Re: [saag] Comment added to draft-gutmann-scep history
Peter Gutmann <pgut001@cs.auckland.ac.nz> Mon, 30 April 2018 12:43 UTC
Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74E6E12DA01; Mon, 30 Apr 2018 05:43:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auckland.ac.nz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DzyeCRh-ePUe; Mon, 30 Apr 2018 05:43:32 -0700 (PDT)
Received: from mx4-int.auckland.ac.nz (mx4-int.auckland.ac.nz [130.216.125.246]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 97DA412DA45; Mon, 30 Apr 2018 05:43:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1525092210; x=1556628210; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=DW00sNhizpaL71tWnXLA7GwnfEJobmymynaCS9GCtKQ=; b=XqVhhqumNSHymydEw4DURcOA75+7OcWRTnO9RTrexzzUvdLJeh/ofheQ ZMOFr+czkCe7zV2Y8om65z8GQLj82lD7uM+eVhkPsgAXskC4YCApITA9x dBcRYWo7UHMOSg7BNLnj5tHH31zF3tUu02MYHpetCvFQkg0G+bCXqkSG5 igCC9H9PZyy4Cil75HUyXJlrNAldjGgI7jqgcN72z+3/h0p0GkaW3Byh2 JVC2xAm0b0Zc7m+0uxviZQI+rmT03sQkmlz0829TpDNUlmaorz3txD5mO myi1SQ3zZ4nu/zzcp0GdonP2bLLJr2PWPs9OCP48y8R0mP7TzA01TRQbP Q==;
X-IronPort-AV: E=Sophos;i="5.49,346,1520852400"; d="scan'208";a="8901832"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 10.6.3.9 - Outgoing - Outgoing
Received: from uxcn13-tdc-e.uoa.auckland.ac.nz ([10.6.3.9]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 01 May 2018 00:43:10 +1200
Received: from uxcn13-tdc-d.UoA.auckland.ac.nz (10.6.3.5) by uxcn13-tdc-e.UoA.auckland.ac.nz (10.6.3.9) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Tue, 1 May 2018 00:43:10 +1200
Received: from uxcn13-tdc-d.UoA.auckland.ac.nz ([fe80::9f5:baf3:43e7:a6e6]) by uxcn13-tdc-d.UoA.auckland.ac.nz ([fe80::9f5:baf3:43e7:a6e6%14]) with mapi id 15.00.1263.000; Tue, 1 May 2018 00:43:09 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "draft-gutmann-scep@ietf.org" <draft-gutmann-scep@ietf.org>, "carl@redhoundsoftware.com" <carl@redhoundsoftware.com>
CC: "saag@ietf.org" <saag@ietf.org>
Thread-Topic: Comment added to draft-gutmann-scep history
Thread-Index: AQHTx0JalykNlRFNLEeHWmw80fOk66PxVi1qgCgcEDw=
Date: Mon, 30 Apr 2018 12:43:09 +0000
Message-ID: <1525092187804.38190@cs.auckland.ac.nz>
References: <152231658869.24008.11321959845877039592.idtracker@ietfa.amsl.com>, <1522887334433.4490@cs.auckland.ac.nz>
In-Reply-To: <1522887334433.4490@cs.auckland.ac.nz>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/Llym2en1RnMzMUZoZ4zIQn6V-pI>
Subject: Re: [saag] Comment added to draft-gutmann-scep history
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Apr 2018 12:43:43 -0000
Apologies for the long delay in responding, I've been buried in other work. Also, I'm not sure who to send this to, I got notified via a do-not-reply address, I assume it goes to the SAAG list? A general response to this, I didn't write this document so as with the previous review I'll have to say "it was like this when I got here" in several cases, I've left the original authors' text intact wherever possible but without rewriting half the doc in my own words I can't really defend a lot of the text because I didn't write it. Also, some of the comments apply to things that have already been picked over and corrected. What will happen if I start making alterations to the alterations? Will it go to publication after that, or will it reset the counter back to requiring further changes if people object to the changes? I'm concerned that I'm going to get caught between two lots of editing changes, I tried to change/fix everything that people pointed out last time, but if I make more changes now it may end up undoing or changing the things that people wanted the last time round. >1) In general, the document is using several unregistered MIME types with >"x-" prefix: > >application/x-x509-ca-cert >application/x-x509-ca-ra-cert >application/x-pki-message >application/x-x509-next-ca-cert > >These should be registered in the IANA Considerations as per Appendix A of >RFC 6838. Isn't the whole point of the x- type that it doesn't need to be, and indeed can't be, registered? RFC 6838 says: Types in this tree cannot be registered and are intended for use only with the active agreement of the parties exchanging them. >application/x-x509-ca-cert > > How is this different from application/pkix-cert registered in RFC 2585? No idea, it was like that when I got here. I assume one is a CA cert and the other isn't. > "GET" CGI-PATH CGI-PROG "?operation=GetCACaps" > >This is not a correct ABNF (in case you intended to define a formal syntax >here) and this is not a correct HTTP request line. Please make it one or >another, or clarify somewhere syntax that you use. What form should it be in? It's been like this for close to twenty years, I just left what the original authors had put there in place, I honestly don't know what else to put in there. >Also, I don't think CGI-PATH and CGI-PROG are significant for the request They aren't, that's why I updated the text to mention this. However everyone seems to use fixed values for these based on close to 20 years of draft use, so they're not used but their presence is required. >Again, this is neither correct formal syntax nor correct HTTP requests. Quite probably. What should it say? >Firstly, clients don't care about HTTP server using CGI, they just care about >knowing where to send SCEP requests. Sure, that's why I said so in the updated draft, just hardcode in "/cgi- bin/pkiclient.exe" for compatibility with existing implementations. >Secondly, hardcoded URI paths are in violation of RFC 7320. You can read more >on this in Section 4.4 of > ><https://datatracker.ietf.org/doc/draft-ietf-httpbis-bcp56bis/?include_text=1> SCEP predates RFC 7320 by 14-15 years, so it's a bit late to the party... >I understand that this is a deployed protocol and the default path used is >unlikely to change. However, I don't think the document should pay so much >attention to use of CGI-PATH/CGI-PROG. My suggestion is: a) Remove any >reference to CGI-PROG/CGI-PATH from the document b) Replace the above section >with something like this: See above, the text already says that it's only there for backwards compatibility. I can change it to remove CGI-PROG/CGI-PATH if required, but I'm worried about this triggering another round of comments and editing, particularly since there are multiple places in the text that will require changes. >1) Missing references: Are these really needed? References to AES and SHA-2 and LDAP? It's just going to add a lot of noise to the spec, will people really need to be given a reference to the AES spec in order to implement SCEP? >2) Should ACME work be mentioned in the Introduction? There are quite a lot of cert-enrolment protocols, the original SCEP text only covers CMP and CMP which date from the same time as SCEP, I didn't want to get into a survey of other protocols because it'd be a long and somewhat tedious list. >Clients shouldn't care whether or not SCEP is provided by a CGI program. >Please change this to "CA HTTP URL path" or "CA HTTP URI path". See above about potential cascading changes throughout the text, I'd really prefer to just leave this stuff alone since it's worked OK for nearly 20 years. >How often and for how long should a client poll? Recommending some defaults >would be useful to set expectations. I have no idea... I mean I literally have no idea, I don't know what implementations do in practice. I know that in some cases with manual approval it can take hours, but I'm not sure if that's typical. It could be seconds, minutes, hours... >Why not "MUST NOT" and what are possible implications of violating the SHOULD >NOT? Because some implementations may choose to parse at least a few common error strings. They shouldn't, but they can if they want to. >What does the last requirement actually mean? Is this describing order of >certificates or just saying that it is not an intermediate certificate? It's saying that the leaf certificate in the chain is the issued certificate. >So just to double check that I understood this correctly: the client is >generating a self-signed certificate B in order to retrieve its certificate A >signed by CA? Yes. >The last requirement is quite problematic for extensibility. I understand why >this sentence is there though. Are future extensions to SCEP likely? Why is it problematic for extensibility? What's returned is lines of text, you can add any further lines you like. > A SCEP CA is the entity that signs client certificates. A CA MAY > enforce any arbitrary policies and apply them to certificate > requests, and MAY reject a request for any reason. > >I think this is pretty much granted and doesn't need to be said, especially >the latter part. This was something that previous people who commented on it requested, see my earlier comment about being caught between conflicting requests for changes. >When referncing RFC 4648 you should specify the section number to avoid all >confusion. I assume you meant Section 4? Yes, I've updated the text although it already points out that it's "base64" and not "base64url" that's used. Peter.
- Re: [saag] Comment added to draft-gutmann-scep hi… Peter Gutmann
- Re: [saag] Comment added to draft-gutmann-scep hi… Max Pritikin (pritikin)
- Re: [saag] Comment added to draft-gutmann-scep hi… Alexey Melnikov
- Re: [saag] Comment added to draft-gutmann-scep hi… Alexey Melnikov
- Re: [saag] Comment added to draft-gutmann-scep hi… Max Pritikin (pritikin)
- Re: [saag] Comment added to draft-gutmann-scep hi… Peter Gutmann
- Re: [saag] Comment added to draft-gutmann-scep hi… Peter Gutmann
- Re: [saag] Comment added to draft-gutmann-scep hi… Benjamin Kaduk
- Re: [saag] Comment added to draft-gutmann-scep hi… Patrick McManus
- Re: [saag] [FORGED] Re: Comment added to draft-gu… Peter Gutmann
- Re: [saag] Comment added to draft-gutmann-scep hi… Peter Gutmann
- Re: [saag] Comment added to draft-gutmann-scep hi… Patrick McManus
- Re: [saag] Comment added to draft-gutmann-scep hi… Alexey Melnikov
- Re: [saag] Comment added to draft-gutmann-scep hi… Alexey Melnikov
- Re: [saag] Comment added to draft-gutmann-scep hi… Peter Gutmann
- Re: [saag] Comment added to draft-gutmann-scep hi… Alexey Melnikov
- Re: [saag] Comment added to draft-gutmann-scep hi… Peter Gutmann
- Re: [saag] Comment added to draft-gutmann-scep hi… Alexey Melnikov
- Re: [saag] Comment added to draft-gutmann-scep hi… Peter Gutmann