Re: [lamps] Paul Wouters' Discuss on draft-ietf-lamps-cmp-updates-21: (with DISCUSS and COMMENT)
"Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com> Sat, 11 June 2022 06:21 UTC
Return-Path: <hendrik.brockhaus@siemens.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 003C7C14F745; Fri, 10 Jun 2022 23:21:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=siemens.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ePmOrkAdIBOl; Fri, 10 Jun 2022 23:21:50 -0700 (PDT)
Received: from EUR05-VI1-obe.outbound.protection.outlook.com (mail-vi1eur05on20611.outbound.protection.outlook.com [IPv6:2a01:111:f400:7d00::611]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D3ABCC14F6E7; Fri, 10 Jun 2022 23:21:49 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=XAY7Xj2PJ/pHckPGOy0b+G+o7pnRv/gQE8ud4OOLL22/jga1zpeyN3g+2h0dF3dsKK0Mu6F2uIBhJA+kNmZ5Wt2BhZupHUAFyOXKX8B8dPhi+yOvtl9Gk5A9Itn4Nqb+RjpcEXrMohPYQ0vpIK3Emq2DqPw2t2KJMxfArM88ThPZ3VmOICFtV+Bnzi6GxFDmRhTN255JBoPB5YC4f878dMSDppfn7T0QM8zxb8/meJLL1VHZ03elplJhHesBTsvDBrp13P447wunGJrx02mrK3cGlZmHkl3kTRWvVldL3muBt2+mB0o3JkiYXE98wfUCpZs3KS3DMyaxKa0/mS1z5w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=igosgqmg9c5ZJ2/6W+N2OuIPRpDaBPl09i7yJaYfCpM=; b=H/Pe3yCUhPrQFbzmHUgbV8WguywoqI5nsr5WQRuYVrZxnaiHnuQsZ23o/4mXh4EDsAZveNMVGcoavT/vkwYpbpZlHHDyDLlis6/OwnifUJ5I2ZaO4XAFbMBfQHE2NJtVjvOQVNa5I4e7A3bJhUKOqbFcGjqNxrweHzGDSkaG4GC9GZNmoLy1S6X7PpGpLL9HB7nBtcnsQPbZS1OlDcY2ld+WSSP9LB8PrKY54xtOX8jbwnfA/7OLmCJf34SWa+ZqoZOHeL2TnDqk5n2f3Xl14xt/8x3+H604W7MBOBZzDUUUyCEaoQ6CFRxYV5aEH/m5WP3xzMTy/bl0d3ue89nNxQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com; dkim=pass header.d=siemens.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=siemens.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=igosgqmg9c5ZJ2/6W+N2OuIPRpDaBPl09i7yJaYfCpM=; b=g/ZI9Dj4wF9QyPyJLTaNQm/ey5oNKbEtd+b3BCqpKjb8jwYEIpNVx90sv+1KOPcQWvQsH4aiUiYgBl9kRbuDIMDjMml8AwjwO3JgiOitUMQ0QG145f0F38EVZK2K/piIENseMVkmw57oZ0+TKsgaMYHaypc5MKbIAvTlxNIiPhXESG2Zl7jrFXB7FKlSaTlUiG4g5P20uIcsAAPskVdNab1FyDqcYNNQFiQ+e9GbKhr7AbZg8H7dDplHcyHNPl4ZKVPM/sVlBgEhYy5jVOzWUznhijUeWuM8mQQeGIZlZ6C6BE3OigBXjbJQqBCvK6CnEXyWhhnUbKjayO+3DL5jQw==
Received: from DU0PR10MB6204.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:3ec::13) by AM7PR10MB3206.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:20b:108::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5332.12; Sat, 11 Jun 2022 06:21:42 +0000
Received: from DU0PR10MB6204.EURPRD10.PROD.OUTLOOK.COM ([fe80::c821:8f68:e1a2:ddc3]) by DU0PR10MB6204.EURPRD10.PROD.OUTLOOK.COM ([fe80::c821:8f68:e1a2:ddc3%5]) with mapi id 15.20.5332.015; Sat, 11 Jun 2022 06:21:42 +0000
From: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
To: Paul Wouters <paul.wouters@aiven.io>, The IESG <iesg@ietf.org>
CC: "draft-ietf-lamps-cmp-updates@ietf.org" <draft-ietf-lamps-cmp-updates@ietf.org>, "lamps-chairs@ietf.org" <lamps-chairs@ietf.org>, "spasm@ietf.org" <spasm@ietf.org>, "housley@vigilsec.com" <housley@vigilsec.com>
Thread-Topic: Paul Wouters' Discuss on draft-ietf-lamps-cmp-updates-21: (with DISCUSS and COMMENT)
Thread-Index: AQHYfPnjzDEKO2coT0qkWxzM01uaJK1Ju9Th
Date: Sat, 11 Jun 2022 06:21:42 +0000
Message-ID: <DU0PR10MB6204338981B44D443B036B86FEA99@DU0PR10MB6204.EURPRD10.PROD.OUTLOOK.COM>
References: <165488656549.33195.4087333678068665768@ietfa.amsl.com>
In-Reply-To: <165488656549.33195.4087333678068665768@ietfa.amsl.com>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_Enabled=True; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_SiteId=38ae3bcd-9579-4fd4-adda-b42e1495d55a; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_SetDate=2022-06-11T06:17:13.5522375Z; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_ContentBits=0; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_Method=Standard
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=siemens.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 09920d77-3d4d-429c-1842-08da4b72a6b8
x-ms-traffictypediagnostic: AM7PR10MB3206:EE_
x-microsoft-antispam-prvs: <AM7PR10MB320692FE91706AB0CC99C388FEA99@AM7PR10MB3206.EURPRD10.PROD.OUTLOOK.COM>
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: n5ozrxu8cVm04SaLDt4DV7GDQ+Tgc/LTp1Ov7CaElrzedCmHaosfapUW13TeCE5f1B6LMMxlACG+8BDSS6hghBPD65OrcIsakhwtXCjeVtAsi+gWZhNyh1S9Qr/NdmmP3haBgfidR+GwbKvnoetpGuOPYJDbDR/22nvRV8RpdV7Ys0OLyPGjRS1kzFMNQJ2JL1yT5bSwuk7zhUSVUTzpsk3h/eSKlU3H13ufdrLpYUq73iAjWQzj1mAGNmnZBx/OVT7EkPozD3A/+s0kCocqgZvlP0kiHPX71oV+wpnJeI5UslvUVp0unFpoOvyAwZ91WLeZFfC+eN9721euq9cRmN/5IjlC8VEpqXlBjTSIgYiVVUDShbrdh4SFY5qVRszrvwgZjDy1nnfp7l2ncBVJgt9XiKQ61REXzDmJAGY2kEpl72SXm51zhViBPIyxfd08PDQDETz2z7kSOgzXDzeJEMQId3Gnrj/ons6vGlP9aY393dG/KaOd8fPDwIDAxnS/fFpvLpPw6DZJdtU6k0yK5Wcl6BjZutElEK8OddBN5+ZOWwPuuXdVnuilNusUruB6qh/GM43kcUlncF/ISaxtpkmGebHvudXfkmKH9toc8xyHUFj5ldGo0RJDcvTx8/K14B1Ym6pGa51Dx+lEL3CZRORccqYtS6Q2WotgXspbxhJd7vR9H5ASVP3xKAM6DRB/lcmI6AP0i294w0WpHCdMz7hUYftFapfL4MafJMIj+9Fz0q0HQvJ6is5DYIF7IBUZjKd7v49ge4VC4oXHTDIq+BOgG90Cv7nOiTImB9hYaoM8/va19lyhAvyAcLfZ4ZKtWndSzJOYtoXOQBTeeRhcWA==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DU0PR10MB6204.EURPRD10.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230016)(4636009)(366004)(66946007)(76116006)(64756008)(66556008)(66446008)(8676002)(8936002)(52536014)(4326008)(86362001)(66476007)(122000001)(71200400001)(45080400002)(38070700005)(966005)(508600001)(91956017)(82960400001)(5660300002)(7696005)(186003)(38100700002)(316002)(110136005)(166002)(33656002)(9686003)(26005)(55016003)(83380400001)(54906003)(15650500001)(2906002)(6506007)(30864003); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: DpZu/5TwRMtRWZ6Gco717vbXGTv6Zpfu1cDLeA7Yg35Lbm99XUKb6IYTP2QtvrXkO33+vNBGXiXTjrw+pu6xCjWyBlpH1ekLLHJ7rNxtVKqrAE+FY7bIu+qzQrr3+cXKMhYkHrF0aQAWBnXRHCb10MF1HoelS9UuHYXDKYpe+CNsm/4xmTffvT4azoBydCtUsAzPIIV6EqG+Bec/YK7Np2pwkC2M35C08LrrmYsjaJHUKBQ8ZzvbTAvem3Yqt8PfDGgmMsyRKXObUywV0yDmFfKt5vYwyiJO24m6E62n+vAat5uo546qE+ZHKGID4q6xCFyfb5MvRfON4kT5BxFuxJXUKXbdQrfzW5HXD0Y+qNNtsOBH25aGWKS/lz1RH+fOte1G3+WTT0pjxx2JZHicuetTZEOi1JFM0Nv1lh7zd+Wed/pP1SqLOFgnkS6Z3xgIgKQdtmtHZ1duOFo+7ZxM8AT4gSS7WKIV/RtsUz+PDXVfyqAcT9RXbPwZzEGvI9kgB++BIbg3xR7dZNmE9lk75Mw5gpP+AGb3hvrQUtC3ZnvWcGAgl9N8W/Gnzz9TmS9uwg986XrUe2xcyRNxpeJOaSHtthMP9xp6GBATc1kP2dIFgy/abf5okuzzvAF2DIAfbZlPEsaQAi6G6fecaOEYWx4z6Mm4/jvB06Y+9AAVkwoE24GXr8ym/m2o1cFjoQpNuY4T+mtW3AagHUg4xr2wp1z5oAz/uAFh8ZlZ8kt6HsNOXXCjWnwD5CKGlv8Bdbqetm/ExWGpDSATOgs0+jIT++9FpEGyEi+pznB60w34XIn3eLTle9IoSwKOksw28j8rEPGe7bFerI55ygJoY+seJB9cc3pNLkMpZ2u/Dp1k1aLaFdHf6K9ChKBzo7RmgXg+LjaP7nSttlWrCLmZtI9bmw7voTD+/XqC8RQIDFH4mXinokt9qLgtePNp28txGN+G4+fXlz500o1sNzPzOKKrl+Iml+0LYgU9HDHsD5IlvKSKoIoO4YNL4Uctlog7OlfhUIiYUljM7FA25SQCme3ikaQ4Tlle9XdroUkzGOgqmfNULgDFj1M7YGcp1ssetUeqa0fWNXfpYdeG9d8wf8obssnhni1cdYmODS7REx1KoP47xGSLKFk22IMguMpclfXH6+6MElBWFK0nSPmnKrpSsPcBFKQRPzHmP3FiagkJPPTCA+5/w2uNMTiupFFntvZDurYh09On0t9zb9Fgu7N1Fol94KguKgMzrQ5d/IGHvzRieW/nc7VtvgxUzzD6Ye+4Cyruu1Z9trM4gyG5aI3dcDoPhd8LaliOr4JwCGVnZYDPRR+LwMG9Qf/h3Q61PxqhWgpYZiNVgoobCXNkL2A/mManzEX9rJQ9HfKyiiAh8VQgG+YzEWSk8aFpYUBX+iRA1DkSJ4Kv/EYIximckYDN/b1ne1cHNXiX5PHKjh16PsGopM+0maCXaHjr9gP1+G57+fgMQxqyaf/2taU3bF1U4hVmogsTVsRx7xKF82j5s+1Ww0YpASHD+Ol8au6w2r5UtDQtElyIP7ZDK8mkiVxAZGHxXV3uVO2+y8uBhr+uKuHf0GGmrHVY989bnuZSK6xdWj3waehZT3wTdBgaFUP5rVwawGGRAQB2mrYIc3/Arz/7kUfTxPQeAL/qkygs7phCgW867xjXxhUWat4X/fHhbI7jlvnr0FluhpsKnlWhgbMZiBkmI+il5YUQC4kx1kH4xyMaG1FNo/QogqZf7h8gc+RZZqfjQzzS2sYswNHhOYJoO7ldfZl+VRcPM9XGIZgd
Content-Type: multipart/alternative; boundary="_000_DU0PR10MB6204338981B44D443B036B86FEA99DU0PR10MB6204EURP_"
MIME-Version: 1.0
X-OriginatorOrg: siemens.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DU0PR10MB6204.EURPRD10.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 09920d77-3d4d-429c-1842-08da4b72a6b8
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Jun 2022 06:21:42.1315 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: t3g8MbdovtyZGgUyH5ck7UezG5LvyztX7E6EHehGsQVLDRXMVCFxZkWLrlqgig0kdd5Mi35oBN3aAyewplBPRLGwZ9KdIGAULddbiLKoW1M=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM7PR10MB3206
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/hjG7a-KK3Co8OgdD4kew9ym6Uno>
Subject: Re: [lamps] Paul Wouters' Discuss on draft-ietf-lamps-cmp-updates-21: (with DISCUSS and COMMENT)
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Jun 2022 06:21:55 -0000
Paul Many thanks for your detailed review and your comments. Currently I am on vacation and will provide feedback after my return on June 20th. Hendrik ________________________________ Von: Paul Wouters via Datatracker <noreply@ietf.org> Gesendet: Friday, June 10, 2022 8:42:45 PM An: The IESG <iesg@ietf.org> Cc: draft-ietf-lamps-cmp-updates@ietf.org <draft-ietf-lamps-cmp-updates@ietf.org>; lamps-chairs@ietf.org <lamps-chairs@ietf.org>; spasm@ietf.org <spasm@ietf.org>; housley@vigilsec.com <housley@vigilsec.com>; housley@vigilsec.com <housley@vigilsec.com> Betreff: Paul Wouters' Discuss on draft-ietf-lamps-cmp-updates-21: (with DISCUSS and COMMENT) Paul Wouters has entered the following ballot position for draft-ietf-lamps-cmp-updates-21: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fabout%2Fgroups%2Fiesg%2Fstatements%2Fhandling-ballot-positions%2F&data=05%7C01%7Chendrik.brockhaus%40siemens.com%7C82d56eb761c0488dd79f08da4b110393%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C637904833709102651%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=CAjQmh3nWmgTPMVcb3EICuQcw%2BlggelRo6f9EKGMf3o%3D&reserved=0 for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-ietf-lamps-cmp-updates%2F&data=05%7C01%7Chendrik.brockhaus%40siemens.com%7C82d56eb761c0488dd79f08da4b110393%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C637904833709102651%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=OGPjLGaIHUn8edJ3yUJvg5xppea9%2FjS1HkM7OnYrX6U%3D&reserved=0 ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- As a reviewer, and therefor I suspect also implementors, needing to read current + old and then compare it to new is very confusing. If this is for a few paragraphs I can see the point but throughout the entire long document? It prevented me from doing a full review. The document also “updates” the IANA Considerations which is not a real process we have. We only have new IANA Considerations and I don’t think we should tell IANA to decode their instructions based on a diff with another rfc. Please tell me how this document would not be simply better if the diffing and replacing is done for the reader by obsoleting the old documents and creating one new clear readable document? If the WG could not do this, how can we expect an implementer to do this ? This deliverable might have been good for the WG for tracking purposes but I don’t think it works as an RFC for the intended target audience. UPDATE: I've completed my review of -21: #1: This is a very sensitive service and therefore needs specific authorization. This authorization is with the CA certificate itself. Alternatively, the CA MAY delegate the authorization by placing the id-kp-cmKGA extended key usage in the certificate used to authenticate the origin of the generated private key or the delegation MAY be determined through local configuration of the end entity. These two MAYs are related, you MUST do one or the other. The text as it can be interpreted to not perform either MAYs. #2 Such validity periods SHOULD NOT be used for protection of CMP messages and key generation. Certificates containing one of the above EKUs SHOULD NOT use indefinite expiration date. This leaves a rather unspecified part on the implementer. What time period is too much? Clearly something between a few seconds and indefinite, but what is it? Can this document make a recommendation ? #3 Throughout the document, Section references for the to-be-patched RFC are turned into links for this RFC, eg in the text "Replace Section 5.1.3.4 - Multiple Protection" in Section 2.6 where the section title has a bad link but the section body has the right link. Please verify all of these references and fix where needed. #4 It MAY include the original PKIMessage from the EE in the generalInfo field of PKIHeader of a nested message (to accommodate, for example, cases in which the CA wishes to check POP or other information on the original EE message). If a CA wishes to do so, it would REQUIRE this original PKIMessage. Would it not be better to say "It MUST include the original PKIMessage" ? It seems also generally better to send the originals along with the modification so that the next step can (optionally!) authenticate the previous step. Otherwise, there is a lot of implied trust that should be modeled in the Security Considerations. #5 In Section 2.20, it talks abot updating 4210's Section 7. It suggests removing the first 3 paragraphs with replacement text. However, the text removed describes the behaviour in a version agnostic way that I think is more clear than the replacement text. If the client does not accept EnvelopedData, but EncryptedValue, then it MUST use cmp2000. Why not cmp1999? Because EncryptedValue is valid for cmp1999 RFC2510 as well? Are we assuming cmp1999 is completely dead and no longer deployed? In general I would clarify section 2.20 better. More clearly subdivide client and server, and leave a version of the text in Section 7 before section 7.1 intact. Also, it seems the into in the original Section 7 really covers the protocol behaviour. I am not sure why there are subsections with specific version numbers in 4210 nor do I understand why this has to be patched to an even more elaborate versioning, and mentioning EncryptedValue vs EncryptedEnvelope. It seems the section 7 overview covers all behaviour already. #6 Section 3.4 "patches" the IANA Considerations. I'd rather we didn't do this and add a clear new IANA Considerations section with clear complete instructions to IANA as to what changes to make, but I understand perhaps why to do this from a readability point of view. But at the very least leave a note to the RFC Editor to confirm all IANA Actions for this document are summarized in this document's IANA Considerations. < TBD: The temporary registration of cmp URI suffix must be updated from provisional to permanent. > IANA will do this when the document goes from draft to RFC. So this comment can safely be removed. < TBD: A new protocol registry group "Certificate Management Protocol (CMP)" (at https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.iana.org%2Fassignments%2Fcmp&data=05%7C01%7Chendrik.brockhaus%40siemens.com%7C82d56eb761c0488dd79f08da4b110393%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C637904833709102651%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=ZWPWJjKMrxeNsAKR8FepXTymrv4pQohGYwnQBo%2FYzNw%3D&reserved=0) and an initial entry 'p' must be registered. > Same here. Section 4 IANA Considerations should contain a copy of the "patch" instructions as a clear instruction to IANA so they can make the changes without them needing to "patch" the old RFC to obtain the instructions. Even if this sounds redundant in this document. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- As a next step, the LAMPS Working Group will consider providing RFC4210bis and RFC6712bis documents in order to offer the reader self-contained updated documents for CMP. I don't think these kind of "instructions to the WG or IETF" should appear in the document. But also, I would really like to see a commitment from the WG that these bis documents will be created. But again, such a response should not be stated within the document. The following updates are made in [thisRFC]: I assume thisRFC refers to the current document being reviewed. But if that text is replaced it would still be confusing. Maybe use: "[thisRFC] (this RFC)" where [thisRFC] is replaced for the actual RFC and "(this RFC)" is literal text. a PKI management entity such as an RA MAY forward that message adding its own protection (which MAY be a MAC or a signature, depending on the information and certificates shared between the RA and the CA) More confusing use of MAY. Was the intension to say "which MUST be a MAC or a signature" ? If I am wrong, it perhaps need to say "MAY be a MAC or a signature or nothing". But that seems unlikely to me. The first MAY also wouldn't need all caps. A client not supporting cmp2021 will not be able to handle this situation and will fail or reject the certificate. I don't understand the "or" here. Doesn't it fail because it rejects the certificate? Can it reject a certificate and not fail ? When a CA acts as a CMP endpoint, it should not use the same private key for issuing certificates and for protecting CMP responses, to reduce the number of usages of the key to the minimum required. What is "the key". It makes me read "CA" as the "CA certificate/key pair" but since there can be multiple keys, I should read "CA" as the Certificate Agency in general, not the single CA cert. Perhaps use "to reduce the different type of usages of a particular key to a minimum" ? (Are we worried about different types of usage, or actual just number of signing operations?) a CA certificate for use as a trust anchor, it MUST properly authenticate the message sender without already trusting any of the CA certificates given in the message. If the EE already trusts CA X, and CA X is included in the message, the EE is suddenly not allowed to use its preconfigured CA? Maybe rewrite to say "it MUSt properly authenticate the message sender with existing trust anchors without requiring new trust anchors included in the message". -- * that the contents of "thisMessage" MUST be encoded either as -- * "EnvelopedData" or "EncryptedValue" (only for backward -- * compatibility) and then wrapped in a BIT STRING. This -- * allows the necessary conveyance and protection of the -- * private key while maintaining bits-on-the-wire compatibility -- * with RFC 4211 [RFC4211]. As EnvelopedData is only added in "this document" I think the last line should be modified to say: with RFC 4211 [RFC4211] and [thisRFC] (note, using TBDx instead of thisRFC might be helpfull to the RFC Editor) -- AlgId for a One-Way Function (SHA-1 recommended) Can the part about recommending SHA-1 be removed, or does this document really want to state SHA-1 is still recommended. I guess this might be okay since it is describing the 1988 ASN.1 Module ? Note: This appendix will be deleted in the final version of the document. Please rewrite as an instruction to the RFC Editor and put in [ square braces ] for clarity. Nits: It updates RFC 4210, RFC 5912, and RFC 6712, but skimming the ToC one can only find a section on updates for 4210 and for 6712. It turns out updates to 5912 are in Appendix B. Perhaps change the title so this becomes more obvious in the ToC? Such delegation MAY also be expressed by other means, e.g., explicit configuration. I don't think that MAY needs to be in all caps? It is not part of the protocol to implement, but a directive to a human operator. these OIDs MAY be re-used. Same here, it explains why the authors of the RFC did this, so this MAY seems silly at best 5.1.3.4. Multiple Protection multiple proction what? I guess Multiple Proction in a message (or in a request) ? To indicate support for EnvelopedData the pvno cmp2021 is introduced by this document. The use of "this document" is super confusing due to this being a "patch document". Use "has been introduced" instead? Note: To indicate support for EnvelopedData the pvno cmp2021 is introduced by this document. Similar issue with "this document". Moreover Maybe use "additionally" instead of Moreover? see CVE-2008-0166 [CVE-2008-0166]; Maybe just use the link instead of doubling the name in these references cannot be measure -> cannot be measured the security of the shared secret information should exceed the security strength of each key pair. I would say "of each individual key pair", so people are not confused in thinking they might need to add up all the key strength bits. using pollReq and pollReq messages That second pollReq should be pollRep. No changes are made to the existing security considerations of RFC 6712 [RFC6712]. I think what is meant is "no security considerations updates of RFC 6712 were required".
- [lamps] Paul Wouters' Discuss on draft-ietf-lamps… Paul Wouters via Datatracker
- Re: [lamps] Paul Wouters' Discuss on draft-ietf-l… Brockhaus, Hendrik
- Re: [lamps] Paul Wouters' Discuss on draft-ietf-l… Carl Wallace
- Re: [lamps] Paul Wouters' Discuss on draft-ietf-l… Brockhaus, Hendrik
- Re: [lamps] Paul Wouters' Discuss on draft-ietf-l… Brockhaus, Hendrik
- Re: [lamps] Paul Wouters' Discuss on draft-ietf-l… Brockhaus, Hendrik
- Re: [lamps] Paul Wouters' Discuss on draft-ietf-l… Tomas Gustavsson
- Re: [lamps] Paul Wouters' Discuss on draft-ietf-l… Brockhaus, Hendrik
- Re: [lamps] Paul Wouters' Discuss on draft-ietf-l… Paul Wouters
- Re: [lamps] Paul Wouters' Discuss on draft-ietf-l… Paul Wouters
- Re: [lamps] Paul Wouters' Discuss on draft-ietf-l… Brockhaus, Hendrik
- Re: [lamps] Paul Wouters' Discuss on draft-ietf-l… Russ Housley
- Re: [lamps] Paul Wouters' Discuss on draft-ietf-l… Carl Wallace
- Re: [lamps] Paul Wouters' Discuss on draft-ietf-l… Brockhaus, Hendrik
- Re: [lamps] Paul Wouters' Discuss on draft-ietf-l… Carl Wallace