Re: [lamps] Robert Wilton's No Objection on draft-ietf-lamps-lightweight-cmp-profile-16: (with COMMENT)

"Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com> Thu, 01 December 2022 14:42 UTC

From: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
To: Robert Wilton <rwilton@cisco.com>, The IESG <iesg@ietf.org>
CC: "draft-ietf-lamps-lightweight-cmp-profile@ietf.org" <draft-ietf-lamps-lightweight-cmp-profile@ietf.org>, "lamps-chairs@ietf.org" <lamps-chairs@ietf.org>, "spasm@ietf.org" <spasm@ietf.org>, "housley@vigilsec.com" <housley@vigilsec.com>
Date: Thu, 01 Dec 2022 14:42:00 +0000
Message-ID: <GV2PR10MB6210D429E987028B83CB1E5EFE149@GV2PR10MB6210.EURPRD10.PROD.OUTLOOK.COM>
References: <166989605927.51656.11967886597730716693@ietfa.amsl.com>
In-Reply-To: <166989605927.51656.11967886597730716693@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/BJSR1R2-ANy7i-lpq0OsqB3BxwQ>
Subject: Re: [lamps] Robert Wilton's No Objection on draft-ietf-lamps-lightweight-cmp-profile-16: (with COMMENT)

Robert

Thank you for your review and comments.
See my responses below.

Hendrik

> Von: Robert Wilton via Datatracker <noreply@ietf.org>
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> (1) p 7, sec 1.5.  Use of CMP in SZTP and BRSKI Environments
> 
>    In Secure Zero Touch Provisioning (SZTP) [RFC8572] and other
>    environments using NETCONF/YANG modules, SZTP-CSR
>    [I-D.ietf-netconf-sztp-csr] offers a YANG module that includes
>    different types of certificate requests to obtain a public-key
>    certificate for a locally generated key pair.  One option is using a
>    CMP p10cr message.  Such a message is of the form ietf-ztp-types:cmp-
>    csr from module ietf-ztp-csr and offers both proof-of-possession and
>    proof-of-identity.  To allow PKI management entities to also comply
>    with this profile, the p10cr message MUST be formatted by the EE as
>    described in Section 4.1.4 of this profile, and it MAY be forwarded
>    as specified in Section 5.2.
> 
> Given the MUST statement above, should this document "update"
> ietf-netconf-sztp-csr?

[HB] Back then, the authors of ietf-netconf-sztp-csr did not want to refer to the Lightweight CMP Profile draft, as it was still a draft and they did not want to have any additional dependencies. I personally would have appreciated a reference to this document.
Our goal was to say, 'if you are using ietf-ztp-types:cmp-csr and also want to comply with this profile, you MUST ...'

Answering your comment, I remembered that there was a last-minute change to the ietf-netconf-sztp-csr draft.
In the latest version it says:
     identity cmp-csr {
       base certificate-request-format;
       description
         "Indicates that the ZTP-client supports generating
          requests using a profiled version of the PKIMessage
          that MUST contain a PKIHeader followed by a PKIBody
          containing only the ir, cr, kur, or p10cr structure
          defined in RFC 4210.";
       reference
         "RFC 4210: Internet X.509 Public Key Infrastructure
                    Certificate Management Protocol (CMP)";
     }

This means that sztp-csr not only supports p10cr, but also ir, cr, and kur certificate request messages.
Therefore, I propose the following change:
OLD
   To allow PKI management entities to also comply
   with this profile, the p10cr message MUST be formatted by the EE as
   described in Section 4.1.4 of this profile, and it MAY be forwarded
   as specified in Section 5.2.
NEW
   To allow PKI management entities that use the module ietf-ztp-csr and 
   also wish to comply with this profile, the ir, cr, kur, or p10cr message 
   MUST be formatted by the EE as described in Section 4.1, and it MAY
   be forwarded as specified in Section 5.2.

> 
> (2) p 7, sec 1.5.  Use of CMP in SZTP and BRSKI Environments
> 
>    In Bootstrapping Remote Secure Key Infrastructure (BRSKI) [RFC8995]
>    environments, BRSKI-AE: Alternative Enrollment Protocols in BRSKI
>    [I-D.ietf-anima-brski-ae] describes a generalization regarding the
>    employed enrollment protocols to allow alternatives to EST [RFC7030].
>    For the use of CMP, it requires adherence to this profile.
> 
> Similar to my comment above, should the "requires adherence" be "MUST
> adhere",
> and should this document "update" (BRSKI) [RFC8995]?

[HB] Good point. Finally, the normative sentence saying that this profile is
applicable is in BRSKI-AE Section 5.2. Therefore, the usage of non-normative
language here is on purpose.