Re: [lamps] WG Last Call for draft-ietf-lamps-ocsp-nonce-01

Corey Bonnell <cbonnell@outlook.com> Thu, 30 April 2020 01:21 UTC

From: Corey Bonnell <cbonnell@outlook.com>
To: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>, Russ Housley <housley@vigilsec.com>, LAMPS WG <spasm@ietf.org>
Thread-Topic: [lamps] WG Last Call for draft-ietf-lamps-ocsp-nonce-01
Date: Thu, 30 Apr 2020 01:21:54 +0000
Message-ID: <MN2PR18MB3264D1191332AA6B7B631F4FC3AA0@MN2PR18MB3264.namprd18.prod.outlook.com>
References: <31FF8CDA-9A6B-4C16-ABD0-800E06325748@vigilsec.com>, <679B73FC-7C1B-4F9B-87E9-ADF5AB70BCDB@akamai.com>
In-Reply-To: <679B73FC-7C1B-4F9B-87E9-ADF5AB70BCDB@akamai.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/zVGPWD1OxjmygMXMAEELLPvutgE>
Subject: Re: [lamps] WG Last Call for draft-ietf-lamps-ocsp-nonce-01

Section 2.1 mandates that "newer clients" MUST send a nonce of at least 16 octets output from a CSPRNG. However, section 3.2 specifies that clients SHOULD send 32-octet nonces.

Given that newer clients would not be bound by legacy limitations and could presumably support 32-octet nonces, is there a compelling reason to specify two different lengths in the two sections? It seems to me it would be preferable to have alignment with the guidance for newer client implementations and recommended best practice in the Security Considerations.

Thanks,
Corey

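An added example (not code from the draft or from anyone in this thread) that draws a 32-octet nonce from the OS CSPRNG, wraps it in the id-pkix-ocsp-nonce extension, and applies the two length rules the sections quote above; the 32-octet upper bound, the responder-side check of the 16-octet floor, and the function names are assumptions of this example.

```python
"""Added example: OCSP Nonce extension encoding plus the length policies discussed."""
import hmac
import secrets

# id-pkix-ocsp-nonce (1.3.6.1.5.5.7.48.1.2), pre-encoded as a DER OBJECT IDENTIFIER TLV
ID_PKIX_OCSP_NONCE = bytes.fromhex("06092b0601050507300102")

RECOMMENDED_LEN = 32   # Security Considerations: clients SHOULD send 32 octets
NEWER_CLIENT_MIN = 16  # Section 2.1: newer clients MUST send at least 16 octets
MAX_LEN = 32           # upper bound assumed by this example for the responder check


def _der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def new_nonce(length: int = RECOMMENDED_LEN) -> bytes:
    """Draw the nonce from the OS CSPRNG (secrets), never from random.random()."""
    return secrets.token_bytes(length)


def nonce_extension(nonce: bytes) -> bytes:
    """Extension { extnID, extnValue OCTET STRING wrapping DER Nonce ::= OCTET STRING }."""
    inner = _der_tlv(0x04, nonce)  # Nonce ::= OCTET STRING
    return _der_tlv(0x30, ID_PKIX_OCSP_NONCE + _der_tlv(0x04, inner))


def parse_nonce_extension(ext: bytes) -> bytes:
    """Parse the structure nonce_extension() produces (short-form lengths only)."""
    if len(ext) < 17 or ext[0] != 0x30 or ext[2:13] != ID_PKIX_OCSP_NONCE:
        raise ValueError("not an id-pkix-ocsp-nonce extension")
    if ext[13] != 0x04 or ext[15] != 0x04:
        raise ValueError("extnValue must be an OCTET STRING wrapping a Nonce OCTET STRING")
    n = ext[16]  # nonce length; 0x30 LL [OID 11 bytes] 04 LL 04 LL nonce
    if n >= 0x80 or ext[14] != n + 2 or ext[1] != n + 15 or len(ext) != n + 17:
        raise ValueError("inconsistent DER lengths")
    return ext[17:17 + n]


def responder_accepts(nonce: bytes, strict: bool = False) -> bool:
    """Responder policy: reject empty or oversized nonces; strict mode also enforces the 16-octet floor."""
    if not 1 <= len(nonce) <= MAX_LEN:
        return False
    return len(nonce) >= NEWER_CLIENT_MIN if strict else True


def nonce_matches(request_nonce: bytes, response_nonce: bytes) -> bool:
    """Client side: the response nonce must equal the one sent; compare in constant time."""
    return hmac.compare_digest(request_nonce, response_nonce)
```
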
________________________________
From: Spasm <spasm-bounces@ietf.org> on behalf of Salz, Rich <rsalz=40akamai.com@dmarc.ietf.org>
Sent: Monday, April 27, 2020 1:40 PM
To: Russ Housley <housley@vigilsec.com>; LAMPS WG <spasm@ietf.org>
Subject: Re: [lamps] WG Last Call for draft-ietf-lamps-ocsp-nonce-01

Nit in the abstract:
        OCSP responder [insert oxford comma here] and possible evasions

Section 2.1
        newer OCSP clients MUST use length of at least 16 octets for Nonce
Should MUST be a SHOULD?  Don't care either way since it says "newer clients"

Looks good to me, ship it.


_______________________________________________
Spasm mailing list
Spasm@ietf.org
https://www.ietf.org/mailman/listinfo/spasm