[lamps] Martin Duke's Discuss on draft-ietf-lamps-cmp-updates-20: (with DISCUSS and COMMENT)
Martin Duke via Datatracker <noreply@ietf.org> Wed, 01 June 2022 17:07 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: spasm@ietf.org
Delivered-To: spasm@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 93A6FC14CF0F; Wed, 1 Jun 2022 10:07:40 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Martin Duke via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-lamps-cmp-updates@ietf.org, lamps-chairs@ietf.org, spasm@ietf.org, housley@vigilsec.com, housley@vigilsec.com
X-Test-IDTracker: no
X-IETF-IDTracker: 8.3.1
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Martin Duke <martin.h.duke@gmail.com>
Message-ID: <165410326059.36213.15687292037240868456@ietfa.amsl.com>
Date: Wed, 01 Jun 2022 10:07:40 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/MfwpQ6sweXdP7Vl3vQEjLRNAPis>
Subject: [lamps] Martin Duke's Discuss on draft-ietf-lamps-cmp-updates-20: (with DISCUSS and COMMENT)
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.34
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Jun 2022 17:07:40 -0000
Martin Duke has entered the following ballot position for draft-ietf-lamps-cmp-updates-20: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-lamps-cmp-updates/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- As far as I can tell, CMP provides multiple optional levels of encryption and authentication to protect its messages and components of that message. However, I gather that the transport substrate is allowed to be HTTP without TLS. Given that, how does this protocol defend against version downgrade attacks? If an on-path attacker responds to a client message with an error message requiring an older version, do all configurations of CMP detect the intervention? ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- I support Paul's DISCUSS. (2.13) IIUC, this section should also require the cmp2021 version. I found it quite confusing that this document is specifying two different versions, with version 3 diffs scattered throughout the draft. It would be much cleaner to have a clean definition of the revised v2, and then a new section that defines v3 with the small diff from v2.
- [lamps] Martin Duke's Discuss on draft-ietf-lamps… Martin Duke via Datatracker
- Re: [lamps] Martin Duke's Discuss on draft-ietf-l… Brockhaus, Hendrik
- Re: [lamps] Martin Duke's Discuss on draft-ietf-l… Martin Duke
- Re: [lamps] Martin Duke's Discuss on draft-ietf-l… Russ Housley