IETF Logo Mail Archive

Re: [lamps] draft-ietf-lamps-rfc4210bis was: Re: WG Last Call: draft-ietf-lamps-x509-policy-graph-01

Michael StJohns <msj@nthpermutation.com> Thu, 14 December 2023 19:39 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7852DC14F5FD for <spasm@ietfa.amsl.com>; Thu, 14 Dec 2023 11:39:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.904
X-Spam-Level:
X-Spam-Status: No, score=-1.904 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nthpermutation-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sZ0WTiz7UYZ7 for <spasm@ietfa.amsl.com>; Thu, 14 Dec 2023 11:39:31 -0800 (PST)
Received: from mail-qk1-x72b.google.com (mail-qk1-x72b.google.com [IPv6:2607:f8b0:4864:20::72b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA470C14F5EF for <spasm@ietf.org>; Thu, 14 Dec 2023 11:39:31 -0800 (PST)
Received: by mail-qk1-x72b.google.com with SMTP id af79cd13be357-77f8e4702a6so191680585a.1 for <spasm@ietf.org>; Thu, 14 Dec 2023 11:39:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nthpermutation-com.20230601.gappssmtp.com; s=20230601; t=1702582770; x=1703187570; darn=ietf.org; h=in-reply-to:from:references:cc:to:content-language:subject :user-agent:mime-version:date:message-id:from:to:cc:subject:date :message-id:reply-to; bh=xFQRjiVVqXNZQeHnh+yTo/YtK256icZaORtK3MJk2Kw=; b=HzEkrz9Rkcryv2EJ1S/ZL6gY4Jl+Oin7mH0no6PgQGgJ18rcIhB2dfBZcF/S+E09Ej 3l1t/ccJcUSCe0Yaa7+b+OcfpvDPkULdPBreLNN6yQuckNp/Ie0JZ/pumvAoW8GDwhc8 Frt8+lmuqA9dE9MOgYYU+oQJYUWh9RWgVInpII7W5Dxemp4iIfnseVLcb7/7SvKhWHEi BuXYmEd3jT6Zn9EYFC1wWs78TJXTRdx58KhH8G+W97W/FJIQzpOxeeuVFWipkLAA2+5m sidmW2C176CxMN+4u7/r4rrZmp/ByQ7a+D8V4PX2T6IxzprDtF4xspIeQz3IafkEUbn9 MnFg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1702582770; x=1703187570; h=in-reply-to:from:references:cc:to:content-language:subject :user-agent:mime-version:date:message-id:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=xFQRjiVVqXNZQeHnh+yTo/YtK256icZaORtK3MJk2Kw=; b=rgL/brXUiTO2/7VurrASl7EtuzftJ6Y71D4EjIIsH2oP0hOc3QTxsg69JEwuuiHiXE H3fASx+xplE75iLhzYzfF3nCLUJqcBIkao79gldEG/xj8z4xYVz/UAwgzCXFtYQN4MUP 2XsmK2PrY72jbJJfSVALn4lRZIs0lBkZiUJ20VBn0Bmk6Pv3oE3IMaVDCZ10c87GldMD vl7vM4Zx5HAlHSZyLL6Qt3Fuj8BIxggeoT5+gswVwh2fHYLdqOMPyQd+J+c5HwN4+LkI An9OdleL1Or72clFP9VP0P7TcCkry0Lo39tI/uQeXTkpu55oAI5lZHBH8Xu+HGPAJSU5 HpDQ==
X-Gm-Message-State: AOJu0YwsYFvX5849ygwUctPRcl0wIs/Unuptjpopmi4jcQx31xAQJs+F HOTaP1/swl21bhczUi+bJeJTwg==
X-Google-Smtp-Source: AGHT+IEar1vhvISlG/jFw6CnSMKKgWSmdV6pXFMgP0pzC3HapgGLEi3m/ejsxUCFCITauFrmoOhpng==
X-Received: by 2002:a05:620a:8906:b0:77f:384b:ae4e with SMTP id ql6-20020a05620a890600b0077f384bae4emr14376810qkn.113.1702582770409; Thu, 14 Dec 2023 11:39:30 -0800 (PST)
Received: from [192.168.1.23] (pool-108-31-156-76.washdc.fios.verizon.net. [108.31.156.76]) by smtp.gmail.com with ESMTPSA id tn24-20020a05620a3c1800b0077f052fa73bsm5532793qkn.15.2023.12.14.11.39.29 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 14 Dec 2023 11:39:30 -0800 (PST)
Content-Type: multipart/alternative; boundary="------------xAc64p821Rx0vW03mV1oF0OR"
Message-ID: <922a1e0b-2e3c-41c3-b5ad-a26464988ede@nthpermutation.com>
Date: Thu, 14 Dec 2023 14:39:28 -0500
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>, Russ Housley <housley@vigilsec.com>
Cc: LAMPS <spasm@ietf.org>
References: <99DEDEBF-35D7-4EE5-BABF-63A9F6D02C29@vigilsec.com> <3EEC4C31-31E2-462C-BB82-010F17E996A0@vigilsec.com> <3931a166-c465-4861-8101-50ebadb99a21@nthpermutation.com> <4CEF723E-614F-446A-8D80-EC63AF07C8F5@vigilsec.com> <d66f65e1-0119-46a0-8764-29fc65f63e75@nthpermutation.com> <801C3122-0410-426E-BFB8-F269CA1DA9D9@vigilsec.com> <73092f78-ba01-4709-9e39-7658e300e788@nthpermutation.com> <FBBC550B-257A-4189-84AA-E6493EC008F2@vigilsec.com> <3ae04ff9-7ad5-40fb-8552-832a3a43847b@nthpermutation.com> <F070F503-DE63-4E86-A2AA-BB77CC618F90@vigilsec.com> <53b35103-eff1-43f4-9a11-d7ed9b9771c2@nthpermutation.com> <DB9PR10MB571578EC6E7A86F55ACA66C5FE8FA@DB9PR10MB5715.EURPRD10.PROD.OUTLOOK.COM>
From: Michael StJohns <msj@nthpermutation.com>
In-Reply-To: <DB9PR10MB571578EC6E7A86F55ACA66C5FE8FA@DB9PR10MB5715.EURPRD10.PROD.OUTLOOK.COM>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/IUqS9cQYis7Ixs41nMoXb55BvSQ>
Subject: Re: [lamps] draft-ietf-lamps-rfc4210bis was: Re: WG Last Call: draft-ietf-lamps-x509-policy-graph-01
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: This is the mail list for the LAMPS Working Group <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Dec 2023 19:39:36 -0000

On 12/11/2023 2:21 AM, Brockhaus, Hendrik wrote:
>
> Mike
>
> Thank you for pointing this out. I was also thinking about how to best 
> express this.
>
> My understanding is that 4210bis obsoletes 4210 and 9480 and updates 
> 5912. In parallel 6712bis obsoletes 6712 and 9480.
>
> I am preparing updated versions of both -bis drafts on 
> https://github.com/lamps-wg/cmp-updates/ reflecting the released 
> documents RFC9480 – RFC9483.
>
> I am currently following the discussion on cms-kemri regarding the KDF 
> input as is may also affect the specification of KEM-based message 
> protection in 4210bis Section 5.1.3.4.
>
> As always, any feedback or proposal are welcome.
>
Hi -

--> The 6712bis draft is expired since February.  If these are a pair, 
they'll need to move along together.  If they both move then I think 
your approach works.

--> The OID/NAME for the updated 5912 module bothers me. RFC4210 has 
PKIXCMP - with a module of id-mod-cmp2000 (16) under 
1.3.6.1.4.1.5.5.7.0.   RFC5912 has  PKIXCMP-2009 with id-mod-cmp2000-02 
(16).   RFC9480 has PKIXCMP with id-mod-cmp2021-88 (99) and PKIXCMP-2021 
with id-mod-cmp2021-02(100).

4210bis  has PKIXCMP-2023 and id-mod-cmp2023-02(TBD2).  Not sure what 
the -02 gives you here - or is that meant to indicate 2002 standard?  If 
so - maybe PKIXCMP-2023-02 as well.

This seems a bit scattershot and makes it a bit difficult to figure out 
which ASN1 module supersedes another one.  Would versioning the OID make 
more sense?  (e.g. same module number plus two components for 
major/minor versions).  So 1.3.6.1.4.1.5.5.7.0.16.2023.1 for 
PKIXCMP-2023? (Or PKIXCMP-2023-02?).

--> Is there a standard practice in the PKIX world for module and module 
tag names and OIDs for replacement modules?  Does IANA have such a thing?

--> RFC9480 has the notation that PKIX still considers -88 modules to be 
the gold standard.  Is this still the case?  From A.1 of RFC9480:

> Although a 2002 ASN.1 module is provided, this 1988 ASN.1 module 
> remains the normative module, as per the policy of the PKIX Working Group.

--> Next - for the changes to the body of the module, are there any 
upstream modules where such a change could be problematic or limiting?  
E.g. importing an enum that's been extended?  (Do we have a tool for 
scanning for imports and doing the cross verification?

--> Lastly, it would probably make sense to include within the body of 
the module (in ASN1 comment blocks) the OID of the module this one is 
replacing and  the specific changes or updates that were made between 
the two.  e.g. for the most part the extracted module ought to be 
stand-alone.

Later, Mike

> Hendrik
>
> *Von:* Spasm <spasm-bounces@ietf.org> *Im Auftrag von *Michael StJohns
> *Gesendet:* Samstag, 9. Dezember 2023 22:53
> *An:* Russ Housley <housley@vigilsec.com>
> *Cc:* LAMPS <spasm@ietf.org>
> *Betreff:* [lamps] draft-ietf-lamps-rfc4210bis was: Re: WG Last Call: 
> draft-ietf-lamps-x509-policy-graph-01
>
> Thanks for the changes in the write up.  Comment below.
>
> On 12/9/2023 4:19 PM, Russ Housley wrote:
>
>     Mike:
>
>         On 12/8/2023 2:56 PM, Russ Housley wrote:
>
>         I didn't actually notice that one at the time - now RFC 9480. But what a mess.   I see that there is a RFC4210bis  document in progress (https://datatracker.ietf.org/doc/draft-ietf-lamps-rfc4210bis/) and not one for 4211 - is that the one you meant?  I also see that the 4210bis document is missing an Obsoletes RFC9480 tag, except it can't have one because RFC9480 updates multiple documents... I'm not seeing this as a shining example of what to do....  the only saving grace is that the referenced document here  is only cutting and pasting  a single upstream document.
>
>     Yes, I meant RFC 4210.
>
>     RFC 4210 is updated by RFC 6712, RFC 9480, and RFC9481.  rfc4210bis should obsolete RFC 4210 and RFC 9480.
>
> Except that RFC9480 doesn't just update RFC 4210. It also updates RFC 
> 5912 and RFC 6712. If you obsolete 9480, what does that mean for the 
> changes marked within that document that apply to 5912 and 6712? 
> Generally "Obsolete" in RFC speak means "completely replaced", but the 
> 4210bis document doesn't completely replace RFC9480.
>
> Can a document be "Updated By" a second document that's marked as 
> Obsolete?
>
> As I said - this looks like a mess.
>
> Mike
>

v2.23.0 | Report a Bug | By Email