Re: [lamps] AD Review of draft-ietf-lamps-lightweight-cmp-profile-13
Roman Danyliw <rdd@cert.org> Mon, 10 October 2022 15:56 UTC
Return-Path: <rdd@cert.org>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C1ECC14F74C for <spasm@ietfa.amsl.com>; Mon, 10 Oct 2022 08:56:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.11
X-Spam-Level:
X-Spam-Status: No, score=-2.11 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1zG_Qt80v58E for <spasm@ietfa.amsl.com>; Mon, 10 Oct 2022 08:56:06 -0700 (PDT)
Received: from USG02-CY1-obe.outbound.protection.office365.us (mail-cy1usg02on0109.outbound.protection.office365.us [23.103.209.109]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 456D8C14CF0B for <spasm@ietf.org>; Mon, 10 Oct 2022 08:55:47 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=cegvcTS/xwiEzs9S8TfHSykOXrMT8cIqmCrAKa9WXHzRI1JVGUHCIzENE4PJTrmHHqeDNv2GY2jiXhwLKCfSZFxEvT5fPbsKr+dwHUwdTwTHluUCxNAMhskA/wcZ/mxPLqia3l0eHYvY4zyCeMNAdjSaK7fNKBHS2iBS+gAKXJSP0ZvTs3BbiGG4S8bzHVMijxmIDJGEfRCOoZQDbKSrgHqHutV8wkPD7doEmP+qu4YYd8zx/TKqO8E0S71CJdoli4AX/08XOToCVgCFr/vawPZZBva6Sgg/e+STKEzHMdLfWYY+8hf1DIUOJJ/ChDLCw4QTjwTnowWSJRaTseuR2w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=qdR4QYlZ283hLuaeMjU1GlQ++a95kHwx4gEHE0YQ03k=; b=YVINxWWu+Kexi3Fg/7dYjoOVCGKyN/cAm6yGedBdngLd5BuBU8ZIuSURxfe7s9ZesNvnB3+/njMpDts2lCFRNhMUP2RZtBgN6NIvl20W2+mea7y5c+i0zO0ktqPts3eCQoJr6X7UeupaPP2afqAHUg9ME945+F0G9Ihh9efQZHsjvilsH7yRKNspYSaXV7ecgpwWTlhNs1hwkQv8/LU0YNiQQjeNFPh8039fLmGjXReM/+EG6vOnINapM2u0d3JNYZdxLbviW5uUfWGTP7j1Mpq6AeNEVW24t5pvrP1X2Apqluiq9MnyqQ4BeMluk1gGRN0J6k+5O1W+LruxQAiWBQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=qdR4QYlZ283hLuaeMjU1GlQ++a95kHwx4gEHE0YQ03k=; b=gxnUfgBWFFZn+M4AdEQjTHZD3sWYGERla1YgXGbb806lh6I9ryQLh6RMt+4arcaRRYEvoLzSodVsi9dyiLVpTYZzHUQ0rZIZsaOA5UeCA/VYX+edkzhna7IkauETmzYS2zM+JcNP+T090AxF7pdYJX/WxaL3iel7zcGGWz1pQQo=
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:168::11) by BN2P110MB1285.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:179::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5676.17; Mon, 10 Oct 2022 15:55:44 +0000
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::dbc:d573:57cb:e0e1]) by BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::dbc:d573:57cb:e0e1%6]) with mapi id 15.20.5676.040; Mon, 10 Oct 2022 15:55:44 +0000
From: Roman Danyliw <rdd@cert.org>
To: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
CC: "spasm@ietf.org" <spasm@ietf.org>, "von Oheimb, David" <david.von.oheimb@siemens.com>, "Fries, Steffen" <steffen.fries@siemens.com>
Thread-Topic: AD Review of draft-ietf-lamps-lightweight-cmp-profile-13
Thread-Index: AdjKEHgGN3DPx+sVS0uIPf07i4oJmAJzG+cgAjjraiA=
Date: Mon, 10 Oct 2022 15:55:44 +0000
Message-ID: <BN2P110MB11073DF0E0EC9CB697F71321DC209@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
References: <BN2P110MB1107086331DCF6BA1111EC78DC489@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM> <GV2PR10MB62103779FC70CD8B8D51B3CCFE579@GV2PR10MB6210.EURPRD10.PROD.OUTLOOK.COM>
In-Reply-To: <GV2PR10MB62103779FC70CD8B8D51B3CCFE579@GV2PR10MB6210.EURPRD10.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_Enabled=true; MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_SetDate=2022-09-29T08:29:06Z; MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_Method=Standard; MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_Name=restricted; MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_SiteId=38ae3bcd-9579-4fd4-adda-b42e1495d55a; MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_ActionId=b7de6219-3062-4666-95f0-4a12277c4e11; MSIP_Label_9d258917-277f-42cd-a3cd-14c4e9ee58bc_ContentBits=0
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cert.org;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BN2P110MB1107:EE_|BN2P110MB1285:EE_
x-ms-office365-filtering-correlation-id: 02f8cf84-fa0f-4cba-ff5e-08daaad7e3bf
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 5nDn1mMzRD4jg2n5mZHcx8ZhxmxzDhHxQV6uak0Zl7/0KsHZNAUnMapw0ocW2AaN7nD35DcC/YOPqX/SzpeVo2BlHUxqXdAhGxP+nqliG4d5e7nSI2+bwF0tYm3RQdYKC7RWQUh7WEPj4fvKYjiubHynlRx0Ypx2xBbk+Rl2Vyd82ogyeF9EW3qWZqVQJ/WawEEV3i4/BVPJu6bTWYBHUvuz51t7+wEqkvGxZhcDAuDkoqbqfdLnyb47zs5j5ew83eQC5dgBxR1r1VwxpKY8Gs+raAe4eGM6yzRHg5H8xDh+NYZ9IHHJv9iXQkyiBbTX2C6U7myDCi9BP1WRDOMmTFGSQZX/f3sMzRziLqd3PzyOWHwuvMLxx9seA+2xNioPli6Q/1G4Z/vR9CxB2dfGgSJgaceuvEIkVr82QACqHkfHQwSc6z/ZxPJ34oNQNNAsoxLgxizES3Tu2xgKapHv9/K58I3iTGoWMeT2lo51H4GPI2PsxU67H2cAqrINeA49rMiRQKiq2FNEza5f9oH1p6kHv45GEuyAudfHmc3s9qHjE/orgoJ9qanXklCucc5QxJqNcA0WFik8C+qCRrk16+zEEu/EPlPx97AmLBpCbg83DKMrSCLsxSbV9VQ6+iGhh7mhhocyIaQi47XKmezAAvw3vxd+OpXx6wPoFUe+ePzlCOr32bGn5mN4Te+Udq240A788u6x7v08MvHoQM8lWjh3Y/OEPpm7SLmFgeWoL+GTgPGRfaBo97rtZZ/r03aNdu5fMhWvvfkgn8eDmZ/Luw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230022)(366004)(451199015)(26005)(53546011)(9686003)(7696005)(498600001)(6506007)(186003)(966005)(55016003)(2906002)(83380400001)(30864003)(71200400001)(54906003)(6916009)(66556008)(8676002)(5660300002)(8936002)(52536014)(66476007)(66946007)(4326008)(66446008)(76116006)(64756008)(18074004)(66899015)(86362001)(38070700005)(122000001)(38100700002)(82960400001)(33656002)(579004)(559001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 2NMzYbQ3xZVDr0jZNjKOxV3hQTsVW31dFyaduXvRpyKHTG3CGf+lluVkEUhPilCaiaVcaLYxxMPIdXZOVdLOZJKfMHu272x5J5uTNm1FMdtxXDXqjO1AKnmX8b/BeH+CvYKP4Gp7/aBqmE+SHGV9uPyXwXdJ+PRoEcUym4raTHtnIzgngMG5z+8c84C4cdYQvaAOsmf0oH2QhdAi5OyNn71rzR/wLm+yghupDf8ITyF3/27gTTTQRaFXq1vdDFYUja3Kz3pmrLOQm+W3ikRj8osN+q+r49e8C4YvSLYSFd0t5czhBO2SiMxMHFzPQwBOA2FVICBa+JSj9guauojsfNK073A04R5I6NLInIGlvmQjLvVtJBEdWWT9ncxYnd4J6sUZYzdv6FqLmGB3R9ZS/vZzWVrpPNXuRkmdwR5er4OIfmIvGqKODqBZw2qeNPArWHUwTh4sd13VNGz8F6z2p6Gl0ja/uMwUozaAewk0vcH1nPGTydjpsnhwCXYoqzqUWhVXMIgBXM6X5Wxce2Z9dNcWhfsaWrqHQwocH3cmoGaxxvdUz2ybG80zF2LrwQWPidY1hrrW+yyxy5+uYBX+kd24xIUGbC6aEkEfP84762CE4Llat9l6WIjkmmYRtLm1gDcdKm8Nx9duyajuQnca9imvh/A39xWDXApagS2hyilfIoRU5HTFWFNwaEqUiQWXAT7GTVNbwV8fzSUQgkMvbmVAf8djGQdhbTj1nYUB16DYpyY0Pa0gqh9TpxVXGM5yXdNSdeGMYq2JTbG7mIdgU9QDoAZ+XpQR6IeJBActUk2HBND4m7HVkokHllkloA5Z/VazdQtNurnI0PJDcxEeBHnB3Hkcs7gaokdNqm4ywRQ2J7ScKhZSHv5tV690qZSDAmqFB4xDF+bPRMeXtLzCg6wpZHhP+8TpMaXcGHMrtWAKF6odGBoPz//Xv3Ol+wIgd2Xx+mA5jv0dTAZ2dcYhtWAfenJ1OMenFzkcvKVdcP+WccZSqIYuaOYHhe0dHmclL1U0VuLURs/uoSzI94ZJnxuQQCSvO9OiKCZBBIYIO3LHSxnKVIM5CXMv9fcN/C4DRvLDRgjbroYtlyMd3ClAJ3ZAgcnqKHv4Ftu8wK3eOV0TgV2qj2DZ3e0uu9BZsaVE95XKCZ0nSZKJHzFIYw5NYWeF7f8ZsJMGiRrU2B7JccWemsSWyEHwCujGyiGaajZ3xbljNGYn4DgNt20tJGLTK8GWZW3a0QXujqBRrAHyDKRHKGfM2ycWJWwGhhuc36PQ/hdDMs+13Pmrn8eun/o2TtiMRQXogEpaFXM5eI9W70oUkCodbbf1dPzXQ7UvtqdHjt9ZT+oz2WgDWNOP7Fu9FtZR+fzUCJy8X24WfmyAolzbNucnoTmCXjCj9n81z0AH4CR9qTdu9VadAjkPrBb6UCVHh6B3YvHQ+b/zqgib+L36cMH10Y7mBnhz5uyWhyhx/cUa7bzsnjaWuGJi7p+1nGBJYe3YpFmL13BlLxmtKoA=
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 02f8cf84-fa0f-4cba-ff5e-08daaad7e3bf
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Oct 2022 15:55:44.1579 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN2P110MB1285
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/JiF7SsS0TJZ-3l-cIOtUcp8fsV4>
Subject: Re: [lamps] AD Review of draft-ietf-lamps-lightweight-cmp-profile-13
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Oct 2022 15:56:11 -0000
Hi Hendrik! Thanks for the detailed response and all of the effort to produce the revisions in -14. Consider my feedback below resolved. I've requested IETF Last Call on the document. Regards, Roman > -----Original Message----- > From: Spasm <spasm-bounces@ietf.org> On Behalf Of Brockhaus, Hendrik > Sent: Thursday, September 29, 2022 4:29 AM > To: Roman Danyliw <rdd@cert.org> > Cc: spasm@ietf.org; von Oheimb, David <david.von.oheimb@siemens.com>; > Fries, Steffen <steffen.fries@siemens.com> > Subject: Re: [lamps] AD Review of draft-ietf-lamps-lightweight-cmp-profile-13 > > Roman > > Many thanks for your feedback and for the valuable comments. Below you find > my responses and suggestions. > I will submit an updated version of the draft incorporating all changes proposed > as soon as possible. > If there is any proposed change that does not fit your expectation, please let > me know. > > Hendrik > > > Von: Spasm <spasm-bounces@ietf.org> Im Auftrag von Roman Danyliw > > > > Hi! > > > > I conducted an AD review on draft-ietf-lamps-lightweight-cmp-profile-13. > > Thanks for all of the hard work on this comprehensive document. My > feedback > > is as follows: > > > > ** Abstract. Editorial. > > > > OLD > > More special and complex use > > cases are supported as well, by features specified as recommended or > > optional. > > > > NEW > > More specialized or complex use cases are supported with optional > features. > > [HB] Thanks, change will be done. > > > > > ** Section 1. Editorial. > > > > OLD > > Especially CMP, CRMF, and CMS > > are very feature-rich standards, while in most application scenarios > > only a limited subset of the specified functionality is needed. > > > > NEW > > CMP, CRMF and CMS are feature-rich specifications, but most application > > scenarios use only a limited subset of the same specified functionality. > > [HB] Thanks, change will be done. > > > > > ** Section 1.2. Editorial. Colloquial language. s/is a solid and very capable/is > a > > capable/ > > [HB] Thanks, change will be done. > > > > > ** Section 1.2. Editorial > > > > OLD > > To > > this end, when there was a choice to have necessary complexity more > > on the EE or PKI management entity side, it has been pushed towards > > PKI management entities, where typically more computational resources > > are available and the development can be consolidated better > > > > NEW > > To this end, when there was design flexibility to either have necessary > > complexity on the EE or in the PKI management entity, this profile chose to > > include it in the PKI management entities where typically more > computational > > resources are available. > > [HB] Thanks, change will be done. > > > > > ** Section 1.2. "As also 3GPP and UNISIG already put across ..." > > > > What does "put across" mean? > > [HB] Proposed change: > OLD > As also 3GPP and UNISIG already put across, profiling is a way of > coping with the challenges mentioned above. > NEW > Profiling is a way to reduce feature richness and complexity of > standards to what is needed for specific use cases. 3GPP and > UNISIG already use profiling of CMP as a way to cope with these challenges. > > > > > > ** Section 1.2. > > In > > this way all the general and applicable aspects of the general > > protocol are taken over ... > > > > What does "taken over" mean here? > > [HB] Proposed change: > OLD > In > this way all the general and applicable aspects of the general > protocol are taken over and only the peculiarities of the target > scenarios need to be dealt with specifically. > NEW > In > this way the general aspects of the protocol are utilized > and only the special requirements of the target scenarios > need to be dealt with using distinct features the protocol > offers. > > > > > ** Section 1.3 > > > > Due to increasing security needs in operational networks as well as > > availability requirements, ... > > > > Isn't availability an example of a security requirement? > > > > ** Section 1.3 > > > > Due to increasing security needs in operational networks as well as > > availability requirements, especially on critical infrastructures and > > systems with a high number of certificates, a state-of-the-art > > certificate management system must be constantly available and cost- > > efficient, which calls for high automation and reliability. > > > > -- Since this profile is targeted at IoT and industrial solutions, shouldn't it read > > "operational technology" (instead of operational networks). Isn't anything in > > production an "operational network"? > > > > -- what is the set of technology which has a high number of certificates, but > isn't > > OT or critical infrastructure? > > [HB] Proposed change: > OLD > Due to increasing security needs in operational networks as well as > availability requirements, especially on critical infrastructures and > systems with a high number of certificates, a state-of-the-art > certificate management system must be constantly available and cost- > efficient, which calls for high automation and reliability. > NEW > Due to increasing security and availability needs in operational > technology, especially when used for critical infrastructures and > systems with a high number of certificates, a state-of-the-art > certificate management system must be constantly available and cost- > efficient, which calls for high automation and reliability. > > > > > ** Section 1.3 > > > > Further challenges in many industrial systems are network > > segmentation and asynchronous communication, while PKI management > > entities like Certification Authorities (CA) typically are not > > deployed on-site but in a more protected environment of a data center > > or trust center. > > > > -- This is a run-on sentence. Please split it. > > > > -- what is a "trust center"? > > [HB] Proposed change: > OLD > Further challenges in many industrial systems are network > segmentation and asynchronous communication, while PKI management > entities like Certification Authorities (CA) typically are not > deployed on-site but in a more protected environment of a data center > or trust center. > NEW > Further challenges in many industrial systems are network > segmentation and asynchronous communication. Also, PKI management > entities like Certification Authorities (CA) typically are not > deployed on-site but in a high protected data center environment, e.g., > operated according to ETSI Policy and security requirements for Trust > Service Providers issuing certificates [ETSI EN 319 411-1]. > > > > > ** Section 1.5 > > To allow PKI management entities to also comply > > with this profile, the p10cr message must be formatted by the EE as > > described in Section 4.1.4 of this profile, and it may be forwarded > > as specified in Section 5.2. > > > > -- Why not use a MUST and MAY since this seems to be specifying normative > > behavior. > > [HB] Right > OLD > To allow PKI management entities to also comply > with this profile, the p10cr message must be formatted by the EE as > described in Section 4.1.4 of this profile, and it may be forwarded > as specified in Section 5.2. > NEW > To allow PKI management entities to also comply > with this profile, the p10cr message MUST be formatted by the EE as > described in Section 4.1.4 of this profile, and it MAY be forwarded > as specified in Section 5.2. > > > > > -- Wouldn't it be more appropriate for draft-ietf-netconf-sztp-csr and draft- > ietf- > > anima-brski-ar to normatively reference this document and specify which part > of > > this document they must adhere to. > > [HB] You are right, and draft-ietf-anima-brski-ae Section 5.2 is using this draft > as > normative reference for this PKI management operation. But draft-ietf-netconf- > sztp-csr is already in RFC Ed Queue and the authors did not want to have a > further dependency to this draft. > > > > > ** Section 2. The solution architecture notes an expectation for > manufacturer- > > issued device certificates (IDevID). Is there a reference that can be used > which > > covers the Security Considerations of this kind of root of trust? > > [HB] We could add a note after the first paragraph to provide further > information. > NEW > Note: The owner or operator using the manufacturer-issued device > certificate for authenticating the device during initial enrollment > of operational certificates MUST trust the respective trust anchor > provided by the manufacturer. > > > > > ** Section 2. > > The EE creates a CMP request message, protects it > > using some asymmetric credential or shared secret information and > > sends it to its locally reachable PKI management entity. > > > > Per the term "locally reachable", is this implying on the "local network"? > Would > > there be a case where that isn't the case? There is subsequent text in this > > section which suggests that "It is also possible not to have an RA or LRA or > that > > there is no CA with a CMP interface." > > [HB] Good point. We can generalize it to 'a PKI management entity'. > OLD > The EE creates a CMP request message, protects it > using some asymmetric credential or shared secret information and > sends it to its locally reachable PKI management entity. > NEW > The EE creates a CMP request message, protects it > using some asymmetric credential or shared secret information and > sends it to a PKI management entity. > > > > > ** Section 2. Editorial? > > Especially the communication between an LRA and RA can be performed > > synchronously or asynchronously > > > > I'm confused by the use of "especially". Can't the text say "The > communication > > between ...? > > [HB] Right, I will change this. > OLD > Especially the communication between an LRA and RA can be performed > synchronously or asynchronously. > NEW > The communication between an LRA and RA can be performed > synchronously or asynchronously. > > > > > ** Section 2. > > > > Note: CMP response messages could also be used proactively to > > implement the push model towards the EE. > > > > I found the inclusion of this text confusing given that earlier text in this > section > > explicitly said "All certificate management operations specified in this > document > > follow the pull model, i.e., are initiated by an EE (or by an RA acting as an > EE)." > > This aside seems to be describing something that is out of scope for this > profile. > > Why is it needed? > > [HB] Netconf specifies enrollment using, e.g., different request formats, > including > CMP request messages, and specifies the certificate delivery message > independently > from the request format. Also, ietf-anima-brski-prm specifies a push model, > which can > be implemented using CMP messages. Therefore, we thought such note on the > push model > could also be helpful here, even if it is out of scope of this document. > In the meantime, there is Section 1.5 on using CMP with SZTP and if it confuses > the > reader, we could delete this note or rephrase it to express more clearly, that > the push > model must be specified elsewhere. > OLD > Note: CMP response messages could also be used proactively to > implement the push model towards the EE. In this case the EE acts as > receiver, not initiating the interaction with the PKI. Also, when > using a commissioning tool or a registrar agent as described in BRSKI > with Pledge in Responder Mode (BRSKI-PRM) [I-D.ietf-anima-brski-prm], > certificate enrollment in a push model is needed. CMP in general and > the messages specified in this profile offer all required > capabilities, but the message flow and state machine as described in > Section 4 must be adapted to implement a push model. > NEW > Note: In contrast to the pull model used in this document, other > specifications could use the messages specified in this document > implementing the push model. In this case the EE is pushed (triggered) > by the PKI management entity to provide the CMP request, and therefore > EE acts as the receiver, not initiating the interaction with the PKI. > For example, when the device itself does only act as a server as > described in BRSKI with Pledge in Responder Mode (BRSKI-PRM) [I-D.ietf- > anima-brski-prm], support of certificate enrollment in a push model is > needed. While BRSKI-PRM currently utilizes its own format for the > exchanges, CMP in general and the messages specified in this profile > offer all required capabilities. Nevertheless, the message flow and > state machine as described in Section 4 must be adapted to implement a > push model. > > > > > ** Section 2. > > > > Third-party CAs may implement other variants of CMP, different > > standardized protocols, or even proprietary interfaces for > > certificate management. Therefore, the RA may need to adapt the > > exchanged CMP messages to the flavor of certificate management > > interaction required by the CA. > > > > How does this affect the implementation of this profile? The matters > discussed > > here seem out of scope as long as the RA and CA conform to the table in > Section > > 7.1. > > [HB] This is right. I will express it more clearly that this is an option that can be > relevant in a real-life scenario, but it is out of scope of this document. > OLD > Third-party CAs may implement other variants of CMP, different > standardized protocols, or even proprietary interfaces for > certificate management. Therefore, the RA may need to adapt the > exchanged CMP messages to the flavor of certificate management > interaction required by the CA. > NEW > Third-party CAs, not conforming to this document, may implement > other variants of CMP, different standardized protocols, or even > proprietary interfaces for certificate management. In such cases, > an RA needs to adapt the exchanged CMP messages to the flavor > of certificate management interaction required by such a non- > conformant CA. > > > > > ** Section 3.1, but broadly applicable. This is a subjective editorial comment. > > The sections which describe the specific fields are difficult to read due to the > > indentation. Consider: > > > > -- Using hanging indents for the distinct bullets to improve readable. For > > example: > > > > OLD > > -- MUST be 3 to indicate CMP v3 in all cases where EnvelopedData > > -- is supported and expected to be used in the current > > -- PKI management operation > > -- MUST be 3 to indicate CMP v3 in certConf messages when using > > -- the hashAlg field > > > > NEW > > -- MUST be 3 to indicate CMP v3 in all cases where EnvelopedData > > -- is supported and expected to be used in the current > > -- PKI management operation > > -- MUST be 3 to indicate CMP v3 in certConf messages when using > > -- the hashAlg field > > > > -- Indenting the sub-elements fields and their associated text. For example: > > > > OLD > > body > > -- The request of the EE for a new certificate using a PKCS#10 > > -- certificate request > > p10cr REQUIRED > > certificationRequestInfo REQUIRED > > version REQUIRED > > -- MUST be 0 to indicate PKCS#10 V1.7 > > subject REQUIRED > > -- The EE subject name MUST be carried in the subject field > > -- and/or the subjectAltName extension. > > -- If subject name is present only in the subjectAltName > > -- extension, then the subject field MUST be a NULL-DN > > NEW > > body > > -- The request of the EE for a new certificate using a PKCS#10 > > -- certificate request > > p10cr REQUIRED > > certificationRequestInfo REQUIRED > > version REQUIRED > > -- MUST be 0 to indicate PKCS#10 V1.7 > > subject REQUIRED > > -- The EE subject name MUST be carried in the subject field > > -- and/or the subjectAltName extension. > > -- If subject name is present only in the subjectAltName > > -- extension, then the subject field MUST be a NULL-DN > > [HB] Thank you for this feedback. You are right, that this will increase the > readability. I will give it a try to change this. > > > > > ** Section 3.1. > > senderKID RECOMMENDED > > > > Section 5.1.1 of RFC4210 says that senderKID MUST be used if a NULL-DN is > set > > for the sender. This isn't explicitly stated here. > > [HB] Good point. This profile generally requires that the senderKID is present. > OLD > senderKID RECOMMENDED > -- MUST be the SubjectKeyIdentifier of the CMP protection > -- certificate in case of signature-based protection > NEW > senderKID REQUIRED > -- MUST be set > -- MUST be the SubjectKeyIdentifier of the CMP protection > -- certificate in case of signature-based protection > > > > > Related, a recipient is REQUIRED, but there is no mention of the recipientKID > > field. If recipient is NULL, should it be used? > > [HB] recipKID is supposed to be used only when DH keys are used for > message protection. Currently the profile only support MAC- and signature- > based > protection and does not offer protection using KEM keys. > RFC4210 Section 5.1.1. stats: > senderKID and recipKID are usable to indicate which keys have been > used to protect the message (recipKID will normally only be required > where protection of the message uses Diffie-Hellman (DH) keys). > > As draft-ietf-lamps-rfc4210bis plans to extend the document to support > of KEM keys, recipKID may also be required. > > > > > ** Section 3.1. > > recipNonce RECOMMENDED > > -- If this is the first message of a transaction: SHOULD be > > -- absent > > -- If this is a delayed response message: MUST be present and > > -- contain the value of the senderNonce of the respective request > > -- message in the same transaction > > -- In all other messages: MUST be present and contain the value > > -- of the senderNonce of the previous message in the same > > -- transaction > > > > I'm struggling with the top-line "RECOMMENDED" guidance. The subsequent > > text says that it is "MUST" for asynchronous ("delayed response") messages. > > This is true in a number of other cases where the top-level field is defined as > > OPTIONAL or RECOMMENED, but the underlying guidance says that it is > required > > (MUST) under certain circumstances. Perhaps explain that approach. > > [HB] This looks like a contradiction. In Section 3 we want to express the main > line. In Sections 4 and 5 there may be further requirements specified that apply > in a specific case together with some general guidance. > We will add a paragraph explaining this to Section 3. > > NEW > Note: In the description of CMP messages, the presence of some fields is > stated > as OPTIONAL or RECOMMENDED. The following text may state requirements > on the > same fields apply only if the field is present. > > Change to Section 3.1 > OLD > recipNonce RECOMMENDED > -- If this is the first message of a transaction: SHOULD be > -- absent > NEW > recipNonce RECOMMENDED > -- If this is the first message of a transaction: MUST be > -- absent > > > > > ** Section 3.2. > > Any > > included keyUsage extension SHOULD allow digitalSignature. > > > > What would be the situation where the keyUsage couldn't include > > digitalSignature? Why can't this be a MUST? > > [HB] Right > OLD > Any > included keyUsage extension SHOULD allow digitalSignature. > NEW > If > the keyUsage extension is present, it MUST include digitalSignature. > > > > > ** Section 3.2. > > > > Generally, CMP messages MUST be protected, but there are cases where > > protection of error messages specified in Section 3.6.4 is not > > possible and therefore MAY be omitted. > > > > Recommend restating this text so it doesn't mix a MUST and MAY. Perhaps: > > > > All CMP messages but those carrying error messages MUST be protected. > CMP > > error messages SHOULD be protected when possible. See Section 3.6.4 for > use > > cases where this would not be possible. > > [HB] Thank you for this proposal. I take your proposal. > > > > > ** Section 3.5. Given that error messages might not be protected: > > > > OLD > > The message protection MUST be validated: > > > > NEW > > The message protection MUST be validated when present: > > [HB] Proposal: > OLD > * The message protection MUST be validated: > - The protection MUST be signature-based except if > o MAC-based protection is used as described in Section 4.1.5 > and Section 4.1.6.3 or > o protection is omitted in certain error messages as described > in Section 3.6.4. > NEW > * Messages without protection MUST be rejected except for error > messages as described in Section 3.6.4. > * The message protection MUST be validated when present and messages > with an invalid protection MUST be rejected. > - The protection MUST be signature-based except if MAC-based > protection is used as described in Section 4.1.5 and Section > 4.1.6.3. > > > > > ** Section 3.5. The text in Section 3.1. says that the senderKID MUST point to > the > > key material (but the presence of that field is optional under many > > circumstances). > > > > OLD > > The senderKID SHOULD identify the key material used for > > verifying the message protection. > > > > NEW > > If present, the senderKID MUST identify the key material used for verifying > the > > message protection. > > [HB] Thanks, will be changed > OLD > - The senderKID SHOULD identify the key material used for > verifying the message protection. > NEW > - If present, the senderKID MUST identify the key material > needed for verifying the message protection. > > > > > ** Section 3.5. Should validation guidance around the implicitConfirm value > be > > stated? > > [HB] This section only covers the generic validation aspects, while generalInfo > field contents (to which implicitConfirm belongs) are typically dependent on > the > message type. Therefore, guidance on handling these fields are given in the > respective sections below. Moreover, we already state that contents of this > field should be handled gracefully. > > > > > ** Section 3.5. > > > > If the messageTime is present, it SHOULD be close to the current > > time. (failInfo bit: badTime) > > > > Can any generic guidance be given for what this threshold of "close" should > be? > > If not, add that the value set for this time threshold will be vary by use case. > > [HB] Good point. RFC4210 says that > The messageTime field contains the time at which the sender created > the message. This may be useful to allow end entities to correct/ > check their local time for consistency with the time on a central > system. > and > messageTime time of production of message > -- current time at requesting CA > > Therefore, I propose the following change: > OLD > * If the messageTime is present, it SHOULD be close to the current > time. (failInfo bit: badTime) > NEW > * If the messageTime is present and > - the receiving system has a reliable system time, the messageTime > SHOULD be close to the current time of the receiving system, > where the threshold will vary by use case. (failInfo bit: badTime) > - the receiving system does not have a reliable system time, the > messageTime MAY be used for time synchronization. > > > > > ** Section 3.6.1 > > > > In case > > they expect a further message from the EE, a connection interruption > > or timeout will occur. > > > > Are timeouts timed to standardized protocol behavior or will they be > > application/use case specific in the case of asynchronous exchanges? > > [HB] Timeouts will be application/use case specific. > OLD > In case > they expect a further message from the EE, a connection interruption > or timeout will occur. > NEW > In case > they expect a further message from the EE, a connection interruption > or timeout will occur. The value set for such timeouts will vary by > use case. > > > > > ** Section 4.1.1 > > > > If the EE > > successfully received the certificate, it MUST send a certConf > > message in due time. > > > > What is a recommended timer for "due time"? If this if application or use > case > > specific, please say that. > > [HB] this is a good point. Finally, it is an application / use case specific time > the CA is intended to wait. > Using the confirmWaitTime the CA could add to the header of the response > message to > let the EE know for how long it intends to wait for a certConf. > To reduce complexity, we did not specify this option, but potentially we should > do so. > We could add in Section 3.1 to the generalInfo in the PKIHeader: > NEW > confirmWaitTime OPTIONAL > -- RECOMENDED in ip/cp/kup messages if implicitConfirm is > -- not included > -- PROHIBITED if implicitConfirm is included > -- See [RFC4210] Section 5.1.1.2. > ConfirmWaitTimeValue REQUIRED > -- ConfirmWaitTimeValue MUST be a GeneralizedTime value specifying > -- the point in time up to which the PKI management entity will > -- wait for the certConf message. The accepted length of the > -- waiting period will vary by use case. > > In addition to this change I propose the following changes: > > Section 4.1.1 > OLD > In case the PKI management entity does not need any explicit > confirmation from the EE, it MUST include the extension as described > in Section 3.1. This prevents explicit certificate confirmation and > saves the overhead of a further message round-trip. > NEW > In case the PKI management entity does not need any explicit > confirmation from the EE, it MUST include the generalInfo field > implicitConfirm. Otherwise, it SHOULD include confirmWaitTime as > described in Section 3.1. This prevents explicit certificate > confirmation and saves the overhead of a further message round-trip. > > Section 5.1.1 > OLD > Note: If the EE requested omission of the certConf message, the PKI > management entity SHOULD handle it as described in Section 4.1.1 and > therefore MAY grant this by including the implicitConfirm extension > in the response header. > NEW > Note: If the EE requested omission of the certConf message, the PKI > management entity SHOULD handle it as described in Section 4.1.1. > Therefore, it MAY grant this by including the implicitConfirm > generalInfo field or include the confirmWaitTime in the response header. > > > > > ** Section 4.1.4. > > ... using a legacy PKCS#10 [RFC2986] request > > > > Why is RFC2986 characterized as "legacy"? In IETF standards parlance, it is > not. > > [HB] You are right, this is not precise. RFC4210 states in Section 5.3.3 > Alternatively, the PKIBody MAY be a CertificationRequest (this > structure is fully specified by the ASN.1 structure > CertificationRequest given in [PKCS10]). This structure may be > required for certificate requests for signing key pairs when > interoperation with legacy systems is desired, but its use is > strongly discouraged whenever not absolutely necessary. > This means that p10cr may be used to interoperate to legacy CA. > OLD > This PKI management operation can be used by an EE to request a > certificate using a legacy PKCS#10 [RFC2986] request instead of CRMF > [RFC4211]. > NEW > This PKI management operation can be used by an EE to request a > certificate using PKCS#10 [RFC2986] format to interoperate with > CAs not supporting CRMF [RFC4211]. > > > > > ** Section 4.1.5. The CMP Message Header guidance in Section 3.1. says that > > "In case a message has MAC-based protection the changes are described in > > Section 4.1.5. The variations will affect the fields sender, protectionAlg, and > > senderKID.". This section provides guidance on senderKID. > > > > It is silent on how to populate sender. > > [HB] Good point. > OLD > 2 The senderKID MUST contain a reference the recipient can use to > identify the shared secret information used for the protection, > e.g., the username of the EE. > NEW > 2 In case the sending entity does not know its own name by now, it MUST > put the NULL-DN into the sender field. The senderKID MUST contain a > reference the recipient can use to identify the shared secret > information used for the protection, e.g., the username of the EE. > > > > > Per protectionAlg, it says: > > > > See Section 6 of CMP Algorithms [I-D.ietf-lamps-cmp-algorithms] for > > details on message authentication code algorithms (MSG_MAC_ALG) to > > use. > > > > I was expecting something stronger: The value of protectionAlg MUST be an > > MSG_MAC_ALG algorithm specified in [I-D.ietf-lamps-cmp-algorithms]? > > [HB] As CMP Algorithms is not supposed to be a complete list of allowed > algorithms, I think this wording is fine. > See CMP Algorithms Section 7.2 > The following table contains definitions of algorithms which MAY be > supported by implementations of the Lightweight CMP Profile > [I-D.ietf-lamps-lightweight-cmp-profile]. > > As the set of algorithms to be used for implementations of the > Lightweight CMP Profile heavily depends on the PKI management > operations implemented, the certificates used for message > protection, and the certificates to be managed, this document will > not specify a specific set that is mandatory to support for > conforming implementations. > > > > > ** Section 4.1.5. > > > > The PKI management entity checking the MAC- > > based protection SHOULD replace this protection according to > > Section 5.2.3 in case the next hop does not know the shared secret > > information. > > > > What is the alternative suggested by the SHOULD on following the > procedures > > of Section 5.2.3? Is it failing and sending back an error? > > [HB] We use SHOULD because the PKI management entity may not know > whether the > next hop knows the shared secret. If the next hop does not know the needed > shared secret, it will send back an error. > > > > > ** Section 4.1.6. > > > > This PKI management > > entity MUST use a certificate containing the additional extended key > > usage extension id-kp-cmKGA in order to be accepted by the EE as a > > legitimate key generation authority. > > > > Should the EE consider the response invalid if it doesn't see the id-kpcmKGA > > EKU? > > [HB] Further guidance for the EE on KGA certificate validation comes later in > the text: > The EE SHOULD validate the > signer certificate contained in the SignedData structure and verify > the presence of this extended key usage in the signer certificate. > > Note: When using password-based key management technique as described > in Section 4.1.6.3 it may not be possible or meaningful to the EE to > validate the KGA signature and the related certificate in the > SignedData structure since shared secret information is used for > initial authentication. In this case the EE MAY omit this > validation. > > But we could change accepted-> acceptable her > OLD > This PKI management > entity MUST use a certificate containing the additional extended key > usage extension id-kp-cmKGA in order to be accepted by the EE as a > legitimate key generation authority. > NEW > This PKI management > entity MUST use a certificate containing the additional extended key > usage extension id-kp-cmKGA in order to be acceptable by the EE as a > legitimate key generation authority. > > > > > ** Section 4.1.6 > > > > Note: When performing central key generation for a certificate > > update, the KGA cannot use the old EE credentials for protection. > > Therefore, the PKI management operation described in Section 4.1.2 > > SHOULD be used instead of Section 4.1.3 to request a certificate for > > the newly generated key pair on behalf of the EE. > > > > Should the use of procedure in Section 4.1.3 be explicitly prohibited in this > KGA > > use case? > > [HB] When changing the text, I would also propose not to declare it as 'Note'. > OLD > Note: When performing central key generation for a certificate > update, the KGA cannot use the old EE credentials for protection. > Therefore, the PKI management operation described in Section 4.1.2 > SHOULD be used instead of Section 4.1.3 to request a certificate for > the newly generated key pair on behalf of the EE. > NEW > When an EE requests central key generation for a certificate update > using a kur message, the KGA cannot use a kur message to request the > certificate on behalf of the EE as the old EE credential is not > available to the KGA for protecting this message. Therefore, if the > EE uses the PKI management operation described in Section 4.1.3, the > KGA MUST use Section 4.1.2 to request the certificate for the newly > generated key pair on behalf of the EE from the CA. > > > > > ** Section 4.1.6. Typo. > > > > OLD > > and support of key transport and > > password-based key management techniques are OPTION > > > > NEW > > and support of key transport and password-based key management > techniques > > are OPTIONAL > > [HB] Thank you, will change it > > > > > ** Section 4.1.6 > > > > The password- > > based key management technique shall only be used in combination with > > MAC-based protection, which is a sideline in this document. > > > > What does it mean for MAC-based protection to be "a sideline"? > > [HB] In Section 1.6 we state > * signature-based protection is the default protection; an initial > PKI management operation may also use MAC-based protection, > If it confuses the reader, we can easily delete 'which is a sideline in > this document' and use normative language. > OLD > The password- > based key management technique shall only be used in combination with > MAC-based protection, which is a sideline in this document. > NEW > The password- > based key management technique SHALL only be used in combination with > MAC-based protection. > > > > > ** Section 4.1.6. Why is "privateKey" OPTIONAL"? > > [HB] Right. In a general response message, as define in Section 4.1.1 it > is OPTIONAL, but here it is REQUIRED. > OLD > privateKey OPTIONAL > NEW > privateKey REQUIRED > > > > > ** Section 4.1.6. Editorial. > > > > encryptedContentInfo > > REQUIRED > > ... > > contentEncryptionAlgorithm > > REQUIRED > > > > The cardinality of these fields is on a separate line from the field name > > [HB] I used indentation and the field names are long. Therefore, I could not > place the cardinality into the same line without further indentation. > This is a similar solution as in the ASN.1 module in RFC4210 Appendix F, e.g., > PKIMessage ::= SEQUENCE { > header PKIHeader, > body PKIBody, > protection [0] PKIProtection OPTIONAL, > extraCerts [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate > OPTIONAL > } > or > CertRepMessage ::= SEQUENCE { > caPubs [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate > OPTIONAL, > response SEQUENCE OF CertResponse > } > But I am open for a different formatting if it eases reading. > > > > > ** Section 4.1.6. Typo. s/ see and [RFC8933]/see [RFC8933]/ > > [HB] Thank you > OLD > -- algorithm specified in signatureAlgorithm, see and [RFC8933] > NEW > -- algorithm specified in signatureAlgorithm, see [RFC8933] > > > > > ** Section 4.1.6. > > > > digestAlgorithm > > REQUIRED > > -- MUST be the same as in digestAlgorithms > > > > > > Perhaps "MUST be the same as in the digestAlgorithms field of > > encryptedContent" > > [HB] Good point > OLD > -- MUST be the same as in digestAlgorithms > NEW > -- MUST be the same as in the digestAlgorithms field of > -- encryptedContent > > > > > ** Section 4.1.6.1. Per "-- MUST be used when 1-pass ECMQV is used", > please > > cite RFC3278. > > [HB] OK > OLD > -- MUST be used when 1-pass ECMQV is used > NEW > -- MUST be used when 1-pass ECMQV is used, see [RFC3278] > > > > > ** Section 4.2. Editorial. s/In case no generic error occurred/In the case that > no > > generic error occurred,/ > > [HB] Yes > OLD > In case no generic > error occurred the response to the rr MUST be an rp message > containing a single status field. > NEW > In the case no generic > error occurred, the response to the rr MUST be an rp message > containing a single status field. > > > > > ** Section 4.3. Editorial. > > > > OLD > > In the following the aspects common to all general messages (genm) > > and general response (genp) messages are described. > > > > NEW > > The following message flow is common to all general messages (genm) and > > general response (genp) messages. > > [HB] With adaptations > OLD > In the following the aspects common to all general messages (genm) > and general response (genp) messages are described. > NEW > The following message flow and contents are common to all general > message (genm) and general response (genp) messages. > > > > > ** Section 4.3.1 > > > > OLD > > -- MUST be present if CA certificates are available > > -- MUST be a sequence of CMPCertificate > > > > NEW > > -- MUST be present if CA certificates are available > > -- if present, MUST be a sequence of CMPCertificate > > [HB] Good point, will change it accordingly > > > > > ** Section 4.3.4. > > > > if available, the > > thisUpdate time of the most current CRL instance it already has, as > > specified in CMP Updates Section 2.16 [I-D.ietf-lamps-cmp-updates]. > > > > The reference should be Section 2.17 of cmp-updates. > > [HB] Thank you for spotting this! > > > > > ** Section 4.3.4 > > > > (a) If no thisUpdate value was given by the EE, the PKI > > management entity MUST return the latest CRL available. > > > > (b) If a > > thisUpdate value was given, the PKI management entity MUST return the > > latest available CRL in case this CRL is more recent, otherwise the > > infoValue in the response message MUST be absent. > > > > Given the above guidance, the role of the thisUpdate field isn't clear. The > > guidance around (a) is clear - if the requestor doesn't have a thisUpdate, send > > back the latest CRL. However, my read of the text for (b) is that the PKI > > management entity will check the thisUpdate is received but still return the > > latest CRL just in case. That seems identical to the behavior in (a), so why the > > distinction and why bother even sending the thisUpdate if the new CRL is > always > > returned? I was expecting that if the last updated version of the CRL is before > > the thisUpdate in the request, the PKI management entity wouldn't send > > anything back. > > [HB] Your expectation is right, the PKI management entity should only send the > latest CRL, if it is younger than thisUpdate. I tried to express this with 'in > case this CRL is more recent'. > Is my below proposal more clear? > OLD > If a > thisUpdate value was given, the PKI management entity MUST return the > latest available CRL in case this CRL is more recent, otherwise the > infoValue in the response message MUST be absent. > NEW > If a > thisUpdate value was given, the PKI management entity MUST return the > latest available CRL if this CRL has a more recent thisUpdate time. > Otherwise, the infoValue in the response message MUST be absent. > > > > > ** Section 4.3.4. Typo. s/provided form the/provided from the/ > > [HB] Thank you for spotting this. > > > > > ** Section 4.3.4. What is the difference between the normative guidance in > > these two sentences of this section? > > > > -- The EE MUST identify the requested CRL either by its CRL distribution > > point name or issuer name. > > > > -- In addition to the prerequisites specified in Section 3.4, the EE > > MUST know which CRL to request. > > > > Are both needed? > > [HB] You are right, it is partly redundant. > A paragraph like the second sentence you listed, is present in every > sub-section of Section 4 to express the deviations to the generic PKI > management operations prerequisites specified in Section 3.4. > > > > > ** Section 4.3.4. In considering how the EE gets the value of the thisUpdate > > timestamp to use in the transaction described in this section -- if the PKI > > management entity does NOT return a thisUpdate, what should the EE do? > > Does the EE store a timestamp of when it got it response and declare that the > > thisUpdate value, or does it store this empty value? > > [HB] The EE is supposed to provide the thisUpdate time of the latest CRL it > has. > If it does not have any instance of that CRL, it omits the field. > > This should have been expressed by this sentence: > The EE MUST include > the CRL source identifying the requested CRL and, if available, the > thisUpdate time of the most current CRL instance it already has, as > specified in CMP Updates Section 2.16 [I-D.ietf-lamps-cmp-updates]. > > To make it even more explicit, I propose the following change. > OLD > thisUpdate OPTIONAL > -- SHOULD contain the thisUpdate field of the latest CRL form > -- the issuer specified in the given dpn or issuer field, > -- in case such a CRL is already known by the EE > NEW > thisUpdate OPTIONAL > -- SHOULD contain the thisUpdate field of the latest CRL the EE > -- has got from the issuer specified in the given dpn or > -- issuer field, > -- MUST be omitted if the EE does not have any instance of the requested > CRL > > > > > ** Section 5.1 > > > > In addition to the checks described in Section 3.5, the responding > > PKI management entity SHOULD check that a request that initiates a > > new PKI management operation does not use a transactionID that is > > currently in use. > > > > Should this be a MUST? Why would reuse of the transactionID be > acceptable? > > [HB] RFC4210 does not strictly require uniqueness of transactionIDs, but it > makes sense that this profile does. > OLD > PKI management entity SHOULD check that a request that initiates a > NEW > PKI management entity MUST check that a request that initiates a > > > > > ** Section 5.1. > > > > The responding PKI management entity SHOULD copy the sender field of > > the request to the recipient field of the response ... > > > > Again, should this be a MUST? Is this because the RA might use the CA's > value > > for the sender field? > > [HB] the sender and recipient fields in the PKIHeader are of no practical use. > They are required mainly for backward compatibility with CMP V1. > Therefore, this profile provides guidance how to populate them using a > SHOULD > but not a MUST, see also Section 3.1. > > > > > ** Section 5.1.1. Similar comment to Section 5.1.2 and 5.1.3. > > > > The PKI management entity SHOULD check the message body according to > > the applicable requirements from Section 4.1. > > > > Are you should you need normative language here? It seems confusing to say > > that implementers "SHOULD" only (but not MUST) check that the protocol > data > > is following the normative language already described. > > [HB] You are right, it should be a MUST here > OLD > The PKI management entity SHOULD check the message body according to > the applicable requirements from Section 4.1. > NEW > The PKI management entity MUST check the message body according to > the applicable requirements from Section 4.1. > > > > > ** Section 5.1.1. Editorial. > > > > OLD > > The PKI management entity SHOULD perform also ... > > > > NEW > > The PKI management entity SHOULD also perform ... > > [HB] I will update that > > > > > ** Section 5.1.1. > > > > If the requested certificate is available, the PKI management entity > > MUST respond with a positive ip/cp/kup message as described in > > Section 4.1. > > > > Isn't this a normative restatement of what was normatively already said in > > Section 5.1.1? > > [HB] I do not fully understand this comment. Do you mean 'normatively already > said in Section 4.1'? > The point here is that in case the cert is available, the PKI management entity > must not send anything else, such as a negative response. > > > > > ** Section 5.2 > > > > A PKI management entity SHOULD NOT change the received message unless > > necessary. The PKI management entity SHOULD only update the message > > protection and the certificate template in a certificate request > > message if this is technically necessary. > > > > Can the intent to implementors be made clear. "Necessary" or "technically > > necessary" judged by whom? It's unlikely that a PKI management would > > randomly change something in the message so the changes it would make > > would be intentional. > > [HB] OK, we should make the intention clearer. > OLD > A PKI management entity SHOULD NOT change the received message unless > necessary. The PKI management entity SHOULD only update the message > protection and the certificate template in a certificate request > message if this is technically necessary. Concrete PKI system > specifications may define in more detail when to do so. > NEW > A PKI management entity SHOULD NOT change the received message unless > its role in the PKI system requires it. This is because changes to > the message header or body imply re-protection and changes to the > protection breaks end-to-end authentication of the message source, > and changes to the certificate template in a certificate request > breaks proof-of-possession. More details are available in the > following sub-sections. Concrete PKI system specifications may define > in more detail when to do so. > > > > > ** Section 5.2.2.1 > > > > The PKI management entity wrapping the original request message in a > > nested message structure MUST take over the recipient, recipNonce, > > and transactionID of the original message to the nested message and > > apply signature-based protection. > > > > Can the actions involved in "take over" these fields be described? Does this > > amount to the PKI management entity terminating the transaction and > issuing a > > new transaction upstream? > > [HB] What about this rephrasing > OLD > The PKI management entity wrapping the original request message in a > nested message structure MUST take over the recipient, recipNonce, > and transactionID of the original message to the nested message and > apply signature-based protection. > NEW > The PKI management entity wrapping the original request message in a > nested message structure MUST copy the values of the recipient, > recipNonce, and transactionID header fields of the original message to > the respective header fields of the nested message and apply > signature-based protection. > > > > > ** Section 5.2.2.2. Element of this use case description seem to conflict. > > > > (a) In this use case, > > nested messages are used both on the upstream interface towards the > > next PKI management entity and on the downstream interface from the > > PKI management entity towards the EE. > > > > (b) If the RA needs different routing > > information per nested PKI management message a suitable mechanism > > may need to be implemented. > > > > The text in (a) seems to suggest that if an RA accepts a batch downstream is > will > > then batch upstream. However, (b) seems to suggest that each message will > be > > unpacked and routed as is appropriate. > > [HB] I will rephrase the text. > > OLD > In this use case, > nested messages are used both on the upstream interface towards the > next PKI management entity and on the downstream interface from the > PKI management entity towards the EE. > NEW > In this use case, > nested messages are used both on the upstream interface towards the > next PKI management entity and by that entity on its downstream > interface. > > and > > OLD > If the RA needs different routing > information per nested PKI management message a suitable mechanism > may need to be implemented. > NEW > If the RA needs different routing > information per nested PKI management message provided upstream, a > suitable mechanism may need to be implemented to ensure that the > downstream delivery of the response is done to the right requester. > > > > > ** Section 5.2.2.2 > > > > While building the upstream nested message the PKI management entity > > SHOULD store the sender, transactionID, and senderNonce fields of all > > bundled messages together with the transactionID of the upstream > > nested message. > > > > If it doesn't store this information how could it support polling? Shouldn't > this > > be a MUST? > > [HB] Right > OLD > While building the upstream nested message the PKI management entity > SHOULD store the sender, transactionID, and senderNonce fields of all > bundled messages together with the transactionID of the upstream > nested message. > NEW > While building the upstream nested message the PKI management entity > MUST store the sender, transactionID, and senderNonce fields of all > bundled messages together with the transactionID of the upstream > nested message. > > And an editorial correct in the next paragraph: > OLD > When it forwards the unbundled responses, any > extra messages SHOULD be dropped, and any missing response message > (failInfo bit: systemUnavail) MUST be answered with an error message > to inform the respective requester about the failed certificate > management operation. > NEW > When it forwards the unbundled responses, any > extra messages MUST be dropped, and any missing response message > MUST be answered with an error message (failInfo bit: systemUnavail) > to inform the respective requester about the failed certificate > management operation. > > > > > ** Section 5.2.3. > > > > Before replacing the existing protection by a new protection, the PKI > > management entity MUST verify the protection provided and approve its > > content, > > > > Will an intermediate PKI management entity always be in a position to > "approve > > the content"? What kind of verification satisfies "approval"? Is this is the > same > > as the prerequisites noted in Section 5.2.3.1? > > [HB] Finally the required approval steps are solution specific. When replacing > the protection by an RA, the original data origin authentication gets lost. > Therefore, the RA must be in the position to do the approval. May be this > rephrasing helps. > OLD > Before replacing the existing protection by a new protection, the PKI > management entity MUST verify the protection provided and approve its > content, including any modifications that it may perform. It MUST > also check that the sender, as authenticated by the message > protection, is authorized for the given operation. > NEW > Before replacing the existing protection by a new protection, the PKI > management entity MUST > * validate the protection of the received message, > * check the content of the message, > * do any modifications that it may want to perform, and > * check, that the sender of the original message, as > authenticated by the message protection, is authorized for > the given operation. > > > > > ** Section 5.2.3 > > > > When an intermediate PKI management entity modifies a message, it > > SHOULD NOT change the transactionID nor the sender and recipient > > nonces. > > > > This guidance doesn't seem to square against Section 4 explicitly saying that > > (i.e., that they MUST NOT): > > > > Note: All CMP messages belonging to the same PKI management operation > > MUST have the same transactionID because the message receiver > > identifies the elements of the operation in this way. > > > > Are the transactions between the EE-to-Intermediate-PKI considered different > > than Intermediate-PKI-to-Next-PKI-element? > > [HB] Good Point. It should be MUST NOT here. > To properly forward the response, it is crucial that the transactionID, sender > nonce, and recipient nonce are identical. > > OLD > When an intermediate PKI management entity modifies a message, it > SHOULD NOT change the transactionID nor the sender and recipient > nonces. > NEW > When an intermediate PKI management entity modifies a message, it > MUST NOT change the transactionID, the senderNonce, or the > recipNonce - apart from the exception for the recipNonce > given in Section 5.1.5. > > > > > ** Section 5.2.3.1. It would have been useful to see the examples of what it > > means to "break a proof of possession" in this session where the idea is first > > introduced rather than in Section 5.2.3.2. > > [HB] > OLD > This variant of forwarding a message means that a PKI management > entity forwards a CMP message with or without modifying the message > header or body while preserving any included proof-of-possession. > NEW > This variant of forwarding a message means that a PKI management > entity forwards a CMP message with or without modifying the message > header or body while preserving any included proof-of-possession. > > Note: A signature-based proof-of-possession of a certificate request > will be broken if any field in the certTemplate structure is changed. > > > > > ** Section 5.3.1. Typo. s/A PKI management entity may use on of/A PKI > > management entity may use one of/ > > [HB] Thank you > > > > > ** Section 5.3.1 > > > > In the latter > > case it SHOULD verify the received proof-of-possession. > > > > Under what circumstances would one not want to verify the PoP? > > [HB] Good point. As long as the PoP in the new request message sent upstream > is > intact, e.g., the format (PKCS#10 or CRMF) and certificate request content is > not > changed, the RA is not necessarily required to verify the PoP. In case the PoP > gets > broken, e.g., by transcoding from a PKCS#10 request to a CRMF request, the > PoP MUST > be verified. > OLD > It either generates the key pair itself and > inserts the new public key in the subjectPublicKey field of the > request certTemplate, or it uses a certificate request received from > downstream, e.g., by means of a different protocol. In the latter > case it SHOULD verify the received proof-of-possession. > NEW > It either generates the key pair itself and > inserts the new public key in the subjectPublicKey field of the > request certTemplate, or it uses a certificate request received from > downstream, e.g., by means of a different protocol. In the latter > case it MUST verify the received proof-of-possession if this proof > breaks, e.g., due to transformation from PKCS#10 to CRMF certificate > request format. > > > > > ** Section 6. If there a formal definition of a "CMP client component" and > > "CMP server component"? If not, perhaps "CMP client component (e.g., an > EE > > or an RA communicating with a CA)". > > [HB] We made the wording more explicit. > > OLD > To > prevent waiting indefinitely, each CMP client component SHOULD use a > configurable per-request timeout, and each CMP server component > SHOULD use a configurable per-response timeout in case a further > Request message is to be expected from the client side within the > same transaction. > NEW > To > prevent waiting indefinitely, each CMP client SHOULD use a > configurable per-request timeout, and each PKI entity that sends CMP > requests SHOULD use a configurable per-request timeout, and each PKI > management entity that handles CMP requests SHOULD use a configurable > per-response timeout in case a further request message is to be > expected from the client side within the same transaction. > > > > > ** Section 6. > > > > The transport layer itself may cause delays, for instance due to > > offline transport, network segmentation, or intermittent network > > connectivity. Part of these issues can be detected and handled at > > CMP level using pollReq and pollRep messages as described in > > Section 4.4, while others are better handled at transfer level. > > > > The first sentence says "transport layer" but the second sentence says > "transfer > > level." Is there a meaningful distinction being made? If not, please use the > > same term. Otherwise, define the difference. > > [HB] Maybe we are wrong, but we refer to TCP and UDP as transport layer > protocols > and, e.g., HTTP as an example for a transfer level protocol on application layer. > RFC6712 uses the term transfer level or transfer protocols. Therefore, we > usually > use this term in the draft as well. > Where I use transport protocol or transport layer, I specifically refer to it. > For more clarity we will update the following sentence. > > OLD > HTTP SHOULD > and CoAP MAY be used for online transfer. > NEW > HTTP SHOULD > be used and CoAP MAY be used for online transfer of CMP messages > on application layer. > > > > > ** Section 6. > > > > Long timeout periods are helpful to minimize the need for > > polling and maximize chances to handle transfer issues at lower > > levels. > > > > Is this assertion true because an EE would not poll if the connection making > the > > request is still open? If so, that isn't clear from the profile. > > [HB] What we wanted to say is, that if long timeout periods are used, the > chance > is higher that the response will be received, even if there are technical issues > to deliver the message. > With a short timeout, the client may terminate the PKI management operation. > Polling > will anyhow only be initiated if the client receives a response containing the > status > "waiting". This could happen if the server realizes the connection has timed out > but > there is no response from upstream. But this is not the important point here. > With regard to your previous comment, I anyhow propose this change: > OLD > Note: Long timeout periods are helpful to minimize the need for > polling and maximize chances to handle transfer issues at lower > levels. > NEW > Note: Long timeout periods are helpful to maximize chances to > handle minor delays at lower layers without the need for polling. > > > > > ** Section 6. > > > > Note: When using TCP and similar reliable connection-oriented > > transport protocols, which is typical in conjunction with HTTP, there > > is the option to keep the connection alive over multiple request- > > response message pairs. This may improve efficiency, though is not > > required from a security point of view. > > > > I don't follow the security argument for doing multiple request-response pairs > in > > a single connection vs. multiple ones. It's clear that it doesn't apply here but > the > > text is cautioning that it might apply someplace else and the reader shouldn't > be > > confused. What is that other use case? > > [HB] You are right. It is unrelated here. > OLD > This may improve efficiency, though is not > required from a security point of view. > NEW > This may improve efficiency. > > > > > ** Section 6.1. > > > > PKI management operations SHOULD use URI paths consisting of '/.well- > > known/cmp/' or '/.well-known/cmp/p/<name>/' as specified in CMP > > Updates Section 3.3 [I-D.ietf-lamps-cmp-updates]... > > > > Is the guidance here on well-known intentionally different than draft-ietf- > lamps- > > cmp-updates. In that document CMP implementations "MUST support the > use > > of the path prefix '/.well-known/' ..." - that is, there is an MTI of using .well- > > known. Here the text allows for using something other than .well-known (but > > implicitly a compliant CMP implementation would still have to support .well- > > known). What is the outcome desired - an MTI or .well-known but potentially > > using something else? > > [HB] Right > OLD > PKI management operations SHOULD use URI paths consisting of '/.well- > known/cmp/' or '/.well-known/cmp/p/<name>/' as specified in CMP > Updates Section 3.3 [I-D.ietf-lamps-cmp-updates] followed by an > operation label depending on the type of PKI management operation. > NEW > PKI management operations MUST use URI paths consisting of '/.well- > known/cmp/' or '/.well-known/cmp/p/<name>/' as specified in CMP > Updates Section 3.3 [I-D.ietf-lamps-cmp-updates]. It SHOULD be followed > by an operation label depending on the type of PKI management operation. > > > > > ** Section 6.1. Per the discussion on using TLS > > -- would the recommendations of draft-ietf-uta-rfc7525bis apply? > > [HB] Yes > OLD > TLS SHOULD be used with certificate-based authentication to further > protect the HTTP transfer as described in [RFC2818]. > NEW > TLS SHOULD be used with certificate-based authentication to further > protect the HTTP transfer as described in [RFC9110]. In addition, > the recommendations provided in [draft-ietf-uta-rfc7525bis] SHOULD > be considered. > > I also propose to perform similar changes to Section 6.2OLD > Like for HTTP transfer , to offer a second line of defense or to > provide hop-by-hop privacy protection, DTLS MAY be utilized as > described in CMP over CoAP [I-D.ietf-ace-cmpv2-coap-transport]. > NEW > Like for HTTP transfer, to offer a second line of defense or to > provide hop-by-hop privacy protection, DTLS MAY be utilized as > described in CMP over CoAP [I-D.ietf-ace-cmpv2-coap-transport]. > If DTLS is utilized, the same boundary conditions (peer > authentication, etc.) as stated for TLS to protect HTTP transfer > in Section 6.1 apply to DTLS likewise. > > > > -- should the provisioning of client certifications and PSKs be declared out of > > scope > > [HB] Yes, I will add a note not at the end of Section 6.1 and 6.2. > NEW > Note: The provisioning of client certificates and PSKs is out of > scope of this document. > > > > > ** Section 7.1. Per RevROnB, should one be concerned that a RA and CA > might > > not support revocation. Let's presuppose a system was compromised, and > > incident response is being performed and the device is not involved. The > > procedures in Section 5.3.2 would need to be invoked. If they aren't an > option, > > what would be the alternative? > > [HB] The alternative would be to do revocation on the CA without using CMP, > for instance, using a local admin interface. But this is out of scope of this > document and therefore not explicitly listed. We will ad an additional footnote > to clarify this. > > NEW > 3) An alternative would be to perform revocation at the CA > without using CMP, for instance using a local administration > interface. > > > > > ** Section 7.2. Normative guidance on HTTP. > > > > (a) Table 4: HTTP is a SHOULD for EE, RA, and CA > > > > (b) Section 7.2: HTTP transfer is RECOMMENDED to use for all PKI entities > > > > (c) Section 6: HTTP SHOULD and CoAP MAY be used for online transfer. > > > > Can these be harmonized? > > [HB] I do not see a contradiction. But I propose the following changes. > > Delete 'HTTP SHOULD and CoAP MAY be used for online transfer.' in Section 6. > > Section 7.2 > OLD > HTTP transfer is RECOMMENDED to use for all PKI entities for > maximizing general interoperability at transfer level, yet full > flexibility is retained to choose whatever transfer mechanism is > suitable, for instance for devices and system architectures with > specific constraints. > NEW > HTTP SHOULD be supported and CoAP MAY be supported at all PKI > entities for maximizing general interoperability at transfer > level. Yet full flexibility is retained to choose whatever > transfer mechanism is suitable, for instance for devices and > system architectures with specific constraints. > > > > > ** Per IDNits: > > > > -- Obsolete informational reference (is this intentional?): RFC 2818 > > (Obsoleted by RFC 9110) > > > > I believe that RFC2818 can be safely replaced with RFC9110. > > [HB] RFC9110 explicitly specifies use of TLS 1.3. For backward compatibility > Section 6.1 also allows for TLS 1.2. But I think this should not hinder switching > from RFC2818 to RFC9110, right? > > _______________________________________________ > Spasm mailing list > Spasm@ietf.org > https://www.ietf.org/mailman/listinfo/spasm
- [lamps] AD Review of draft-ietf-lamps-lightweight… Roman Danyliw
- Re: [lamps] AD Review of draft-ietf-lamps-lightwe… Brockhaus, Hendrik
- Re: [lamps] AD Review of draft-ietf-lamps-lightwe… Brockhaus, Hendrik
- Re: [lamps] AD Review of draft-ietf-lamps-lightwe… Roman Danyliw
- Re: [lamps] AD Review of draft-ietf-lamps-lightwe… Brockhaus, Hendrik