Re: [secdir] [EXTERNAL] Secdir last call review of draft-ietf-lamps-ocsp-nonce-update-04
Himanshu Sharma <himanshu@netskope.com> Thu, 04 April 2024 19:03 UTC
Return-Path: <himanshu@netskope.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B02BAC151991 for <secdir@ietfa.amsl.com>; Thu, 4 Apr 2024 12:03:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.091
X-Spam-Level:
X-Spam-Status: No, score=-2.091 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=netskope.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p5U9ga-eKesf for <secdir@ietfa.amsl.com>; Thu, 4 Apr 2024 12:03:55 -0700 (PDT)
Received: from us-smtp-delivery-117.mimecast.com (us-smtp-delivery-117.mimecast.com [170.10.133.117]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D653C16943D for <secdir@ietf.org>; Thu, 4 Apr 2024 12:00:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=netskope.com; s=mimecast20210603; t=1712257238; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=n1EQUfl8c6eqvBa0ncxcsGyeOPAlW2pYizwBhRXrAQw=; b=W97HUCGWmlz3fn9afd8HJUxHNvD9R6qrXN7Ka4TpyEfznKcYFoDAnn7JJzbRP5f/hm45nz ffyd52XYltlZVPfDZPpE5DAPON6HlnToR8r1Y505ITpmT0TJNABwYszPgWjfumPDn/B7Xp LV7fAdKbXGBsyyrMSXkQVpVHhoEJWqU=
Received: from mail-il1-f200.google.com (mail-il1-f200.google.com [209.85.166.200]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-632-0FWhqAV4O1ar7ITVfk7pWQ-1; Thu, 04 Apr 2024 14:58:37 -0400
X-MC-Unique: 0FWhqAV4O1ar7ITVfk7pWQ-1
Received: by mail-il1-f200.google.com with SMTP id e9e14a558f8ab-369eedd4b5bso12388585ab.1 for <secdir@ietf.org>; Thu, 04 Apr 2024 11:58:37 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712257117; x=1712861917; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=LEa47kLoANlRxNPdMHHUJtPgYPIwdLD2+tM2q4I9Ics=; b=nxs25iFiut0JIbaljYW8wyAem9GPlxz5Vms8HwgvpRfpTYkjhPro6WVFshUrTjtTCe 4RSfNQD/dxL+wgeNbFco9vjmt1Ys6PWjM+F1TN4ZtIzPsqSJ/KAuKKJB/S8veJxdwUa8 p+vslSnu1Zj7x9YRlqKeqZci6CXmCAdrJ/Y8d8DHsNsTQ7FMMgDQJdbciTXtTY5E2aeS fcs7xqcU7DEqMg1offwZw3la0bpH5FXqsM/Jzw4+xOcmr80Aw9FLRlGdTb4Ee8GpGl+j ebvDtAGwkQcwe9UReamvhsR2I4XImAHFP5yqV7hGEjQN5Ng6qNI+EXMxyQc+kF4cHJSz UpVA==
X-Gm-Message-State: AOJu0Yx2d81TaUxXTxH3IlBIOvHSZsvlaGa+eM7KLKNtnuqq21xHMG5N qE4Yr7bp8JhNSUx5kfZj+uCozSmNL6MDdNT1UO26QmvqTjt2eiuP0gCah188RytwDHBuydyZL3M RhS9pxhezKw628aI/A3FesqlewjFFsC4a2Jb9DqTAXACiwSLzTVP4PdIq0ZhxXDyG24CH3JbMyE Yk2TSF/tcs+FlqYAcbqGd/
X-Received: by 2002:a05:6e02:1449:b0:366:b3e4:a0e3 with SMTP id p9-20020a056e02144900b00366b3e4a0e3mr341822ilo.3.1712257116928; Thu, 04 Apr 2024 11:58:36 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IH/cGovWmf7AGhzbcSelhLIRDKn+Rd0o/6JGMNImn0WsWX+yh2N68v3Y10j9R/D0RRWHAjFzAfTu/BH
X-Received: by 2002:a05:6e02:1449:b0:366:b3e4:a0e3 with SMTP id p9-20020a056e02144900b00366b3e4a0e3mr341808ilo.3.1712257116555; Thu, 04 Apr 2024 11:58:36 -0700 (PDT)
Received: from netskope.com ([163.116.131.244]) by smtp-relay.gmail.com with ESMTPS id e4-20020a056e020b2400b0036a001133edsm103232ilu.15.2024.04.04.11.58.36 for <secdir@ietf.org> (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 04 Apr 2024 11:58:36 -0700 (PDT)
X-Relaying-Domain: netskope.com
Received: by mail-pg1-f199.google.com with SMTP id 41be03b00d2f7-5dbddee3694so762015a12.1 for <secdir@ietf.org>; Thu, 04 Apr 2024 11:58:35 -0700 (PDT)
X-Received: by 2002:a17:902:d344:b0:1de:f0f0:90ac with SMTP id l4-20020a170902d34400b001def0f090acmr441298plk.11.1712257115177; Thu, 04 Apr 2024 11:58:35 -0700 (PDT)
X-Received: by 2002:a17:902:d344:b0:1de:f0f0:90ac with SMTP id l4-20020a170902d34400b001def0f090acmr441271plk.11.1712257114749; Thu, 04 Apr 2024 11:58:34 -0700 (PDT)
MIME-Version: 1.0
References: <171191291059.15585.6093566049458714751@ietfa.amsl.com>
In-Reply-To: <171191291059.15585.6093566049458714751@ietfa.amsl.com>
From: Himanshu Sharma <himanshu@netskope.com>
Date: Thu, 04 Apr 2024 11:58:23 -0700
Message-ID: <CAL9pJ7m=FWWwmXt0qBE_EAYtj19HRBDpnUdgq1rvOBpw37xJeg@mail.gmail.com>
To: Joseph Salowey <joe@salowey.net>
Cc: secdir@ietf.org, draft-ietf-lamps-ocsp-nonce-update.all@ietf.org, last-call@ietf.org, spasm@ietf.org
x-netskope-inspected: true
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: netskope.com
Content-Type: multipart/alternative; boundary="000000000000173d80061549edcd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/wq2f7jaKNcpVu49OyJlyfarGtys>
Subject: Re: [secdir] [EXTERNAL] Secdir last call review of draft-ietf-lamps-ocsp-nonce-update-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Apr 2024 19:03:58 -0000
Hi Joseph, As discussed offline, explained and agreed upon the reason for choosing the 32 bytes primarily for backward compatibility, and explained about the behavior of ocsp client in case of response that doesn't contain nonce from responder. I have updated the ID ( https://datatracker.ietf.org/doc/draft-ietf-lamps-ocsp-nonce-update/05/) according to your and other reviewr's suggestions. Russ helped in verification of ASN.1 modules and it compiles fine. I believe it satisfies all the outstanding questions. Please let me know if there are still any outstanding questions that I can answer in order to get the approval. Thanks Himanshu On Sun, Mar 31, 2024 at 12:21 PM Joseph Salowey via Datatracker < noreply@ietf.org> wrote: > Reviewer: Joseph Salowey > Review result: Has Issues > > I have reviewed this document as part of the security directorate's > ongoing effort to review all IETF documents being processed by the > IESG. These comments were written primarily for the benefit of the > security area directors. Document editors and WG chairs should treat > these comments just like any other last call comments. > > The summary of the review is has issues. I'm probably just missing some > history/context, here are the items that stood out. > > 1. The document states "An OCSP client that implements this document > SHOULD use > a minimum length of 32 octets for Nonce octets in the Nonce extension." > How > was the minimum of 32 bytes chosen? This seems like it might be longer than > necessary. Is there a security reason for this or a different reason? > Later in > the document it states receiver MUST accept at least 16 octets. > > 2. In addition, the SHOULD should say when it is acceptable not to follow > it. > When is it OK for an implementation to send less than 32 bytes? For > example, > you could rephrase this as "clients MUST use a minimum length of 32 octets > unless they are configured to interoperate with a OCSP responder that > requires > a shorter nonce length or ... ". Also if a client uses more than 32 bytes > their request may be ignored. > > 3. An 8954 server will respond to greater than 32 octet nonce with a > malformedRequest. The client can report this and indicate that perhaps it > needs > to be configured to talk to an 8954 server. The text goes further to say > that > the server MAY ignore nonces greater than 32 and less than 16 octets. Does > this > mean that the response does not contain the nonce? What should the client > do in > this case? Why even allow responders to ignore a nonce that is greater > than 32 > octets? > > 4. I took a look at the ASN.1, it looks OK to me, but I'm a bit rusty. I > assume > that it was reviewed by the working group, it not then someone with more > recent > ASN.1 experience should look at it. > > >
- [secdir] Secdir last call review of draft-ietf-la… Joseph Salowey via Datatracker
- Re: [secdir] [EXTERNAL] Secdir last call review o… Himanshu Sharma
- Re: [secdir] [EXTERNAL] Secdir last call review o… Himanshu Sharma
- Re: [secdir] [EXTERNAL] Secdir last call review o… Joseph Salowey