Re: [secdir] secdir review of draft-ietf-pkix-tamp-05
Russ Housley <housley@vigilsec.com> Mon, 01 March 2010 15:47 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BE83B28C3D5; Mon, 1 Mar 2010 07:47:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.339
X-Spam-Level:
X-Spam-Status: No, score=-102.339 tagged_above=-999 required=5 tests=[AWL=0.260, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PHb+MsQPC0Px; Mon, 1 Mar 2010 07:47:57 -0800 (PST)
Received: from odin.smetech.net (mail.smetech.net [208.254.26.82]) by core3.amsl.com (Postfix) with ESMTP id C1DD328C3C1; Mon, 1 Mar 2010 07:47:57 -0800 (PST)
Received: from localhost (unknown [208.254.26.81]) by odin.smetech.net (Postfix) with ESMTP id D35E79A4726; Mon, 1 Mar 2010 10:48:11 -0500 (EST)
X-Virus-Scanned: amavisd-new at smetech.net
Received: from odin.smetech.net ([208.254.26.82]) by localhost (ronin.smetech.net [208.254.26.81]) (amavisd-new, port 10024) with ESMTP id qtZJxkRjKwJW; Mon, 1 Mar 2010 10:47:54 -0500 (EST)
Received: from [192.168.2.106] (pool-96-255-37-236.washdc.fios.verizon.net [96.255.37.236]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by odin.smetech.net (Postfix) with ESMTP id 16EBC9A471B; Mon, 1 Mar 2010 10:48:11 -0500 (EST)
Message-ID: <4B8BE1B3.2010601@vigilsec.com>
Date: Mon, 01 Mar 2010 10:48:03 -0500
From: Russ Housley <housley@vigilsec.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.7) Gecko/20100111 Thunderbird/3.0.1
MIME-Version: 1.0
To: Glen Zorn <gwz@net-zen.net>
References: <00c101cab945$18bf9090$4a3eb1b0$@net>
In-Reply-To: <00c101cab945$18bf9090$4a3eb1b0$@net>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: cwallace@cygnacom.com, secdir@ietf.org, srashmo@radium.ncsc.mil, iesg@ietf.org, pkix-chairs@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-pkix-tamp-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Mar 2010 15:47:58 -0000
Glen: > I have reviewed this document as part of the security directorate's ongoing > effort to review all IETF documents being processed by the IESG. These > comments were written primarily for the benefit of the security area > directors. Document editors and WG chairs should treat these comments just > like any other last call comments. > > > EDITORIAL COMMENTS > > Section 1.2.2 says: > Management trust anchors are used in the management of cryptographic > modules. For example, the TAMP messages specified in this document > are validated to a management trust anchor. Likewise, a signed > firmware package as specified in [RFC4108] is validated to a > management trust anchor. > This might be better put as > Management trust anchors are used in the management of cryptographic > modules. For example, the TAMP messages specified in this document > are validated by a management trust anchor. Likewise, a signed > firmware package as specified in [RFC4108] is validated by a > management trust anchor. The point is that the certification path must terminate at the management trust anchor. This is accomplished when the signature can be validated directly with the management trust anchor public key, but it is also accomplished when the top-level certificate in a valid certification path is the management trust anchor. The phrase "validated to" is intended to reflect this situation. > In Section 1.3.4, s/The application-specific protocol processing MUST be > provided the/The application-specific protocol processing MUST provide the/ Thanks for catching that mistake. > Section 3, paragraph 3 says "Certificates include a signature, which removes > the ability for relying parties to". Just a question: should "relying" in > the sentence actually be "relaying"? In any case, "ability for" should > probably be changed to "ability of". No, this is correct. Parties that validate certificates and then depend upon the stuff in the certificate are called "relying parties." > Suggestion: Section 4.4 says in two places "The status codes appear in the > same order as the TrustAnchorUpdate structures to which they apply"; maybe > "The status codes MUST appear in the same order as the TrustAnchorUpdate > structures to which they apply" would be clearer. That is a good improvement. > In Section 7, s/if the signer is not representated/if the signer is not > represented/. Thanks for catching that mistake. > The Security Considerations section is remarkably clear and comprehensive. Thanks. Russ