[lamps] AD Review of draft-ietf-lamps-cmp-updates-17
Roman Danyliw <rdd@cert.org> Fri, 04 February 2022 19:25 UTC
Return-Path: <rdd@cert.org>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BBE933A2064 for <spasm@ietfa.amsl.com>; Fri, 4 Feb 2022 11:25:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=seicmu.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FkBJF8aoRciE for <spasm@ietfa.amsl.com>; Fri, 4 Feb 2022 11:25:41 -0800 (PST)
Received: from USG02-CY1-obe.outbound.protection.office365.us (mail-cy1usg02on0098.outbound.protection.office365.us [23.103.209.98]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 917FD3A2062 for <spasm@ietf.org>; Fri, 4 Feb 2022 11:25:40 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=LfqiDZ/fE6Eqmn1xx3/G6Iim4g1ZdB0x6GNEJANIwQ9hctyKMWK7etTM/amN50AH2bAN4yEbXXzUFe0M5aQyqOSZqwAC4ynctxtbTxffIv09e/gB8rwOFTwolAmKtezxhQGrMw5VnWRQb/Lxd5A5XwzoS7qhSnWkM5xkOjXe3OsyHVde0VB9dDpPW9HJq0y7NbVT0DDiavinq4P/e7laY2A8lWEPTdj1WVjLgxnByyjQ6w4lONFsa/gn+VjYehq3Acx8XVw1ageDrvnax38f8dqCB4P3FrIlji8Z508fc/sGl8rayyL44wEe2cKBmaA2EUClKJDK0sv4cuZR09zgQw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=TtL2f9tiHglJXIwFVwwFoM2Vnj3ZVoUOxsagm6ISdWY=; b=Xt/ALpprFT+PB+vP+XyYRWRN4OkdIqEg+PJ4ynIRpIzMhfBvPY7cD542uEguuiLCYxyKWipg9hsvM1EIk0+md1WEKzbDWz79Ko2fkCZt9WenQ+5bkL6Em3Y9JxenY4wzevwUlhvtLc4yf4jFLPCYvK5IwQOdIOHdKGN0EdKLGhgL12YtpGWYXLeX19dgCSVHYGf7DXO+raxoWstCI+EImdjRq/gRMJAyl2VRCGNJN9RPQOz9+lN+SRhbODz6NIDvn0WF+Nug+em+oy/YzlPUY2H3G2I6/PUavS2oEX105J3KcV8ajRM1aiYoFl60SSwdfbYfaQG7yP+fZc4UwEBD5Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=seicmu.onmicrosoft.com; s=selector1-seicmu-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=TtL2f9tiHglJXIwFVwwFoM2Vnj3ZVoUOxsagm6ISdWY=; b=A3QZzCNDx6kL4IVDJz3aerPhucLy7uzA32Kwo+FrXrcxeGiTgXKomB/Ca6rfa/jRran5BeRpDAbgH7KBz4/LAag5lEt0xPdfwb0GxPqlOuHN0Ldpw1AguTXXH7Yz/iH9tvJoGJSZZJsNwOOVd78N3OspqjnZWxrPzjwFL06cexg=
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:168::11) by BN2P110MB1526.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:178::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4951.12; Fri, 4 Feb 2022 19:25:38 +0000
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::45f0:b470:9c74:ef6e]) by BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::45f0:b470:9c74:ef6e%3]) with mapi id 15.20.4930.022; Fri, 4 Feb 2022 19:25:38 +0000
From: Roman Danyliw <rdd@cert.org>
To: "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: AD Review of draft-ietf-lamps-cmp-updates-17
Thread-Index: AdgZ/HRkFGx9IcAWSKWt6zqR92o3Cg==
Date: Fri, 04 Feb 2022 19:25:37 +0000
Message-ID: <BN2P110MB110706B084BDD4E8B3D698CADC299@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cert.org;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 783fc164-d428-41de-56de-08d9e8141fd5
x-ms-traffictypediagnostic: BN2P110MB1526:EE_
x-microsoft-antispam-prvs: <BN2P110MB1526829A58FE348AAADF6B48DC299@BN2P110MB1526.NAMP110.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:8882;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 10uvMjY/IdCBsEnwUq50z1YxKnc2UI3JW1NJc3BfrU036zc7WZY7VFRk03MNDnlpm4MaF9m4hmo7a+er5HJsLpkdtOUb5MF4KCtp20owka46sNoH7KRKn6JNl1ixYz1jNCOgSjcf45Yh+OtYe5iITrY+WRml19eeca9GKVAkt8qkCYqcnJ+bo4XxrqdsydtyFlKlu+yT16Xi71xvZOeYkjsHTOtB+N9Mkb+Xq7cS9UPDtmd+v48DxO7YLRCu2tIbimIOqUvruH+W6xhLa2LlX2a8il4y26EeHYqTOWdXy3zCat7K6Pg2J1RV51aqihwRnrjZuEx8vol0REVNJWiIQy04yuY/cophqAoJRX7LG5AxFmTHkv91xkzvP1LMIV8cBVkKObS9up5Mbv9eqslWN92bc+AmJKcN88vfwp1v7VNJsIpvUUYHJPAuvMP8kaz3RoC0InSGeuK575TBPa7NSyJVTTYZg7ZMi7BJq139QMGXtzzyKWL+p5W7UdtcfEdiH0EHi1X+olb0a/UP14qFFvdm5mkPzT2pxrSHQTOUY7n6KXvpurjJAsfX75eCyNYChPZ9hgDZC8ZOnK9unpB6n41Vs2BxNVYd75X01kXRGeCHg+0aRS0vsobw3l6EIbQtKsd21PCIUSHxqxs/orcIOWitWquQRoGhnfC4fV7mOiuADEL8QNSUkE9vMaiP+xeNYxJcKG9+DBjbUbhNQl1YVg==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230001)(366004)(122000001)(38100700002)(38070700005)(66556008)(86362001)(76116006)(66476007)(66946007)(64756008)(6916009)(55016003)(8936002)(8676002)(82960400001)(2906002)(66446008)(52536014)(15650500001)(5660300002)(83380400001)(26005)(186003)(498600001)(7696005)(9686003)(71200400001)(6506007)(33656002)(16799955002); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: BYKVVFZjTiSRZpv7yIPz+xANKxt3ietoJQVbGGrUoIELEW4zNAf8qlg/cjlmpRBOdwpJ8/iTzU8WC61+nlDMJkY/zqcoHJ4z7FicN50yaGLbjJcvHlKUjVgXWTqwBhK76MZkui+JgjBBTFaTTQTVTg==
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 783fc164-d428-41de-56de-08d9e8141fd5
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Feb 2022 19:25:38.0076 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN2P110MB1526
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/5yAA3RADNiqNRwvDe_8GCg3Q-WY>
Subject: [lamps] AD Review of draft-ietf-lamps-cmp-updates-17
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Feb 2022 19:25:44 -0000
Hi! I performed an AD review on draft-ietf-lamps-cmp-updates-17. Thanks for this update to CMP and the careful edits this required. My feedback is below. ** I predict that the IESG will have strong feedback on number OLD/NEW style updates this text is performing on RFC4120 and the complexity in trying to understand how to apply them; and to a much lesser degree the same feedback on RFC6712. Can the rational for this "patch-style" approach instead of publishing a new bis document(s) be documented in this thread and/or in the shepherd report. ** Thanks for addressing RFC4210's errata . How should #5731 be handled (https://www.rfc-editor.org/verify_errata_select.php?eid=5731)? ** Section 2.2. Editorial. OLD The mechanism to prove this delegation explained in this section offers an automatic way of checking the authorization of such delegation. NEW This section provides a mechanism to both prove this delegation and enable an automated means for checking the authorization of this delegation. ** Section 2.6. Editorial. s/or add new extensions/or adds new extensions/ ** Section 2.6. Per "the RA MUST set the POP RAVerified", is there a missing word here. Perhaps set the POP <field/structure> to RAVerified? ** Section 2.6 The RA collects several messages that are to be forwarded in the same direction and forwards them in a batch. In communication to the CA request messages and in communication from the CA response or announcement messages will be collected. I'm having trouble following the guidance. The first sentence seems to be talking about batching messages in the same direction. I think this means things sent from the RA-to-the-CA; or from the CA-to-the-RA. However, the second sentence doesn't seem to parse. Is this second sentence the equivalent of saying: NEW Either the CA request messages from the RA, or the CA response and announcement messages can be collected and forwarded as a batch? ** Section 5.2.2. Should "Therefore, it is recommended to use EnvelopedData" used the normative "RECOMMENDED" language? ** Section 2.9. Editorial. s/neither in the OID nor in the parameters/either in the OID or in the parameters/ ** Section 2.18. Typo. s/.././ ** Section 2.22. For the case of a PKI management operation that delivers a new trust anchor (e.g., a root CA certificate) using caPubs or genm (a) that is not concluded in a timely manner What circumstance is this describing? ** Section 2.22 For other cases it is recommended to (a) use a shared secret information of possibly low security strength (e.g., a password) only for a single PKI management operation (b) use a shared secret information with an entropy that at least matches the security strength of the key material being managed by the operation. This seems written like it endorses a risky practice. Perhaps: NEW The shared secret information should have an entropy that at least matches the security strength of the key material being managed by the operation. Certain use cases may require the use of a low security strength (e.g., a human generated password) secret information. It is recommended that such secret information be limited to a a single PKI management operation. ** Section 2.23 The provider of trust anchors, which typically will be an RA involved in configuration management of its clients, MUST NOT include to-be- trusted CA certificates in a CMP message unless it can take responsibility for making the recipient trust them. When doing so, it MUST exert the same due diligence as for its own trust anchors. Could the words around "making the recipient trust them" be clarified? I'm struggling to understand how the "RA can take responsibility" for end-point behavior beyond conveying the new configuration. Is the intent: NEW A provider of trust anchors, which typically will be an RA information in configuration management of its clients, MUST not include to-be-trusted CA certificates in a CMP message unless the specific deployment scenario can ensure that the receiving end-point can successful load these anchors into the appropriate trust store. Per the second sentence "When doing so ...", could the intent of the "due diligence" be clarified? I'm assuming that the RA exercises some kind of care in loading an initial set of anchors. Is this text is repeating that whatever it did last time it should do again for these new trust anchors? My thought would have been that this would have been left to local policy and configuration. ** Section 2.23 Moreover, the EE MUST verify that the sender is an authorized source of trust anchors. This authorization is typically indicated using shared secret information or with a signature-based message protection using a certificate issued by a PKI that is explicitly authorized for this purpose. Would local policy also play a role in this authorization decision? ** Section 2.24. Add the following paragraphs after the third paragraph of the section: Shouldn't this text replace the fourth paragraph, "No further action by the IANA is necessary for this document or any anticipated updates."? ** Section 2.25. Editorial. s/For use of EnvelopeData/When EnvelopeData is used/ ** Section 2.25 When using EnvelopedData the localKeyId attribute as specified in RFC 2985 [RFC2985] and when using EncryptedValue the valueHint field MAY contain a key identifier Isn't the use of localKeyId (EnvelopedData) and valueHint (EncrypedValue) mutually exclusive? Is so, the text should likely read: NEW Either the localKeyId attribute of EnvelopedData as specified in RFC 2985 [RFC2985] or the valueHint field of EncryptedValue MAY contain a key identifier ... ** Section 3.4. Should this text replace the paragraph of "No further action by the IANA is necessary for this document or any anticipated updates" in Section 6 of RFC6712 instead of being appended to the section? Regards, Roman
- [lamps] AD Review of draft-ietf-lamps-cmp-updates… Roman Danyliw
- Re: [lamps] AD Review of draft-ietf-lamps-cmp-upd… Brockhaus, Hendrik
- Re: [lamps] AD Review of draft-ietf-lamps-cmp-upd… Brockhaus, Hendrik
- Re: [lamps] AD Review of draft-ietf-lamps-cmp-upd… Brockhaus, Hendrik
- Re: [lamps] AD Review of draft-ietf-lamps-cmp-upd… Russ Housley