Re: [lamps] AD review of draft-ietf-lamps-rfc7030est-clarify-05
Roman Danyliw <rdd@cert.org> Thu, 25 June 2020 17:47 UTC
Return-Path: <rdd@cert.org>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 246153A0E06 for <spasm@ietfa.amsl.com>; Thu, 25 Jun 2020 10:47:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zRUN0S7uL13q for <spasm@ietfa.amsl.com>; Thu, 25 Jun 2020 10:46:57 -0700 (PDT)
Received: from taper.sei.cmu.edu (taper.sei.cmu.edu [147.72.252.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BE26D3A0E0A for <spasm@ietf.org>; Thu, 25 Jun 2020 10:46:54 -0700 (PDT)
Received: from delp.sei.cmu.edu (delp.sei.cmu.edu [10.64.21.31]) by taper.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 05PHkq8u020464; Thu, 25 Jun 2020 13:46:52 -0400
DKIM-Filter: OpenDKIM Filter v2.11.0 taper.sei.cmu.edu 05PHkq8u020464
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1593107212; bh=UT/GGLt6bZlMcVu+PLVqtSe6vJLop1wFnBT6RaCt93o=; h=From:To:CC:Subject:Date:References:In-Reply-To:From; b=L3alf7m4PmQD5pjzNai8fw/frJPf+KEobNXRHu7ESpYGVDAxxTTYT65/xPILH4BB9 WyKm7ULZrFG3Hk/CBXVK6hJ8XQfaFxmC4pI5j0e7DWAZ4M9bbSjmge6bEBGxpClMls 9J9WVrusPzAiNWTnQoE/zfMeIxNCAU1JH0eCB1IA=
Received: from CASSINA.ad.sei.cmu.edu (cassina.ad.sei.cmu.edu [10.64.28.249]) by delp.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 05PHkmRd031323; Thu, 25 Jun 2020 13:46:48 -0400
Received: from MURIEL.ad.sei.cmu.edu (147.72.252.47) by CASSINA.ad.sei.cmu.edu (10.64.28.249) with Microsoft SMTP Server (TLS) id 14.3.487.0; Thu, 25 Jun 2020 13:46:48 -0400
Received: from MORRIS.ad.sei.cmu.edu (147.72.252.46) by MURIEL.ad.sei.cmu.edu (147.72.252.47) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1979.3; Thu, 25 Jun 2020 13:46:47 -0400
Received: from MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb]) by MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb%13]) with mapi id 15.01.1979.003; Thu, 25 Jun 2020 13:46:47 -0400
From: Roman Danyliw <rdd@cert.org>
To: Michael Richardson <mcr+ietf@sandelman.ca>, LAMPS WG <spasm@ietf.org>
CC: max pritikin <pritikin@cisco.com>
Thread-Topic: [lamps] AD review of draft-ietf-lamps-rfc7030est-clarify-05
Thread-Index: AdYzkAx0m2ssZAMLTjWn2jugw7dc+APCClkAAh493hA=
Date: Thu, 25 Jun 2020 17:46:46 +0000
Message-ID: <f96f35ab4f5a4d15887f5104ce1713cc@cert.org>
References: <7cba97541fbd435b94192d23f966b363@cert.org> <30816.1592158056@localhost>
In-Reply-To: <30816.1592158056@localhost>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.201.72]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/Ck0yV7peGrRH22Y2rfoFI7z_wdE>
Subject: Re: [lamps] AD review of draft-ietf-lamps-rfc7030est-clarify-05
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Jun 2020 17:47:00 -0000
Hi Michael! Thanks for making all of these edits. More commentary is inline, but the bottom line is it looks ready for IETF LC. > -----Original Message----- > From: Spasm <spasm-bounces@ietf.org> On Behalf Of Michael Richardson > Sent: Sunday, June 14, 2020 2:08 PM > To: Roman Danyliw <rdd@cert.org>; LAMPS WG <spasm@ietf.org> > Cc: max pritikin <pritikin@cisco.com> > Subject: Re: [lamps] AD review of draft-ietf-lamps-rfc7030est-clarify-05 > > > WG and Max, I have changed the section 3 (in this document) edits for the > RFC7030 section 4 edits to Replace/New. > > I could change the 4.5.2 change to be more explicit about what has changed. > I found that section very difficult to read in rfc7030, so I prefer to have the > changes applied in the update. > > Roman Danyliw <rdd@cert.org> wrote: > > I conducted an AD review of draft-ietf-lamps-rfc7030est-clarify-05. > > Thanks for the work on this document to address issues that had arisen > > in RFC7030. Below is my feedback: > > Thank you. > > > (1) From idnits: > > == The 'Updates: ' line in the draft header should list only the _numbers_ > > of the RFCs which will be updated by this document (if approved); it > > should not include the word 'RFC' in the list. > > Fixed. kramdown puts whatever I put in the header into the output. > I had "RFC7030" > > > This is likely an artifact of the document build chain you are using, > > but can you please recompile it to spit out the following s/Updates: > > RFC7030/Updates: 7030/ > > > > (2) From idnits: > > == Unused Reference: 'RFC8179' is defined on line 377, but no explicit > > reference was found in the text > > That's BCP14. I see it in the BCP14 paragraph. > > > == Unused Reference: 'X681' is defined on line 385, but no explicit > > reference was found in the text > > > == Unused Reference: 'X682' is defined on line 389, but no explicit > > reference was found in the text > > I believe that I got a request to please include them all. > The reference is: > This annex provides the normative ASN.1 definitions for the > structures described in this specification using ASN.1 as defined in > [X680] through [X683]. > > I will write them all out. > > > (3) Section 1. Editorial. > > "[RFC7030] defines the Enrollment over Secure Transport, or EST protocol. > > This specification defines a number ..." > > > Because of the paragraph break, I initially read "This specification > > defines a ..." to mean this document when you really mean RFC7030. > > Changed to: > > -{{RFC7030}} defines the Enrollment over Secure Transport, or EST protocol. > - > -This specification defines a number of HTTP end points for certificate > enrollment and management. > +Enrollment over Secure Transport (EST) is defined in {{RFC7030}}. > +The EST specification defines a number of HTTP end points for certificate > enrollment and management. > > > (4) Section 1. Per "Changes to [RFC7030] to bring it inline with > > typical HTTP processing risk changes the on-wire protocol in a way > > that is not backwards compatible. However, reports ..." > > > -- I had difficulty parsing this first sentence due to the use of > > "changes" twice. > > > -- Calling something "typical HTTP processing" begs for a reference > > describing that baseline behavior. > > > Maybe saying something like: > > > Any updates to [RFC7030] to bring it inline with HTTP processing per > [RFC7231] risks changing the on-wire protocol in a way that is not backwards > compatible. > > Done. > > > (5) Section 1. Editorial. There is no canonical set of implementers > > (so the definite article shouldn't suggest that). s/However, reports > > from the implementers .../However, reports from implementers/ > > done. > > > (6) Section 1. Typo. s/extranous/extraneous/ > > fixed. Thanks for all of the edits noted above. > > (7) Section 1. Editorial. Per "This document deals with errata numbers > > [errata4384], [errata5107], [errata5108], and [errata5904]", this is > > helpful to point out that these errata are getting addressed. They are > > even cited as normative references. However, by my read, the text only > > every explains how [errata5108] is being addressed. The other three > > are not mentioned in the text at all. Please make the text more > > explicit on which changes are addressing which errata. > > I have listed in the introduction how each of the four errata are closed. > > > (8) Section 3, 4, and 5. I found it confusing that each section used a > > different patch style. Is there a reason to do that? > > I see your point, but I think that we used the right style each time. > > > ** Section 3 summarizes the behavior of 4.1.3, 4.3.1, 4.3.2, 4.4.2 and > > 4.5.2 without providing specific references to exact text, and then > > provides a general updated behavior (again without providing exact text > > updates) > > Yes. I don't think that patching the text of each of those would make > it easier to read. We could cross-off the text of 4.1.3 if that would be > easier. > > > ** Section 4. Provides an outright new blob of text to drop into a > > section with high redundancy to the original > > The CSR Attribute text would have the base64 edit applied to it as well. > I personally thought that we might have edited that text a bit more to clarify > how CSRs are made. > > > ** Section 5. Uses an OLD vs. NEW convention. > > > Minimally, since the style of Section 4 and 5 are similar and are > > precise, I'd recommend making Section 3 look like one of these style > > (i.e., being clear on exactly what text is being updated/deprecated). > > okay, I'll change section 3. Please see next email/diff. The new Section 3.2 is much clearer. Thanks for putting it in. Consider all of my other comments about patch style as resolved. The nesting of the changes per the addressed issue works for me. > > (a) Section 1. "However, reports from the implementers suggest that > > many implementations do not send the Content-Transfer-Encoding, and > > many of them ignore it. The consequence is that simply deprecating the > > header would remain compatible with current implementations." - this > > commentary suggests that dropping the header would cause no issues if > > that approach is taken. > > That's what we have done. > > > (b) Section 3. "This document updates [RFC7030] to require the POST > > request and payload response of all endpoints use Base64 encoding as > > specified in Section 4 of [RFC4648]." - this updated guidance doesn't > > explicitly rule out the use of the header > > Correct, current implementations do not set the header, and ignore it upon > receipt. If there are lurking implementations that did not response that do > include the header, then they will continue to operate. If someone ran into > such an implementation that required the header, then it could work around by > continuing to include it. > > > (c) Section 3. "This format is to be used regardless of any > > Content-Transfer-Encoding header, and any value in such a header MUST > > be ignored." - this doesn't say anything about sending the header, only > > that it should be ignored on processing; this seems important for > > backwards compatibility. > > Yes. Liberal in what you accept. > Not, no need to send it. > > > Why drop the header from one section per (d) but not from the others > > per (e)? Under what circumstances should a header be sent - > > specifically, if (c) says the header should be dropped, why do we still > > send it per (e)? > > I don't think we do, and maybe your request for explicit patches is waranteed. Fixed as noted above. > > (10) Section 3.1. Per "This specification clarifies that despite > > [RFC2616], that white space including CR, LF, spaces (ASCII 32) and, > > tabs (ASCII 9) should be tolerated by receivers", is there a reason > > that there isn't a normative SHOULD here? > > Agreed. SHOULD now. Thanks. > > (11) Section 4. > > "Section 4.5.2 of [RFC7030] is to be replaced with the following text: > > 4.1. CSR Attributes Response" > > > ** Editorial. I suspect there is a tool chain rendering issue. The > > section header to drop into RFC7030 needs to read "4.5.2 CSR Attributes > > Response" (not 4.1 which is the next section of this document). > > Editorial alternative would be to drop the header entirely or following > > convention used in Sections 5.1 and 5.2. > > Yeah, I'll render it without the markup. Thanks. > > ** Editorial. It might also be valuable to explain what is getting > > changed instead of just providing an updated blob. > > I'll defer to the WG here. > > > (12) Section 4. Editorial. For consistency with RFC7090, consider > s/[X609]/[X.609]/. > > Okay. Thanks. > > (13) Section 5. The updates here drop the normative MUST to a "must" > > regarding the "response data must ...". The Errata text explains that > > "Note that the MUST was reduced to a must because no content-type is > > specified" but I'm still not following why we lost the normative MUST. > > What am I missing? > > Editorial mistake Thanks. Regards, Roman > -- > Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= > IPv6 IoT consulting =-
- [lamps] AD review of draft-ietf-lamps-rfc7030est-… Roman Danyliw
- Re: [lamps] AD review of draft-ietf-lamps-rfc7030… Michael Richardson
- Re: [lamps] AD review of draft-ietf-lamps-rfc7030… Michael Richardson
- Re: [lamps] AD review of draft-ietf-lamps-rfc7030… Roman Danyliw