Re: [saag] AD Review of draft-eastlake-rfc6931bis-xmlsec-uris-17
Donald Eastlake <d3e3e3@gmail.com> Mon, 08 November 2021 02:31 UTC
Return-Path: <d3e3e3@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id AC3873A0798
for <saag@ietfa.amsl.com>; Sun, 7 Nov 2021 18:31:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.848
X-Spam-Level:
X-Spam-Status: No, score=-1.848 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001,
SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001]
autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key)
header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id t_pNjeH-ErOM for <saag@ietfa.amsl.com>;
Sun, 7 Nov 2021 18:31:40 -0800 (PST)
Received: from mail-io1-xd35.google.com (mail-io1-xd35.google.com
[IPv6:2607:f8b0:4864:20::d35])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id EEF423A086E
for <saag@ietf.org>; Sun, 7 Nov 2021 18:31:39 -0800 (PST)
Received: by mail-io1-xd35.google.com with SMTP id e144so17317382iof.3
for <saag@ietf.org>; Sun, 07 Nov 2021 18:31:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112;
h=mime-version:references:in-reply-to:from:date:message-id:subject:to
:cc:content-transfer-encoding;
bh=PUWUt1smgjmae7RrFK8XHeTrwWalHcCl6HZ+OhrFzn4=;
b=ajsSaRweBvgJA1T6NBMgU29Uw4GjcG4/TQevk6aoi63Cbv94r5ufdxGvwdXmNdKPXd
hXIVGGF22/Pnksh2FRPdr4Jytjnr0MR7GZNJRawZdi30TT5P73q7htwGd4apFULCZDzr
0nwfK2m+gazDoBZp626+XaO9EEilbVwYgS+OA5ThQwsxv/fV2VHKvTwyRZdVfXo+qUk+
xs/Q5ree/zUdH9icwuouo1vt1bb1wmSrU2N7nWEq+j6c/BnamKpQmqhRRRdgzRM2JTA9
zRmicGLYfhXEh9sJG+VTKFZac20aNM5t26AAR1PuKIglmwHP6XT2+2g+rPCcfPKBdMJ8
xqPQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20210112;
h=x-gm-message-state:mime-version:references:in-reply-to:from:date
:message-id:subject:to:cc:content-transfer-encoding;
bh=PUWUt1smgjmae7RrFK8XHeTrwWalHcCl6HZ+OhrFzn4=;
b=5IzrIQOzdYo+0H7gzG9S+tLY7aJbiWdw8DXsyEgcavGDrHwHUC8QFKN9mR9ISIGRls
9S6e5AuTPkVDv7UYYr9IsezcYw053lQAwNM2cA3CUNdEbFL2sAQm9VT7Qboe+ZREo/zH
uEiQ3xrF9LzwQMm30O8jZyCaRleHCPMWO8+eiADKJ3X0Yqmn2n/rqL+Kn4UMP/pQ6KXf
H1Rj0vEn7rC0vKi77gB/xKJCmZmpj80kFA3DHSZd8NDcaFDeMzjw+pT343I8x1z+F/O5
Bx15gknWwxtHSRo7bLbkBtwDvBlEXvX2ue5wLO2thCjTSpfi9THBbfGkX9FeAOkCuZpj
v2tg==
X-Gm-Message-State: AOAM531s94C1AEhmTYEV8HSh1fwRzsAqbcCgIwDW/uk5PjKvoPYNaHxs
JhkUd0zgS6BgDhFVEw7RF4wN5Rn5f5tmsCXDtINh4cRwHTI=
X-Google-Smtp-Source: ABdhPJzApYxAZq1yVquFYow9JGPW79DJnXITvnjTqKxic24cZl/v3eb+E6rp3/Sg7jguYImlcUhP0qgw90nCHnXdZQM=
X-Received: by 2002:a02:b790:: with SMTP id f16mr13206813jam.2.1636338698172;
Sun, 07 Nov 2021 18:31:38 -0800 (PST)
MIME-Version: 1.0
References: <BN1P110MB09398B273C13AC5E9AD1309FDC909@BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM>
In-Reply-To: <BN1P110MB09398B273C13AC5E9AD1309FDC909@BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM>
From: Donald Eastlake <d3e3e3@gmail.com>
Date: Sun, 7 Nov 2021 21:31:27 -0500
Message-ID: <CAF4+nEFZUJMR75h3KtjSNncogDwUxWkBqOkPvX1wmJ-05zxY-A@mail.gmail.com>
To: Roman Danyliw <rdd@cert.org>
Cc: saag <saag@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/kUFWgxlflJcIyVzyJzGjuHQt764>
Subject: Re: [saag] AD Review of draft-eastlake-rfc6931bis-xmlsec-uris-17
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>,
<mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>,
<mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Nov 2021 02:31:53 -0000
Hi Roman, Thanks for the review. See below: On Sun, Nov 7, 2021 at 11:34 AM Roman Danyliw <rdd@cert.org> wrote: > Hi! > > I performed an AD review on draft-eastlake-rfc6931bis-xmlsec-uris-17. As this document is AD-sponsored, I would also appreciate additional reviewer either now or when the document enters IETF LC. My feedback is below: > > ** I checked all of the new URIs listed in the document. Generally, they returned a page saying that these identifiers are reserved and pointed back to this document. The following URIs demonstrated different behavior. Is this expected or a sign that further coordination with W3C is required? > > -- Returns a 404: > http://www.w3.org/2021/04/xmldsg-more#siphash-2-4 I believe the W3C will set up web pages or fix them as needed for UIRs defined by this document or its predecessors. I've suggested to them that we might as well wait until the document is a bit further through the process. > -- Returns a generic page on namespaces (but I'll note that these URI are also already defined in [GENERIC], aka https://www.w3.org/TR/xmlsec-generic-hybrid/): > > http://www.w3.org/2010/xmlsec-ghc#rsaes-kem > http://www.w3.org/2010/xmlsec-ghc#ecies-kem URIs defined in other documents but included in this draft for convenience are somewhat of a different matter. > ** Editorial. Why do only of some the algorithms have examples? For example, in the original RFC6931 text, Section 2.1.3 (SHA-384) has one, but Section 2.1.4 (Whirlpool) does not. Section 2.1.5 (SHA3) was originally in RFC6931 and in this bis got an example (for SHA3-224). Of the newly added algorithms, Section 2.2.4 (Poly1305), 2.2.5 (SipHash-2-4), 2.2.6 (XMSS), 2.6.7 (ChaCha20) didn't get examples (not an exhaustive list), but Section 2.3.12 (Edwards-Curve) and Section 2.6.8 (ChaCha20+Poly1305) did. There is no particularly good reason. I can add some examples. > ** Abstract. Editorial. > > OLD > This document updates and corrects the IANA registry for the list of > URIs intended for use with XML digital signatures, encryption, > canonicalization, and key management. These URIs identify algorithms > and types of information. > > NEW > This document updates and corrects the IANA "XML Security URIs" registry that lists the URIs intended for use with XML digital signatures, encryption, canonicalization, and key management. These URIs identify algorithms and their associated type information. OK on the change of the first sentence. However, at least the URIs in Section 3.2 seem to me to identify types of information and I'm not sure they can be said to be associated with a crypto algorithm. > ** Section 1. Typo. s/has has/has/ > > ** Section 1. Typo. s/elemets/elements/ > > ** Section 2. This section discusses the namespace change from #xmldsig to #xmldsig-more. It seems like an introduction of #xmlsec-ghc should also be added here. > > ** Section 2.2.3. Editorial. s/is here used/is used here/ > > ** Section 2.2.4. Typo in the identifier URI: > > OLD > http://www.w3.org/2021/04/xml6dsig-more#poly1305 > NEW > http://www.w3.org/2021/04/xmldsig-more#poly1305 OK on the above. > ** Section 2.2.6. Is there a reason there isn't more narrative text point out the different variants of XMSS the same way that Section 2.1.5 or 2.2.2 ? This is one of the algorithms added in this version of the draft. I'll see if I can add some more useful text. > ** Section 2.6.4. This is comment on the original text from RFC6931 copied into this document. Why doesn't the full namespace from the "identifiers" list match the example for #psec-kem? The latter says "xmldsig-more#psec-kem" but the example says "xmlenc#psec-kem". The namespace from specific W3C documents, such as in this case, <https://www.w3.org/TR/xmlsec-generic-hybrid/>, should dominate name spaces created for this draft or its predecessors. I'll check into this case. > ** Section 2.6.7. Typo. s/repreented/represented/ > > ** Section 2.6.7. Typo. /nexted/nested/ > > ** Section 2.7.2. Typo. s/specificed/specified/ > > ** Section 2.7.2. Typo. In the example: > OLD > /AgreementMethod> > > NEW > </AgreementMethod> > > ** Section 4.2. Typo in the fragment name of the table (used to update the IANA registry) > > OLD > 2021/04/xmldsig-more#po1305 > > NEW > 2021/04/xmldsig-more#po1y305 OK on the above. > ** Section 5.1 > The W3C has assigned "http://www.w3.org/2021/04/xmldsig-more#" for > additional new URIs specified in this document. > > "xmlsec-ghc#" is also used. Perhaps we should ls I think xmlsec-ghc is not an added namespace for this draft, it's from https://www.w3.org/TR/xmlsec-generic-hybrid/. I'll say something about it. > ** Section 5.2. Why loosen the registration procedure from specification required to expert review? The documentation requirement seems nearly equivalent to "specification required". Given how little churn this gets (especially in new Types), what would be the circumstances where the rigor of a W3C or IETF wouldn't be appropriate? This text was just carried forward from RFC 6931. The question is why did the IANA Registry not use the registration procedure specified by RFC 6931? In any case, I'd be happy to change this in the draft Specification Required. Thanks, Donald =============================== Donald E. Eastlake 3rd +1-508-333-2270 (cell) 2386 Panoramic Circle, Apopka, FL 32703 USA d3e3e3@gmail.com > Regards, > Roman
- [saag] AD Review of draft-eastlake-rfc6931bis-xml… Roman Danyliw
- Re: [saag] AD Review of draft-eastlake-rfc6931bis… Donald Eastlake
- Re: [saag] AD Review of draft-eastlake-rfc6931bis… Roman Danyliw
- Re: [saag] AD Review of draft-eastlake-rfc6931bis… Donald Eastlake
- Re: [saag] AD Review of draft-eastlake-rfc6931bis… Roman Danyliw
- Re: [saag] AD Review of draft-eastlake-rfc6931bis… Donald Eastlake