IETF Logo Mail Archive

[secdir] Re: draft-ietf-lamps-rfc5273bis-08 ietf last call Secdir review

Sean Turner <sean@sn3rd.com> Tue, 16 September 2025 02:13 UTC

Return-Path: <sean@sn3rd.com>
X-Original-To: secdir@mail2.ietf.org
Delivered-To: secdir@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 84EE663454E6 for <secdir@mail2.ietf.org>; Mon, 15 Sep 2025 19:13:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=sn3rd.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MUCUnaRb__Qt for <secdir@mail2.ietf.org>; Mon, 15 Sep 2025 19:13:27 -0700 (PDT)
Received: from mail-qk1-x735.google.com (mail-qk1-x735.google.com [IPv6:2607:f8b0:4864:20::735]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 842AD634549A for <secdir@ietf.org>; Mon, 15 Sep 2025 19:13:27 -0700 (PDT)
Received: by mail-qk1-x735.google.com with SMTP id af79cd13be357-80e4cb9d7ceso638078985a.1 for <secdir@ietf.org>; Mon, 15 Sep 2025 19:13:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sn3rd.com; s=google; t=1757988801; x=1758593601; darn=ietf.org; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:from:to:cc:subject:date:message-id:reply-to; bh=oC4FDsZwZTcM87ORXafX2WrNvIQl079mMgjRa3+De+o=; b=NnAiXMR63lo3gieNtOXNQhr2QVN3FwMqFJuY3bx4qpYdswLMJHvU6mDEc3FTpc3ekS qXlUTb32ltfNWm/BNeLvAXmaX+ZbiuCbCZoyi+IMc2Ca1rcyNl5BAROvYQ2PxxbdR4qy 7W697Vd/ZGH6bPTj08Y0ceLyeEi7hJ9SHC/EQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1757988801; x=1758593601; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=oC4FDsZwZTcM87ORXafX2WrNvIQl079mMgjRa3+De+o=; b=V+OIwj4MHIE/kzyty6j/foK8+Xh3amEapDtw6GGH2c388JmM7Mw1jKlhvC8heS/Ynj 7pdXEGoI0kW/8oLe1zSzYY4ORvssyVI2oyp8lRbOEdrivtyW7ukdw+lPPJuVuZGEp/UN d66hAxLLmbFjJtfcIuwUxkQF0kpgQxPUwIE9kv58WHP4xCQFRLXJxUq4SCgki/mhrf4O rFw3AZ3lB1jmrSsqssUXZ7gheDGS5moMyI0lOZEJc2K3FVCG8dIz5FTDbDYKKPj8dgzG 46vXK3X34uZsW5TEExtlm3FqPmTgX0ZJjkPkYRM0V+jBkNlIemXUyLdVk7/v+qmmR1i3 2DPA==
X-Gm-Message-State: AOJu0Yx5wPo4qJuhKN0ZvA9g77O7mJOL/NGS1C8eo3zajkhSeTxI2row IIQFP/NlzyTJFAFa0XnPVOmA9ymwTUgeFruTCYLEEZPi5FElk+lyf0Lw2ruzCQ6XQr0=
X-Gm-Gg: ASbGncvhy0l866J9HgqETbe8RqZnki7utT8iiMzEn5HENmKFO4jdhzV7jbDwyajgUGx ZulMdYJuJGCY+5BJ5ZjWiC98+rmt+VSunHk73Y6AbQakUXg9yDlZDt9GMOP9FoFqNAVTDnqSeKF wOftZujuacu5wm+dG+3CHVi7P72p5wiv/JiHFXT/CyOMRavY7qO/CjHH7X7Y7wNcLI4IQyV1pu9 L9YirRhybBTIfwyHR7x+EpKlPlw5WsfXVQAevRFxTM4rXhWK6JspLwPN0KenUlTpwNHJt8TBSot 41d1p/A2CC8v7AQuM2pPW4liDWCxkzvzOVJzu+Pr1zqAoKWzakKIkBQVIomT+8bWGdA4ZYL2Li0 AWHeD5BtAD01qZFlqLKeHQxCGavTK8vx/chetfbye66s=
X-Google-Smtp-Source: AGHT+IFkiCG2VWXvelDpgS6esX94vIuf0pDkroGMb236qboHsbo5NINjN5HTe0PwN37YvepD+h9lcA==
X-Received: by 2002:a05:6214:3109:b0:776:c8be:54e0 with SMTP id 6a1803df08f44-776c8be556amr86928256d6.4.1757988801094; Mon, 15 Sep 2025 19:13:21 -0700 (PDT)
Received: from smtpclient.apple ([2600:4040:252a:8d00:7c4a:b6f3:1ee7:d4c6]) by smtp.gmail.com with ESMTPSA id 6a1803df08f44-783c85f16a1sm28213756d6.14.2025.09.15.19.13.20 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 15 Sep 2025 19:13:20 -0700 (PDT)
From: Sean Turner <sean@sn3rd.com>
Message-Id: <007E0DC7-83FC-4424-8C98-E240C56D8E0B@sn3rd.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_B5EFDD85-34BB-45A9-AD55-58F43ECC709F"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3826.700.81\))
Date: Mon, 15 Sep 2025 22:12:59 -0400
In-Reply-To: <175710826468.831636.17610359058310470993@dt-datatracker-f7c8fdcb7-pjx77>
To: Benjamin Kaduk <kaduk@mit.edu>
References: <175710826468.831636.17610359058310470993@dt-datatracker-f7c8fdcb7-pjx77>
X-Mailer: Apple Mail (2.3826.700.81)
Message-ID-Hash: PB66RCD62YOZGMNLQYSBWQPJXJUCOEDK
X-Message-ID-Hash: PB66RCD62YOZGMNLQYSBWQPJXJUCOEDK
X-MailFrom: sean@sn3rd.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-secdir.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: secdir@ietf.org, draft-ietf-lamps-rfc5273bis.all@ietf.org, last-call@ietf.org, spasm@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [secdir] Re: draft-ietf-lamps-rfc5273bis-08 ietf last call Secdir review
List-Id: Security Area Directorate <secdir.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/K0F0V1RCplveaYpWfemmVzWbsdI>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Owner: <mailto:secdir-owner@ietf.org>
List-Post: <mailto:secdir@ietf.org>
List-Subscribe: <mailto:secdir-join@ietf.org>
List-Unsubscribe: <mailto:secdir-leave@ietf.org>

Thanks for your review. I created an issue to track this here (lots of sub-issues):
https://github.com/lamps-wg/cmcbis/issues/146

> On Sep 5, 2025, at 17:37, Benjamin Kaduk via Datatracker <noreply@ietf.org> wrote:
> 
> Document: draft-ietf-lamps-rfc5273bis
> Title: Certificate Management over CMS (CMC): Transport Protocols
> Reviewer: Benjamin Kaduk
> Review result: Has Issues
> 
> # secdir review of draft-ietf-lamps-rfc5273bis-08
> CC kaduk
> 
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG. These comments were written primarily for the benefit of the
> security area directors. Document editors and WG chairs should treat
> these comments just like any other last call comments.
> 
> The summary of the review is "on the right track".  This is in a certain sense
> a simple document, but it's also artifact of its predecessor's times, and
> given the current protocol ecosystem and level of understanding, there are a
> number of ways in which we can and should say more than RFC 5273 did.
> 
> Thank you for including section 3 with the changes since the previous RFC(s)!
> 
> I made a pull request with some additional editorial suggestions:
> https://github.com/lamps-wg/cmcbis/pull/123
> 
> ## Comments
> 
> ### Obsoletion
> 
> This document claims to make RFC 6402 obsolete, but really we can only handle
> Section 3 of that RFC.  I see that there are 5272bis and 5274bis documents
> in flight as well, which would collectively take care of all of 6402.  Perhaps
> we should have an RFC Editor note to highlight the situation and attempt to
> ensure that all three are published together with the joint obsoletion.

That is the plan! We got ‘em all on the same telechat and Deb can control when they are get pushed forward. Joe and I made sure to all three of the I-Ds include a 6402 obsoletion header.

> ### binary requests
> 
> In §4 (File-Based Protocol) there's a line about "When files are used to
> transport binary, Full PKI Request or Full PKI Response messages" and a table
> that lists four message types.  I'm not sure I understand what the "binary"
> maps to -- initially I thought that the comma was a typo and we're just
> clarifying that the Full PKI Request/Response use binary encodings, but then I
> started to wonder if "binary request or response" refers to the .p10 and .p7c
> formats.  For what it's worth, "binary" only appears in RFC 5727 in comments
> describing what's in the example message exchange, so I'm inclined to believe
> that "binary reqest/response" is not currently a CMC term of art.
> (I also kind of expect that the "simple" requests/responses, by nature of
> their file type, can only contain a single request/response and so there's no
> need to specifically state a requirement, which tends to support the theory
> that the comma is a typo.)

You’re right the “simple” requests/responses are single so there’s nothing to say about them - and .p10 is also binary (according to the Media Type registration) and implementations that support .p7c need to support binary (according to 8551).

s4.1 and s4.2 indicate binary and I am pretty sure that this was done to maintain feature parity there.  Would this be better:

OLD:

 When files are used
   to transport binary, Full PKI Request or Full PKI Response messages,
   there MUST be only one instance of a request or response message in a
   single file.


NEW:

 When files are used
   to transport Full PKI Request or Full PKI Response messages,
   there MUST be only one instance of a request or response message in a
   single file and the file MUST be binary encoded.

see: https://github.com/lamps-wg/cmcbis/pull/148

> ### File names
> 
> For the mail-based protocol (§5), we require that a file name be specified
> (either via Content-Type or Content-Disposition), but I'm failing to find any
> justification or motivation for why this filename is needed.  What is it
> supposed to be used for?

The only thing I can think of is that it helps with automation.  And, this is ancient history so I am basically guessing. Actually now that I jump all the way back to RFC 2797 (circa 2000), it has the same requirement. I’d be a little worried about dropping it at this point and breaking interop with whatever is out there. 

> ### HTTP
> 
> I hope that httpdir can take a look (I do not see a review request for them,
> though), as there may well be a lot to say about the HTTP usage here.
> 
> Specifying the specific response code 200 is probably not considered best
> practice for application specifications at this point.
> 
> (Specifying to use POST is good, though.)
> 
> I'm surprised we don't say anything about how to know what URL path to make
> the POST to, even to leave it out of scope.  (I suppose a similar thing could
> be said about the file-based protocol.)
> 
> Servers in general cannot expect support for any type of HTTP authentication,
> though perhaps it's reasonable to reiterate that here.  I might try to frame
> it as more of a declarative statement that CMC over HTTP is using HTTP solely
> as transport and does not expect to make use of HTTP functionailty such as
> X/Y/Z, though.
> 
> I'll also try to help the usage of HTTP terminology in my editorial PR (of
> particular note, the PKI Response section seemed to assume HTTP/1.x usage).

So we got Julian’s review:
https://mailarchive.ietf.org/arch/msg/spasm/gUelJ48nSiEULPvPBC89MbmLDFM/
We’ll start picking through it now.

> ### Replay considerations
> 
> I think the guidance about carefully considering environmental conditions (§9)
> applies at least as much to deployers of this protocol as to implementors, so
> we should probably update the target of our guidance here.
> (Perhaps this expands to "choose your implementation carefully" as well as
> "choose to implement".)

Would this work:

OLD:

Implementers of this protocol need to carefully consider environmental conditions before choosing whether or not to implement the senderNonce and recipientNonce attributes described in {{Section 6.6 of CMC-STRUCT}}.

NEW:

[Implementers/Deployers] of this protocol need to carefully consider environmental conditions before choosing whether or not to [implement/use] the senderNonce and recipientNonce attributes described in {{Section 6.6 of CMC-STRUCT}}.

See: https://github.com/lamps-wg/cmcbis/pull/152/

> ### Generally accepted principles of secure key management
> 
> It's a bit unfortunate that we are using such vague language about "strongly
> encouraged to consider generally accepted principles of secure key management"
> in the security considerations, but I'm not sure that I have a particular
> reference that I would suggest pointing to for discussion of these topics.

Agreed not entirely sure where I’d point.  In this context, it’s basically saying if you want to setup a protected channel between your EE and RA/CA you need to some extra work and don’t take short cuts.

> ### content shrouding
> 
> We have a nice note (§9) about using EnvelopedData to provide content
> shrouding in cases where TLS cannot be used.  But this is the security
> considerations section; we should talk about what the risks are and why one
> might want to have some kind of content shrouding at all (whether via TLS or
> EnvelopedData)!
> 
> It's also interesting to note that the phrasing is "EnvelopedData ... must be
> used" (lowerase must), which leaves it unclear whether there's an analogous
> requirement to use TLS when it's possible to use TLS.  Perhaps we're just
> saying that EnvelopedData is the only way to get content shrouding when TLS is
> not available, in which case we probably want to avoid a "must be used"
> construction.

This was really the point. I’d sugest changing it to:

OLD:

   In these instances,
   the Enveloped Data content type (Section 3.2.1.3.3 of [CMC-STRUCT])
   must be used to provide the same shrouding that TLS would have
   provided.

NEW:

   In these instances,
   the Enveloped Data content type (Section 3.2.1.3.3 of [CMC-STRUCT])
   provides the same shrouding that TLS would have provided.

see: https://github.com/lamps-wg/cmcbis/pull/161

> Content shrouding is not exactly available for the mail-based protocol, which
> should get a mention (and thus suggestion to use EnvelopedData there as well,
> or perhaps operationally ensure that SMTP is going over TLS).

I guess I’m somewhat confused by this comment. Since CMC uses CMS if you want to shroud it can use EnvelopedData (more on AuthEnvelopedData later), so this addresses all of the instances where you wouldn’t have had prior trust relationships.

No problem adding some text about running SMTP over TLS, but isn’t that addressed by para #2?

> And I guess the analogue for the file-based protocol is file permissions,
> which we don't currently talk about at all (we should).

I would be happy to add something, but what? Tracking via:
https://github.com/lamps-wg/cmcbis/issues/162

> ### TCP pipelining
> 
> I think that it is probably not safe to attempt to "pipeline" requests over a
> TCP connection (starting to send another request before the full response has
> been received to the first request), but we only implicitly at best cover this
> situation.  I'd suggest making a clear statement about whether or not the
> client needs to wait for the full response before making another request on
> the same connection.

Is this what you’re looking for:

OLD:

   Reusing one connection for multiple successive requests, instead of
   opening multiple connections that are only used for a single request,
   is RECOMMENDED for performance and resource conservation reasons.

NEW:

   Reusing one connection for multiple successive requests, instead of
   opening multiple connections that are only used for a single request,
   is RECOMMENDED for performance and resource conservation reasons.
   The client MUST wait for the full response before making another request
   on the same connection.

See: https://github.com/lamps-wg/cmcbis/pull/154

> ### reference classification
> 
> I think erratum3593 is not a normative reference, since we have incorporated
> all of its content into this document already.

see: https://github.com/lamps-wg/cmcbis/pull/156

> ## Nits
> 
> ### BER
> 
> Do we need a reference for BER? (X.690 presumably.)

sure, see: https://github.com/lamps-wg/cmcbis/pull/158

> ### AuthEnvelopedData
> 
> Is it okay to use AuthEnvelopedData as well as EnvelopedData?  Or is it not
> possible to do so based on the key-material situation?

I cannot think of a reason why we couldn’t, but this change isn’t small. It would require:
- a new sections in s3.2.1.3 of -rfc5272bis
- new figures in s5 of -rfc5272bis
- debate about whether EnvelopedData or AuthEnvelopedData is the “primary”
- debate about whether the encryptedPOP/decryptedPOP control should also change
- new algorithm requirements in -rfc5274bis

Will need to think about this one a bit. Tracking via:
https://github.com/lamps-wg/cmcbis/issues/159

Cheers,
spt

v2.37.1 | Report a Bug | By Email | System Status