[smime] draft-turner-additional-cms-ri-choices-00
Alfred Hönes <ah@TR-Sys.de> Fri, 09 October 2009 13:02 UTC
Return-Path: <A.Hoenes@TR-Sys.de>
X-Original-To: smime@core3.amsl.com
Delivered-To: smime@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D8A413A6A74 for <smime@core3.amsl.com>; Fri, 9 Oct 2009 06:02:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.244
X-Spam-Level: *
X-Spam-Status: No, score=1.244 tagged_above=-999 required=5 tests=[AWL=1.993, BAYES_00=-2.599, CHARSET_FARAWAY_HEADER=3.2, GB_I_INVITATION=-2, HELO_EQ_DE=0.35, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SBMm3ajdHfny for <smime@core3.amsl.com>; Fri, 9 Oct 2009 06:02:26 -0700 (PDT)
Received: from TR-Sys.de (gateway.tr-sys.de [213.178.172.147]) by core3.amsl.com (Postfix) with ESMTP id B6AA23A6A77 for <smime@ietf.org>; Fri, 9 Oct 2009 06:02:25 -0700 (PDT)
Received: from ZEUS.TR-Sys.de by w. with ESMTP ($Revision: 1.37.109.26 $/16.3.2) id AA204183406; Fri, 9 Oct 2009 15:03:26 +0200
Received: (from ah@localhost) by z.TR-Sys.de (8.9.3 (PHNE_25183)/8.7.3) id PAA13132; Fri, 9 Oct 2009 15:03:20 +0200 (MESZ)
From: Alfred Hönes <ah@TR-Sys.de>
Message-Id: <200910091303.PAA13132@TR-Sys.de>
To: turners@ieca.com, housley@vigilsec.com
Date: Fri, 09 Oct 2009 15:03:19 +0200
X-Mailer: ELM [$Revision: 1.17.214.3 $]
Mime-Version: 1.0
Content-Type: text/plain; charset="hp-roman8"
Content-Transfer-Encoding: 8bit
Cc: smime@ietf.org
Subject: [smime] draft-turner-additional-cms-ri-choices-00
X-BeenThere: smime@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: SMIME Working Group <smime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/smime>, <mailto:smime-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/smime>
List-Post: <mailto:smime@ietf.org>
List-Help: <mailto:smime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/smime>, <mailto:smime-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Oct 2009 13:02:27 -0000
Hello,
following Sean's kind invitation, I have taken a closer look at
draft-turner-additional-cms-ri-choices-00.
It has been observed that CRLs in many deployments are increasing
in size to an extent making their use unmanageable in various
messaging scenarios. The IETF has standardized two protocols
providing certificate verification information.
To make responses obtained via these protocols available for
inclusion in CMS messages in an interoperable manner, standardized
conventions are needed, and this draft aims at providing these.
As such, this is a useful addition to the CMS framework.
I support adopting this straightforward document, which should not
need much discussion, and it should b possible to ship it quickly
to the IESG for publication as a Standards Track RFC.
Editorials:
(1) Section 4 -- a typo, and an enhancement request
(1a)
Typo in the 1st line: s/unprotect/unprotected/
(1b)
Because of the commonality and the related flaw later on in the draft,
I suggest to add to the text in Section 4 a clause like:
| SCVP responses use the type CVResponse, identified by the OID
| id-ct-scvp-certValResponse, which both are defined in [SCVP].
After this addition, some subsequent text might be shortened.
(This is a MAY !)
(2) Section 4.2 and Appendix A.1 -- inconsistency
Apparently, there has been a shift in the design; now the idea is
to assign new OIDs all under the id-ri branch, and not to 'recycle'
id-ct-scvp-certValResponse immediately for Unprotected SCVP Responses.
However, this shift has not been completed consistently in the draft
text; the next detail most likely is a result of this incomplete
change.
In Section 4.2, the first paragraph and the subsequent definition
do not match and this inconsistency leads to an inappropriate
citation:
To carry an unprotected SCVP response, the otherRevInfoFormat is set
| to id-ct-scvp-certValResponse, which has the following ASN.1
^^^^^^^^^^^^^^^^^^^^^^^
| definition [SCVP]:
^^^^^^^
! id-ri-unprotected-scvp-response OBJECT IDENTIFIER ::= { id-ri TBD }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Following the naming style in 4.1.*, this should perhaps read:
To carry an unprotected SCVP response, the otherRevInfoFormat is set
| to id-ri-unprotected-scvp-response, which has the following ASN.1
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
| definition:
id-ri-unprotected-scvp-response OBJECT IDENTIFIER ::= { id-ri TBD }
Note:
It would indeed have made some sense to keep
id-ct-scvp-certValResponse for this purpose,
but the uniform use of id-ri would be lost this way.
Even worse, the last OID definition in A.1 does not match
Section 4.2 either, introducing yet another name, which does
not appear anywhere else in the draft:
| id-ri-scvp-certValResponse OBJECT IDENTIFIER ::= { id-ri TBD }
^^^^^^^^^^^^^^^^^^^^^^^^^^
I strongly propose to use id-ri-unprotected-scvp-response as well.
Note:
A.2 indeed uses, consistent with the definition in 4.2 (but not
the prose, as shown above):
| id-ri-unprotected-scvp-response OBJECT IDENTIFIER ::= { id-ri TBD }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Please ensure consistency of the OID names.
(3) Appendix A -- comment
The draft says:
Appendix A.1 provides the normative ASN.1 definitions for the
structures described in this specification using ASN.1 as defined in
[X.680] for compilers that support the 1988 ASN.1.
Appendix A.2 provides informative ASN.1 definitions for the
structures described in this specification using ASN.1 as defined in
[X.680], [X.681], [X.682], and [X.683] for compilers that support the
2002 ASN.1. This appendix contains the same information as Appendix
A.1 in a more recent (and precise) ASN.1 notation, however Appendix
A.1 takes precedence in case of conflict.
That's a really nice description.
Should the WG adopt this text as boilerplate for future documents --
as long as we still hesitate to fully shift to the 'new' ASN.1 ?
Kind regards,
Alfred Hönes.
--
+------------------------+--------------------------------------------+
| TR-Sys Alfred Hoenes | Alfred Hoenes Dipl.-Math., Dipl.-Phys. |
| Gerlinger Strasse 12 | Phone: (+49)7156/9635-0, Fax: -18 |
| D-71254 Ditzingen | E-Mail: ah@TR-Sys.de |
+------------------------+--------------------------------------------+
- [smime] draft-turner-additional-cms-ri-choices-00 Alfred Hönes
- Re: [smime] draft-turner-additional-cms-ri-choice… Sean Turner