Re: [sacm] review of draft-ietf-sacm-ecp
Jessica Fitzgerald-McKay <jmfmckay@gmail.com> Thu, 25 July 2019 14:58 UTC
Return-Path: <jmfmckay@gmail.com>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C6EE1200EC for <sacm@ietfa.amsl.com>; Thu, 25 Jul 2019 07:58:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.997
X-Spam-Level:
X-Spam-Status: No, score=-0.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.999, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8nT6UG2CHsB3 for <sacm@ietfa.amsl.com>; Thu, 25 Jul 2019 07:57:59 -0700 (PDT)
Received: from mail-ot1-x32e.google.com (mail-ot1-x32e.google.com [IPv6:2607:f8b0:4864:20::32e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B9F71200E3 for <sacm@ietf.org>; Thu, 25 Jul 2019 07:57:59 -0700 (PDT)
Received: by mail-ot1-x32e.google.com with SMTP id l15so51931885otn.9 for <sacm@ietf.org>; Thu, 25 Jul 2019 07:57:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Z5Et7yU3YsmoFXdbCkQUByaTPm9ttnXFUeDhBjcsQ9U=; b=aZQqckSY+o1Q4+O+WaF4i2jMh4EnXHAqAWjEYlLOCGe3TJOdOf9FckaelVK8/i1UJr wMIQJg7eKay+EHwLARV9zRugHCPP2eLfOBYGrJuVTkOKPLsfc3VbX1GGs0ZmJY9+Uq7G ntzFuH9Z2IQAmls5QQ+2Kl9d0qPI+2HfAhO1e9eIYXKxiCKG8/vcQGSAFNcp8D3SRAxx ovzj5jhKvN2yrVoBRXbRXRZ+NR9ug0JI/DNsDEA+E0j5SPLyB2kOJuDYMlvSvkAo4qz4 mPi/tvvh/2JYsiD1P9G9WBsbxZDXuDeHM+a/GK+dU1phEsLsU5BS2FgaxF091+EhCb6/ PAyg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Z5Et7yU3YsmoFXdbCkQUByaTPm9ttnXFUeDhBjcsQ9U=; b=GyoLwFB5GiNmTk8vX9NVpa7RoiLiUjz9BWCiA4GSA/YcuvtqwAQm6n+W8kySP3RwlW 4UZBhtPNdEd0V/Xyp+6kbThSdHaHocv+Nj+aY5JwpZxVdIi7ktEnj5WODIJbQHLMpIo8 j9IwniB9Fg7SCnB9f5dBs4joUtdTZrEYWWi/B66Q6cKKT6q7BEAunKzLhzGpMXEE3/kI M0jvsvup7bwXmMRlZIP3upQOaLLqTYcG9sXx/ujLY4P19hjpLAGVJNvRWAyIZF/pnppa Fao5JRIfNfxDC5OwmQYcV0VYYINEGSf9JasETfJWzznH8mnYFf7LXozKl9EZ6A3nUcJ7 v67A==
X-Gm-Message-State: APjAAAWUrXkUgcB5B9zcp2HHsZTB/wrpN8kRWRVqvnn+2j0Vhlk5f7jE 2ZSKpvNnIp8YkF9I/u5xutoJrQVivUCi2EdXK18=
X-Google-Smtp-Source: APXvYqzkeNU/vgzI4WglNsd6vhnERI5o6ik3Z3fRq7oAsAkGyk2dubO9GLoYUlT/WVwIyGtTuVMbHSgtr3NrA2x75fc=
X-Received: by 2002:a9d:61c7:: with SMTP id h7mr60800501otk.357.1564066678535; Thu, 25 Jul 2019 07:57:58 -0700 (PDT)
MIME-Version: 1.0
References: <CAHbuEH4V_Z26YmJLz_P0V+enKegibYCZJbp=gCBs44Q4Hgy6qg@mail.gmail.com>
In-Reply-To: <CAHbuEH4V_Z26YmJLz_P0V+enKegibYCZJbp=gCBs44Q4Hgy6qg@mail.gmail.com>
From: Jessica Fitzgerald-McKay <jmfmckay@gmail.com>
Date: Thu, 25 Jul 2019 10:57:47 -0400
Message-ID: <CAM+R6NXNiK5ocGt5y1Z3XLo0X2yAALzJ1FeoOR=BjXvXSLr4+w@mail.gmail.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Cc: "<sacm@ietf.org>" <sacm@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c77ac2058e82a663"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/LLtZGpr8B98qiIX6L2ypxUXAJWY>
Subject: Re: [sacm] review of draft-ietf-sacm-ecp
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Jul 2019 14:58:01 -0000
Thanks for the review, Kathleen. Response in line denoted by [jmf]. On Thu, Jul 18, 2019 at 10:14 AM Kathleen Moriarty < kathleen.moriarty.ietf@gmail.com> wrote: > Hello! > > I reviewed > https://datatracker.ietf.org/doc/draft-ietf-sacm-ecp/?include_text=1 and > have a few comments and questions below. Thanks for your work on this > draft! In addition to my review comments, I am curious on adoption as I'd > like to see if this has gained traction and if not, help figure out how we > (the working group participants) can help with that. > > Abstract: > After reading the full document, the following does not seem to be the > case in terms of how we use the word "extension" in the IETF. > "This document is an extension of the Trusted Computing > > Group's Endpoint Compliance Profile Version 1.0 specification [ECP]. > > This document uses other IETF protocols and formats, referencing them > appropriately and doesn't extend those either. > > I think the best approach may be to drop that sentence as the context is > covered prior to it. > [jmf] okay, we will drop the sentence. > > Introduction: > > Was this text meant for the WG development process or for -bis updates? > The described additions could be done with new RFCs that update or extend > this without doing a -bis as well. Just mentioning so authors are aware of > all options: > > Future revisions of this > document may include support for the collection of posture > information from other endpoint types as well as a standardized > interface for storing and querying data in repositories among other > capabilities. > > > [jmf] This text refers to future work group revisions of this document. Therefore, I will leave this text as is. Section 4.1 > If certificates are the only method of authentication, per the first > sentence in this section, why is certificate authentication a SHOULD? I > would expect a MUST for authentication and a RECOMMENDED for the preferred > method or a MUST for the only method. > > The target endpoint SHOULD authenticate to the posture manager using > a machine certificate during the establishment of the outer tunnel > achieved with the posture transport protocol defined in [RFC6876]. > > [jmf] I think the confusion here is actually in the first sentence of section 4.1. It currently reads An endpoint is provisioned with a machine certificate that will serve as its unique identifier on the network as well as the components necessary to interact with the posture manager. But, of course, that is not always true. An endpoint SHOULD be provisioned with a certification, which then SHOULD be used to authenticate to the posture manager. I will change the text in the first section of 4.1, and leave the rest of the text as is, > In the same section, do you mean authenticator or identity? > > In the future, the identity could be a hardware certificate compliant > with [IEEE-802-1ar]; ideally, this identifier SHOULD be associated > with the identity of a hardware cryptographic module, in accordance > with [IEEE-802-1ar], if present on the endpoint. > > [jmf] I think I mean authenticator. I will make that change. > Ah, the last sentence says a password is possible, so other methods can be > supported. Cleaning up the text a bit would be helpful. > [jmf] will do. > > Section 4.5 heading, did SWIMA get autocorrected to SWAM? Or did I miss a > few reviews (which is possible)? > [jmf] No, we mean Software Asset Management [SWAM]. SWIMA is used to implement the SWAM use case. I will expand the SWAM acronym and clarify the text here. > > Section 5: > > Is NETCONF/RESTCONF the only supported protocol interfaces? This section > reads as if that is the case. Would DMTF's CIM be supported with the > appropriate interface (SNIA, Windows, etc.) or other implemented > configuration assessment combination? Or has YANG development gone far > enough that this is not necessary? > [jmf] Other interfaces could be supported, but are not described here. I will clarify the text to say so. > > Thanks again for your work on this document! It looks very good and will > be helpful. I think it can also serve as a nice example of how to detail > endpoint security requirements in protocol documents (see > SAAG/SecDispatch/SMART discussion on threat models and a possible RFC3552 > revision). > > [jmf] Thank you! Jess > > > -- > > Best regards, > Kathleen > _______________________________________________ > sacm mailing list > sacm@ietf.org > https://www.ietf.org/mailman/listinfo/sacm >
- [sacm] review of draft-ietf-sacm-ecp Kathleen Moriarty
- Re: [sacm] review of draft-ietf-sacm-ecp Jessica Fitzgerald-McKay