moskowitz
- [saag] 1 comment - Re: AD review of draft-moskowi… Robert Moskowitz
- Re: [saag] AD review of draft-moskowitz-ipsecme-i… Tero Kivinen
- Re: [saag] AD review of draft-moskowitz-ipsecme-i… Robert Moskowitz
- Re: [saag] AD review of draft-moskowitz-ipsecme-i… Tero Kivinen
- Re: [saag] AD review of draft-moskowitz-ipsecme-i… Michael Richardson
- Re: [saag] AD review of draft-moskowitz-ipsecme-i… Robert Moskowitz
- Re: [saag] AD review of draft-moskowitz-ipsecme-i… Robert Moskowitz
- Re: [saag] AD review of draft-moskowitz-ipsecme-i… Michael Richardson
- Re: [saag] AD review of draft-moskowitz-ipsecme-i… Michael Richardson