Re: [secdir] Secdir review of draft-housley-ct-keypackage-receipt-n-error-05

[Russ Housley <housley@vigilsec.com>]

Radia:

Thanks for the very insightful review.  Please see my comments below.

> I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.
> 
>  
> 
> This document defines a syntax for two Cryptographic Message Syntax (CMS) content types that can be used in responses to messages containing key packages. One is for acknowledging receipt and the other is for reporting errors. The exact syntax is unimportant to security and the message purpose seems sensible and non-controversial.
>  
> A few thoughts (mostly on procedural rather than technical issues):
>  
> In addition to defining the key-package-receipt and key-package-error content types, this document defines a KeyPkgIdentifierAndReceiptReq attribute. It wasn’t clear (at least to me) whether this document was also defining this attribute or whether this information was included in this document for the purpose of providing context.

The KeyPkgIdentifierAndReceiptReq attribute is included in a key package to request a receipt for that package.

> The document defines a long list of error codes with the comment “Expect additional error codes” without specifying a mechanism for additional error codes to be defined. It also says that there are no IANA considerations, but I would assume that IANA would operate the registry for things like the error codes listed here. If not IANA, where would the definitive registry be?

I do not think that an IANA registry is the way to go here.  An additional specification is needed to publish the ASN.1 module with the additional values.  The ASN.1 module in this specification includes:

	         ... -- Expect additional error codes  -- }

so that receipt of a value in this list does not cause a decode error.


> The KeyPkgReceiptReq includes a specification as to where to send the receipts, and that specification is a sequence of distinguished names. There is no specified limit on the number of distinguished names and no stated requirement that the names have any relation to the sender of the Key Package. This potentially represents a denial of service amplification engine.

Good point.  I will add a sentence to the Security Considerations to warn implementers.

> There is no indication that the key package identifier be unguessable or tied cryptographically to the key package contents. As a result, there is the potential that an attacker could stop delivery of a key package and send his own substitute key package with the same identifier. This would result in the recipient acknowledging a key package that he did not in fact receive. This could potentially confuse the sender about the state of the exchange.

This is a very good point.  In S/MIME, the receipt includes the signature of the signer to avoid this concern.  In that environment, a mail list agent might add a signature, but the original signature remain in place.

In this situation, there are senders, intermediaries, and recipients.  An intermediary might appear to be the signer to some recipients.  So, the S/MIME approach cannot be used directly.

> minor typo? The last line of page 5 says “which receivers of the key package are expected to return receipts”. I believe that should read “which receivers of the key package are requested to return receipts”.

This will be corrected in -07.

Russ