Re: [lamps] AD review of draft-ietf-lamps-rfc7030est-clarify-05
Michael Richardson <mcr+ietf@sandelman.ca> Sun, 14 June 2020 18:07 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C3B43A0365 for <spasm@ietfa.amsl.com>; Sun, 14 Jun 2020 11:07:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MZwnqM6pwmWU for <spasm@ietfa.amsl.com>; Sun, 14 Jun 2020 11:07:41 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 029DD3A02BE for <spasm@ietf.org>; Sun, 14 Jun 2020 11:07:39 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 704B5389FD; Sun, 14 Jun 2020 14:05:05 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id rzRyjS-sZM0e; Sun, 14 Jun 2020 14:05:04 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id 34CBB389FB; Sun, 14 Jun 2020 14:05:04 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id C9B55608; Sun, 14 Jun 2020 14:07:36 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Roman Danyliw <rdd@cert.org>, LAMPS WG <spasm@ietf.org>
CC: max pritikin <pritikin@cisco.com>
In-Reply-To: <7cba97541fbd435b94192d23f966b363@cert.org>
References: <7cba97541fbd435b94192d23f966b363@cert.org>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Sun, 14 Jun 2020 14:07:36 -0400
Message-ID: <30816.1592158056@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/qSZ_O2Bb_KyK_B2hHsSO-PMUFPM>
Subject: Re: [lamps] AD review of draft-ietf-lamps-rfc7030est-clarify-05
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 Jun 2020 18:07:45 -0000
WG and Max, I have changed the section 3 (in this document) edits for the RFC7030 section 4 edits to Replace/New. I could change the 4.5.2 change to be more explicit about what has changed. I found that section very difficult to read in rfc7030, so I prefer to have the changes applied in the update. Roman Danyliw <rdd@cert.org> wrote: > I conducted an AD review of draft-ietf-lamps-rfc7030est-clarify-05. > Thanks for the work on this document to address issues that had arisen > in RFC7030. Below is my feedback: Thank you. > (1) From idnits: > == The 'Updates: ' line in the draft header should list only the _numbers_ > of the RFCs which will be updated by this document (if approved); it > should not include the word 'RFC' in the list. Fixed. kramdown puts whatever I put in the header into the output. I had "RFC7030" > This is likely an artifact of the document build chain you are using, > but can you please recompile it to spit out the following s/Updates: > RFC7030/Updates: 7030/ > (2) From idnits: > == Unused Reference: 'RFC8179' is defined on line 377, but no explicit > reference was found in the text That's BCP14. I see it in the BCP14 paragraph. > == Unused Reference: 'X681' is defined on line 385, but no explicit > reference was found in the text > == Unused Reference: 'X682' is defined on line 389, but no explicit > reference was found in the text I believe that I got a request to please include them all. The reference is: This annex provides the normative ASN.1 definitions for the structures described in this specification using ASN.1 as defined in [X680] through [X683]. I will write them all out. > (3) Section 1. Editorial. > "[RFC7030] defines the Enrollment over Secure Transport, or EST protocol. > This specification defines a number ..." > Because of the paragraph break, I initially read "This specification > defines a ..." to mean this document when you really mean RFC7030. Changed to: -{{RFC7030}} defines the Enrollment over Secure Transport, or EST protocol. - -This specification defines a number of HTTP end points for certificate enrollment and management. +Enrollment over Secure Transport (EST) is defined in {{RFC7030}}. +The EST specification defines a number of HTTP end points for certificate enrollment and management. > (4) Section 1. Per "Changes to [RFC7030] to bring it inline with > typical HTTP processing risk changes the on-wire protocol in a way > that is not backwards compatible. However, reports ..." > -- I had difficulty parsing this first sentence due to the use of > "changes" twice. > -- Calling something "typical HTTP processing" begs for a reference > describing that baseline behavior. > Maybe saying something like: > Any updates to [RFC7030] to bring it inline with HTTP processing per [RFC7231] risks changing the on-wire protocol in a way that is not backwards compatible. Done. > (5) Section 1. Editorial. There is no canonical set of implementers > (so the definite article shouldn't suggest that). s/However, reports > from the implementers .../However, reports from implementers/ done. > (6) Section 1. Typo. s/extranous/extraneous/ fixed. > (7) Section 1. Editorial. Per "This document deals with errata numbers > [errata4384], [errata5107], [errata5108], and [errata5904]", this is > helpful to point out that these errata are getting addressed. They are > even cited as normative references. However, by my read, the text only > every explains how [errata5108] is being addressed. The other three > are not mentioned in the text at all. Please make the text more > explicit on which changes are addressing which errata. I have listed in the introduction how each of the four errata are closed. > (8) Section 3, 4, and 5. I found it confusing that each section used a > different patch style. Is there a reason to do that? I see your point, but I think that we used the right style each time. > ** Section 3 summarizes the behavior of 4.1.3, 4.3.1, 4.3.2, 4.4.2 and > 4.5.2 without providing specific references to exact text, and then > provides a general updated behavior (again without providing exact text > updates) Yes. I don't think that patching the text of each of those would make it easier to read. We could cross-off the text of 4.1.3 if that would be easier. > ** Section 4. Provides an outright new blob of text to drop into a > section with high redundancy to the original The CSR Attribute text would have the base64 edit applied to it as well. I personally thought that we might have edited that text a bit more to clarify how CSRs are made. > ** Section 5. Uses an OLD vs. NEW convention. > Minimally, since the style of Section 4 and 5 are similar and are > precise, I'd recommend making Section 3 look like one of these style > (i.e., being clear on exactly what text is being updated/deprecated). okay, I'll change section 3. Please see next email/diff. > (a) Section 1. "However, reports from the implementers suggest that > many implementations do not send the Content-Transfer-Encoding, and > many of them ignore it. The consequence is that simply deprecating the > header would remain compatible with current implementations." - this > commentary suggests that dropping the header would cause no issues if > that approach is taken. That's what we have done. > (b) Section 3. "This document updates [RFC7030] to require the POST > request and payload response of all endpoints use Base64 encoding as > specified in Section 4 of [RFC4648]." - this updated guidance doesn't > explicitly rule out the use of the header Correct, current implementations do not set the header, and ignore it upon receipt. If there are lurking implementations that did not response that do include the header, then they will continue to operate. If someone ran into such an implementation that required the header, then it could work around by continuing to include it. > (c) Section 3. "This format is to be used regardless of any > Content-Transfer-Encoding header, and any value in such a header MUST > be ignored." - this doesn't say anything about sending the header, only > that it should be ignored on processing; this seems important for > backwards compatibility. Yes. Liberal in what you accept. Not, no need to send it. > Why drop the header from one section per (d) but not from the others > per (e)? Under what circumstances should a header be sent - > specifically, if (c) says the header should be dropped, why do we still > send it per (e)? I don't think we do, and maybe your request for explicit patches is waranteed. > (10) Section 3.1. Per "This specification clarifies that despite > [RFC2616], that white space including CR, LF, spaces (ASCII 32) and, > tabs (ASCII 9) should be tolerated by receivers", is there a reason > that there isn't a normative SHOULD here? Agreed. SHOULD now. > (11) Section 4. > "Section 4.5.2 of [RFC7030] is to be replaced with the following text: > 4.1. CSR Attributes Response" > ** Editorial. I suspect there is a tool chain rendering issue. The > section header to drop into RFC7030 needs to read "4.5.2 CSR Attributes > Response" (not 4.1 which is the next section of this document). > Editorial alternative would be to drop the header entirely or following > convention used in Sections 5.1 and 5.2. Yeah, I'll render it without the markup. > ** Editorial. It might also be valuable to explain what is getting > changed instead of just providing an updated blob. I'll defer to the WG here. > (12) Section 4. Editorial. For consistency with RFC7090, consider s/[X609]/[X.609]/. Okay. > (13) Section 5. The updates here drop the normative MUST to a "must" > regarding the "response data must ...". The Errata text explains that > "Note that the MUST was reduced to a must because no content-type is > specified" but I'm still not following why we lost the normative MUST. > What am I missing? Editorial mistake -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
- [lamps] AD review of draft-ietf-lamps-rfc7030est-… Roman Danyliw
- Re: [lamps] AD review of draft-ietf-lamps-rfc7030… Michael Richardson
- Re: [lamps] AD review of draft-ietf-lamps-rfc7030… Michael Richardson
- Re: [lamps] AD review of draft-ietf-lamps-rfc7030… Roman Danyliw