Re: [lamps] Murray Kucherawy's No Objection on draft-ietf-lamps-lightweight-cmp-profile-18: (with COMMENT)

"Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com> Wed, 14 December 2022 08:30 UTC

From: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
To: Murray Kucherawy <superuser@gmail.com>, The IESG <iesg@ietf.org>
CC: "draft-ietf-lamps-lightweight-cmp-profile@ietf.org" <draft-ietf-lamps-lightweight-cmp-profile@ietf.org>, "lamps-chairs@ietf.org" <lamps-chairs@ietf.org>, "spasm@ietf.org" <spasm@ietf.org>, "housley@vigilsec.com" <housley@vigilsec.com>
Date: Wed, 14 Dec 2022 08:30:29 +0000
Message-ID: <GV2PR10MB62106D9F748CEA4BA9EA638EFEE09@GV2PR10MB6210.EURPRD10.PROD.OUTLOOK.COM>
References: <167091047171.45635.975609146244768236@ietfa.amsl.com>
In-Reply-To: <167091047171.45635.975609146244768236@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/57bqaUQjRT1u2AjomYU1NC_XzvA>
Subject: Re: [lamps] Murray Kucherawy's No Objection on draft-ietf-lamps-lightweight-cmp-profile-18: (with COMMENT)

Murray

Thank you for your review and for your comments.
I will need to discuss your generic comment on the usage of SHOULD with the co-authors and will come back to you with a response.
Maybe the scope of the document must be explained a bit more. This profile on the one hand intends to reduce the flexibility of CMP to the generic needs of automated certificate management of machine end entities. On the other hand, it is still a framework that is supposed to be further profiled by those having a specific use case or scenario in mind, for example by 3GPP/ETSI or UNISIG. Therefore, there is still some freedom to serve the needs of the final target environment.

Hendrik

> Von: Murray Kucherawy via Datatracker <noreply@ietf.org>
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> Section 1.7 uses a SHOULD NOT before that expression is defined in Section
> 1.9.
> 
> The bulk of the SHOULDs in this document would benefit from review and
> possible tuning.  SHOULD presents a choice for the implementer; it would be
> helpful to include with that choice some guidance about when one might
> legitimately deviate from what's stated.  If SHOULD is being used as "you
> really oughta do this, but you don't really have to and things will
> interoperate just fine", it doesn't deserve SHOULD; if what you mean is "yes
> you have to do this from now on, but we're retaining backward compatibility
> here" then it should say that explicitly.  In other cases, I wonder if you
> don't really mean MUST.
> 
> For instance, in 3.1, you have this:
> 
>     -- SHOULD contain a name representing the originator of the
>     --   message; otherwise, the NULL-DN (a zero-length
>     --   SEQUENCE OF RelativeDistinguishedNames) MUST be used
> 
> Looks great; I have no wiggle room.  Then you have this:
> 
>     -- SHOULD be the subject of the CMP protection certificate, i.e.,
>     --   the certificate corresponding to the private key used to
>     --   sign the message
> 
> Well, what if I don't do that?  Does anything break?  Can I just put whatever
> in there and everything still works?  If nothing breaks, why isn't this "MAY"
> or something that doesn't use a BCP 14 keyword?  If something breaks, why
> isn't this a MUST?
> 
> In 3.4:
> 
> "Each EE SHOULD know its own identity to fill the sender field."
> 
> What happens if I don't?  And what interoperability aspect fails if I don't
> know my own identity?  Should this be better expressed as "Each EE SHOULD
> fill the sender field with its own identity?"  Why isn't that a MUST?
> 
> The two SHOULDs at the bottom of 3.5 seem suspect too.  Since you're giving
> me a choice, I'm within specifications to consider the input valid if all of
> those tests fail.  Is that what's intended?
> 
> I'm not going to get into any of them past the bottom of Section 3, but
> hopefully you can see what I'm getting at.  I would typically DISCUSS this
> pattern, but since I'm so late to the party, I'll leave it to Roman to decide
> how much this observation weighs on the strength of the document.
> 
>
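The two sender-field rules quoted from Section 3.1 above, turned into a receiver-side check so the consequence of SHOULD versus MUST is visible (an added example, not code from the draft or its authors): the NULL-DN is accepted under the MUST clause, a name equal to the protection certificate's subject is accepted, and a mismatch is rejected only when the receiver chooses to treat the SHOULD as a MUST. Assumed: both Names arrive DER-encoded and are compared byte-for-byte (the full RFC 5280 Section 7.1 name-matching rules are not implemented); the CN values and the helper names are constructed for this example.

```python
from dataclasses import dataclass

# DER of a Name holding an empty SEQUENCE OF RelativeDistinguishedName (the NULL-DN).
NULL_DN = bytes.fromhex("3000")

def der_sequence_payload(der: bytes) -> bytes:
    """Return the content octets of one DER SEQUENCE (short and long length forms)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:
        length, start = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("bad length encoding")
        length, start = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if start + length != len(der):
        raise ValueError("length does not match data")
    return der[start:]

@dataclass
class SenderCheck:
    accepted: bool
    reason: str

def check_sender(sender_der: bytes, protection_subject_der: bytes, strict: bool = True) -> SenderCheck:
    """Apply the profile's two sender rules; 'strict' treats the SHOULD as a MUST."""
    if len(der_sequence_payload(sender_der)) == 0:
        return SenderCheck(True, "NULL-DN: no originator name, permitted by the MUST clause")
    # Assumption: byte-for-byte comparison of two DER Names (not RFC 5280 7.1 matching).
    if sender_der == protection_subject_der:
        return SenderCheck(True, "sender equals protection certificate subject")
    if strict:
        return SenderCheck(False, "sender differs from protection certificate subject")
    return SenderCheck(True, "mismatch tolerated: SHOULD gives no basis to reject; log it")

def der_tlv(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder for content shorter than 128 octets (sample data only)."""
    if len(content) >= 0x80:
        raise ValueError("long-form length not needed for the samples")
    return bytes([tag, len(content)]) + content

def name_with_cn(cn: str) -> bytes:
    """Constructed sample Name with a single RDN: CN=<cn> as UTF8String (OID 2.5.4.3)."""
    atv = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("550403")) + der_tlv(0x0C, cn.encode()))
    return der_tlv(0x30, der_tlv(0x31, atv))
```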