Re: [secdir] secdir review of draft-ietf-kitten-rfc6112bis-02

Shawn M Emery <> Wed, 09 November 2016 01:35 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5882E129447; Tue, 8 Nov 2016 17:35:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -5.699
X-Spam-Status: No, score=-5.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, RP_MATCHES_RCVD=-1.497, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ZXhumPwIUDA0; Tue, 8 Nov 2016 17:35:38 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id EAC1A129459; Tue, 8 Nov 2016 17:35:37 -0800 (PST)
Received: from ( []) by (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id uA91Za0l013488 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 9 Nov 2016 01:35:36 GMT
Received: from ( []) by (8.14.4/8.14.4) with ESMTP id uA91ZZ0T017318 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 9 Nov 2016 01:35:35 GMT
Received: from ( []) by (8.13.8/8.13.8) with ESMTP id uA91ZVt1026483; Wed, 9 Nov 2016 01:35:32 GMT
Received: from [] (/ by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 08 Nov 2016 17:35:31 -0800
To: Carl Wallace <>,
References: <>
From: Shawn M Emery <>
Message-ID: <>
Date: Tue, 8 Nov 2016 18:37:53 -0700
User-Agent: Mozilla/5.0 (X11; SunOS i86pc; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Source-IP: []
Archived-At: <>
Cc: Greg Hudson <>, The IESG <>,
Subject: Re: [secdir] secdir review of draft-ietf-kitten-rfc6112bis-02
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 09 Nov 2016 01:35:39 -0000

On 11/ 7/16 04:16 PM, Carl Wallace wrote:
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the IESG.
> These comments were written primarily for the benefit of the security area
> directors.  Document editors and WG chairs should treat these comments
> just like any other last call comments.
> draft-ietf-kitten-rfc6112bis-02 is an update that obsoletes RFC 6112. It's
> a copy of 6112 with a few corrections, some word-smithing and a small
> amount of new text. A few minor comments are below:
> - RFC6112 should appear in the bibliography.


> - I'd add a few more items to section 1.1 (changes since 6112) to call out
> the corrections to type names from RFC4556 and highlight the
> KeyExchange->KEYEXCHANGE change. Rationale for the MUST->SHOULD change
> might be nice here too.

I've updated the section according to your suggestions:

In Section 7, the pepper2 string, "KeyExchange", is corrected to comply 
with the string actually used by implementations.

The requirement for the anonymous option to be used when an anonymous 
ticket is used in a TGS request is reduced from a MUST to a SHOULD.  At 
least one implementation does not require this and is not necessary that 
both be used as an indicator of request type.

Corrected the authorization data type name, AD-INITIAL-VERIFIED-CAS, 
referenced in this document.

Does this clarify the changes?

> - The IANA considerations section was right in 6112, but probably doesn't
> belong here (at not least as defining a 'new' well-known name).

I've taken out the words 'new' from this section.

Thanks for your review and I've made the recommended updates in the next 
version of the draft.