[sacm] review of draft-ietf-sacm-ecp
Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Thu, 18 July 2019 14:14 UTC
Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7ACD81202DE for <sacm@ietfa.amsl.com>; Thu, 18 Jul 2019 07:14:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yrWkk0Cajz7u for <sacm@ietfa.amsl.com>; Thu, 18 Jul 2019 07:14:43 -0700 (PDT)
Received: from mail-ot1-x331.google.com (mail-ot1-x331.google.com [IPv6:2607:f8b0:4864:20::331]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 133BA1202FE for <sacm@ietf.org>; Thu, 18 Jul 2019 07:14:37 -0700 (PDT)
Received: by mail-ot1-x331.google.com with SMTP id b7so29111803otl.11 for <sacm@ietf.org>; Thu, 18 Jul 2019 07:14:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=DVUJte6J6uAGXEbts4/VRePz+aP8h8+YNSA3d4pf7lA=; b=jZsWC8vHRMPdT7gIRPLl9mbYnIeY5dii94raDUVbzis8EDImIMDsVwdF4VmM2g3dYC vx+UsusN8hW4Krhe7qEexQujbjDyfAqcl5pbDEJDmlP6oU7A/3S5VwplnOhxk1ZUq0dQ +tDv1FAEY+jefv1wo/8aV6B5JAJCZkZMFhzDyyn5/KP/bi3ufkRAINCD1g+vhSpY8Ad8 aZiZ/XxD2YX1rPAm5AHiFuZa6sRxYhUiVlDGJMkZwAxQd5UzsSY7UqyKouxjKaFvHp7N g1OrKxnppGszIYidvA9eRFRZts9lQe5YPS9sTPzr79FeVVDQvUJJisCx2xoRpyGnNcmH oPOQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=DVUJte6J6uAGXEbts4/VRePz+aP8h8+YNSA3d4pf7lA=; b=Wai/98+QgHVrVu8rPXa4mdCMmKxxjEb4F90lQkGkcjmT7k0Y8fmgXon9f/LtGIEvj9 1Q5H8av5DwszXE7p09F+ZkxRtec1Oxj4Llnbzpo4O7QqExOO8/qwFYKudNaem99Dnw7U w5PiUUBTWhSZotwlxNJ9LKZXfBqDw/08HFilJA1RiaLa+jQzg3qGsG6b+GPoy8o8H1bc 2L+WXato1Hab1h+thgG2jUnR1FieiXmSVO1Y/Vhnpr92Q5GERcFmDpzdEl3RGo8uXII6 aE6xXF+BFHHgev2lueYAprMtvtv0Ni1k3L9ZijbTVWHdR4ciCs6jcmqBcXIHfz028O/V 4mNg==
X-Gm-Message-State: APjAAAUHo6y4LhE/G8eNSJgpOMQMmAhFiX5jbrLluoraRSk+VR7Xu/yf BCrRO9rAvn0hRxjKSso8f3UiAzK74RkQolgeALfTb8pNiy8=
X-Google-Smtp-Source: APXvYqwfm8+vv/msvl8nHsh9UiIw9HWFxKeyEfYRsJ35cWhOPQD7Ai/Inl2c8SirA9pligKNazqj4ZgkxNbyoN2vgvs=
X-Received: by 2002:a9d:6394:: with SMTP id w20mr28618837otk.151.1563459276118; Thu, 18 Jul 2019 07:14:36 -0700 (PDT)
MIME-Version: 1.0
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Thu, 18 Jul 2019 10:14:00 -0400
Message-ID: <CAHbuEH4V_Z26YmJLz_P0V+enKegibYCZJbp=gCBs44Q4Hgy6qg@mail.gmail.com>
To: "<sacm@ietf.org>" <sacm@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c61e66058df53a4b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/TPOzcCDx3uckFeBEpRNJIn-XPPA>
Subject: [sacm] review of draft-ietf-sacm-ecp
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Jul 2019 14:14:46 -0000
Hello! I reviewed https://datatracker.ietf.org/doc/draft-ietf-sacm-ecp/?include_text=1 and have a few comments and questions below. Thanks for your work on this draft! In addition to my review comments, I am curious on adoption as I'd like to see if this has gained traction and if not, help figure out how we (the working group participants) can help with that. Abstract: After reading the full document, the following does not seem to be the case in terms of how we use the word "extension" in the IETF. "This document is an extension of the Trusted Computing Group's Endpoint Compliance Profile Version 1.0 specification [ECP]. This document uses other IETF protocols and formats, referencing them appropriately and doesn't extend those either. I think the best approach may be to drop that sentence as the context is covered prior to it. Introduction: Was this text meant for the WG development process or for -bis updates? The described additions could be done with new RFCs that update or extend this without doing a -bis as well. Just mentioning so authors are aware of all options: Future revisions of this document may include support for the collection of posture information from other endpoint types as well as a standardized interface for storing and querying data in repositories among other capabilities. Section 4.1 If certificates are the only method of authentication, per the first sentence in this section, why is certificate authentication a SHOULD? I would expect a MUST for authentication and a RECOMMENDED for the preferred method or a MUST for the only method. The target endpoint SHOULD authenticate to the posture manager using a machine certificate during the establishment of the outer tunnel achieved with the posture transport protocol defined in [RFC6876]. In the same section, do you mean authenticator or identity? In the future, the identity could be a hardware certificate compliant with [IEEE-802-1ar]; ideally, this identifier SHOULD be associated with the identity of a hardware cryptographic module, in accordance with [IEEE-802-1ar], if present on the endpoint. Ah, the last sentence says a password is possible, so other methods can be supported. Cleaning up the text a bit would be helpful. Section 4.5 heading, did SWIMA get autocorrected to SWAM? Or did I miss a few reviews (which is possible)? Section 5: Is NETCONF/RESTCONF the only supported protocol interfaces? This section reads as if that is the case. Would DMTF's CIM be supported with the appropriate interface (SNIA, Windows, etc.) or other implemented configuration assessment combination? Or has YANG development gone far enough that this is not necessary? Thanks again for your work on this document! It looks very good and will be helpful. I think it can also serve as a nice example of how to detail endpoint security requirements in protocol documents (see SAAG/SecDispatch/SMART discussion on threat models and a possible RFC3552 revision). -- Best regards, Kathleen
- [sacm] review of draft-ietf-sacm-ecp Kathleen Moriarty
- Re: [sacm] review of draft-ietf-sacm-ecp Jessica Fitzgerald-McKay