IETF Logo Mail Archive

Re: [lamps] Call For Adoption of cmp-updates and lightweight-cmp-profile

Michael Richardson <mcr+ietf@sandelman.ca> Tue, 07 January 2020 20:35 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C99291200B3 for <spasm@ietfa.amsl.com>; Tue, 7 Jan 2020 12:35:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y0tGJPSFBUil for <spasm@ietfa.amsl.com>; Tue, 7 Jan 2020 12:35:41 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C2A46120025 for <spasm@ietf.org>; Tue, 7 Jan 2020 12:35:40 -0800 (PST)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 2D8243897D for <spasm@ietf.org>; Tue, 7 Jan 2020 15:35:17 -0500 (EST)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 6E93060A for <spasm@ietf.org>; Tue, 7 Jan 2020 15:35:37 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: LAMPS WG <spasm@ietf.org>
In-Reply-To: <7442575F-61A0-43DF-B674-D1E9F8287317@vigilsec.com>
References: <157429966624.922.6336772483106473689.idtracker@ietfa.amsl.com> <7442575F-61A0-43DF-B674-D1E9F8287317@vigilsec.com>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Tue, 07 Jan 2020 15:35:37 -0500
Message-ID: <32139.1578429337@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/LFAWq6El77wMtAE4kVdF6Ni39Ro>
Subject: Re: [lamps] Call For Adoption of cmp-updates and lightweight-cmp-profile
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jan 2020 20:35:45 -0000

I support adopting
  - draft-brockhaus-lamps-cmp-updates

with the following (non-blocking) comments:
  * I find that section 3 lacks motivation for why it is making these changes.
  * why is "The following updates were made since RFC 4210:" in the past tense?
  *
     Note: RFC 6402 section 2.10 [RFC6402] specifies OIDs for a CMC CA and
     a CMC RA.  As the functionality of a CA and RA is not specific to
     whether use CMC or CMP as certificate management protocol, the same
     OIDs SHALL be used for a cmpCA and a cmpRA.

I believe that I might need a little bit of convincing here on reusing cmpRA.
I want to think about this a bit.... the last two paragraphs of 3.2 hint at
my not well formed concerns.
As such this document would seem to update RFC6402 as well.

I do wonder if 4210bis might be better a better idea rather than
replacing/updated so much "EncryptedValue -> EncryptedKey".

  - draft-brockhaus-lamps-lightweight-cmp-profile

This is the document I'm more interested in.
At 64 pages, I wonder about "lightweight" ;-)
I believe that a two paragraph summary of Appendix D and E would be worthwhile.
How much of 4210 could we just throw out in a 4210bis?
s/IPSec/IPsec/         {it's the brown M&M of rfc4301}

section 2.6 says:
   "Chapter 2", so I think the references are all dangling.
   XML2rfc deals with tis for you, so I'm guessing you aren't using <xref> here?

I find this statement:
   HTTP transfer is RESOMMENDED to use for all PKI entities, but there
   is no transport specified as mandatory to be flexible for devices
   with special constrained to choose whatever transport is suitable.

(aside from the typo), difficult to take in a profile.
RECOMMENDED is a synonym for SHOULD, and usually needs to have some
explanation of when another answer is appropriate.
If you want to be open to COAP, then let's just say that.
I'm glad that section 7.1 makes the URL clear.
I think that lower case 'cmp' would be more consistent with other .well-known uses.

7.2 should say TLS 1.2 or greater/newer, rather than saying 1.2 or 1.3.

Both the HTTP and HTTPS usage might need to be clear if support for
HTTP/2 and/or QUIC is expected to be supported.  Constrained environments
want to know what they can skip.


7.5.  CoAP transport
   ...
   Such specification is out of scope of this document and would need to
   be specifies in a separate document.

I think that it's not that hard to specify this.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [


--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email