Re: [lamps] Francesca Palombini's No Objection on draft-ietf-lamps-cmp-updates-22: (with COMMENT)

"Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com> Tue, 28 June 2022 07:24 UTC

From: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
To: Francesca Palombini <francesca.palombini@ericsson.com>, The IESG <iesg@ietf.org>
CC: "draft-ietf-lamps-cmp-updates@ietf.org" <draft-ietf-lamps-cmp-updates@ietf.org>, "lamps-chairs@ietf.org" <lamps-chairs@ietf.org>, "spasm@ietf.org" <spasm@ietf.org>, "housley@vigilsec.com" <housley@vigilsec.com>
Date: Tue, 28 Jun 2022 07:22:41 +0000
Message-ID: <GV2PR10MB621001E8332528EE657369F6FEB89@GV2PR10MB6210.EURPRD10.PROD.OUTLOOK.COM>
References: <165635558714.46948.4072872589231570179@ietfa.amsl.com>
In-Reply-To: <165635558714.46948.4072872589231570179@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/ClRSMQequVc8dWorQZoVcyD0HeM>
Subject: Re: [lamps] Francesca Palombini's No Objection on draft-ietf-lamps-cmp-updates-22: (with COMMENT)

Francesca

Thank you for providing your comments and your voting.

> Von: Francesca Palombini via Datatracker <noreply@ietf.org>
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> Thank you for the work on this document.
> 
> I have a few minor comments, hopefully easy to fix; answers are appreciated.
> 
> Francesca
> 
> 1. -----
> 
>    previous PKI management operation).  PKIProtection will contain a MAC
>    value and the protectionAlg MAY be one of the options described in
>    CMP Algorithms [I-D.ietf-lamps-cmp-algorithms].  The PasswordBasedMac
> 
> FP: I think the correct term here is MUST rather than MAY, otherwise this seems
> to imply that the protectionAlg can be something different as well.

CMP Algorithms does not aim to provide a complete list of all possible algorithms
to be used with CMP.
As stated in the Abstract of CMP Algorithms:
   This document describes the conventions for using several
   cryptographic algorithms with the Certificate Management Protocol
   (CMP).
And in its Introduction:
   This document lists current cryptographic algorithms usable with CMP
   to offer an easier way maintaining the list of suitable algorithms
   over time.
As I would read MUST, it would unnecessarily limit an implementation to only use
algorithms from CMP Algorithms.

> 
> 2. -----
> 
>    Note: In case several EC curves are supported, several id-ecPublicKey
>    elements need to be given, one per named curve.
> 
> FP: I could not find id-ecPublicKey in RFC 4210, could you give more context
> where this element is defined?

AlgorithmIdentifier uses id-ecPublicKey to specify named curves as defined in RFC 5480.

New text:
Note: In case several EC curves are supported, several id-ecPublicKey elements as defined 
in RFC 5480 [RFC5480] need to be given, one per named curve.

> 
> 3. -----
> 
> Section 2.25 and 3.4 - IANA considerations
> 
> FP: Given that Section 4 now does a full update of the IANA considerations (as
> a result of Paul's comment, which I believe was a necessary improvement), it
> seems to me as if Section 2.25 and 3.4 have become useless. I suggest just
> removing those to avoid the redundancy (and the risk that future updates will
> modify one section but not the other).

I see your point.
But deleting Section 2.25 and 3.4 completely would contradict the style of the document, and the reasoning of the changes to the IANA Considerations sections of RFC 4210 and RFC 6712 would be lost.

If people think it eases reading, I could replace the content of the changes in Section 2.25 and 3.4 with references to Section 4.
For more clarity I would put the text in Section 4 in separate subsections.

New text:
2.25.  Update Section 9 - IANA Considerations

   Section 9 of RFC 4210 [RFC4210] contains the IANA Considerations of
   that document.  As this document defines a new Extended Key Usage,
   the IANA Considerations need to be updated accordingly.

   Replace the fourth paragraph of this section with the text provided in Section 4.1.

3.4.  Update Section 6. - IANA Considerations

   Section 6 of RFC 6712 [RFC6712] contains the IANA Considerations of
   that document.  As this document defines a new well-known URI suffix,
   the IANA Considerations need to be updated accordingly.

   Replace the second paragraph of this section with the text provided in Section 4.2.

But still the two new subsections (6.1 and 6.2) introduced in Section 3.4 would get lost.
Therefore, I personally dislike this approach.

As there was no objection to the original text in -21 by the IANA experts, I would prefer deleting the copied text from Section 4 :-)
To make the text more explicit, I could change the original text in -21 in Section 4.
 
Old text:
   This document contains an update to the IANA Consideration sections
   to be added to [RFC4210] and [RFC6712].

New text:
   This document contains an update to the IANA Consideration sections
   to be added to [RFC4210] in Section 2.25 and [RFC6712] in 3.4. 

Which approach do people prefer?

> 
> 4. -----
> 
>    [RFC4210].  This document redirects to the new algorithm profile as
>    specified in Appendix A.1 of CMP Algorithms
>    [I-D.ietf-lamps-cmp-algorithms].
> 
> ...
> 
>    For specifications of algorithm identifiers and respective
>    conventions for conforming implementations, please refer to CMP
>    Algorithms Appendix A.1 [I-D.ietf-lamps-cmp-algorithms].
> 
> FP: There is no Appendix A.1 of [I-D.ietf-lamps-cmp-algorithms]. Did you mean
> Section 7?

Very good point. Thank you for spotting this.
I will change Appendix A.1 to Section 7.1.

> 
> 5. -----
> 
> FP: Nits reports the following:
> 
>   == Unused Reference: 'RFC2510' is defined on line 1580, but no explicit
>      reference was found in the text
> 
> RFC 2510 does appear in the document, but only in the section header, I would
> suggest adding the reference in the text as well.

I will update Section 2.21.

New text:
   Section 7.1.1 of RFC 4210 [RFC4210] describes the behavior of a
   client sending a cmp2000 message talking to a cmp1999 server as specified in
   RFC 2510 [RFC2510].  This document extends the section to clients with any
   higher version than cmp1999.
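The id-ecPublicKey point in item 2 above is easiest to see on the wire. The following is an added example, not code from this mail or from the CMP drafts: it hand-encodes the RFC 5480 AlgorithmIdentifier form { id-ecPublicKey, namedCurve OID } in DER with nothing but the Python standard library, producing one element per supported curve exactly as the proposed note requires, and parses such an element back, rejecting anything that is not an id-ecPublicKey identifier carrying a namedCurve. The OID values (id-ecPublicKey 1.2.840.10045.2.1; secp256r1 1.2.840.10045.3.1.7; secp384r1 1.3.132.0.34; secp521r1 1.3.132.0.35) are the registered ones from RFC 5480; the function and variable names are this example's own.

```python
"""Added example: id-ecPublicKey AlgorithmIdentifier elements, one per named curve.

Pure-stdlib DER encoder/decoder for the RFC 5480 AlgorithmIdentifier form
   SEQUENCE { algorithm OID id-ecPublicKey, parameters ECParameters (namedCurve OID) }
as discussed in the mailing-list exchange above. Not taken from any CMP draft or
implementation; helper names are this example's own.
"""

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"  # RFC 5480 id-ecPublicKey

# Registered namedCurve OIDs (RFC 5480, Section 2.1.1.1).
NAMED_CURVES = {
    "secp256r1": "1.2.840.10045.3.1.7",
    "secp384r1": "1.3.132.0.34",
    "secp521r1": "1.3.132.0.35",
}


def _base128(n):
    """Encode one OID arc as base-128 with continuation bits (X.690 8.19)."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def _tlv(tag, content):
    """Wrap content in a DER tag/length/value triple (definite-length form)."""
    length = len(content)
    if length < 0x80:
        return bytes([tag, length]) + content
    lb = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    """DER-encode a dotted OID string; the first two arcs share one subidentifier."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID %r" % dotted)
    body = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return _tlv(0x06, body)


def ec_algorithm_identifier(curve_oid):
    """AlgorithmIdentifier { id-ecPublicKey, namedCurve } for one curve."""
    return _tlv(0x30, encode_oid(ID_EC_PUBLIC_KEY) + encode_oid(curve_oid))


def supported_ec_algorithms(curve_names):
    """One id-ecPublicKey element per supported curve, as the proposed note states."""
    return [ec_algorithm_identifier(NAMED_CURVES[name]) for name in curve_names]


def _read_tlv(data, pos):
    """Read one DER TLV starting at pos; returns (tag, content, end_offset)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(data):
        raise ValueError("truncated element")
    return tag, data[pos:end], end


def decode_oid(body):
    """Decode OID content bytes back to dotted form."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if value or not arcs:
        raise ValueError("malformed OID")
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def decode_ec_algorithm_identifier(der):
    """Return the namedCurve OID of an id-ecPublicKey AlgorithmIdentifier, or raise."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    tag, alg, pos = _read_tlv(seq, 0)
    if tag != 0x06 or decode_oid(alg) != ID_EC_PUBLIC_KEY:
        raise ValueError("algorithm is not id-ecPublicKey")
    tag, params, pos = _read_tlv(seq, pos)
    if tag != 0x06 or pos != len(seq):
        raise ValueError("parameters must be exactly one namedCurve OID")
    return decode_oid(params)


def is_ec_named_curve(der):
    """Convenience predicate: True only for a well-formed id-ecPublicKey/namedCurve element."""
    try:
        decode_ec_algorithm_identifier(der)
        return True
    except (ValueError, IndexError):
        return False


if __name__ == "__main__":
    for element in supported_ec_algorithms(["secp256r1", "secp384r1", "secp521r1"]):
        print(element.hex(), "->", decode_ec_algorithm_identifier(element))
```

Running the block prints three distinct AlgorithmIdentifier encodings that differ only in the trailing namedCurve OID, which is why a single id-ecPublicKey entry cannot announce more than one curve and the note asks for one element per curve.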