Re: [TLS] Francesca Palombini's No Objection on draft-ietf-tls-subcerts-14: (with COMMENT)
Nick Sullivan <nick@cloudflare.com> Tue, 14 June 2022 19:49 UTC
Return-Path: <nick@cloudflare.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E92DCC13A23A for <tls@ietfa.amsl.com>; Tue, 14 Jun 2022 12:49:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jePruzBYHmLU for <tls@ietfa.amsl.com>; Tue, 14 Jun 2022 12:49:28 -0700 (PDT)
Received: from mail-io1-xd36.google.com (mail-io1-xd36.google.com [IPv6:2607:f8b0:4864:20::d36]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A20DEC055842 for <tls@ietf.org>; Tue, 14 Jun 2022 12:48:13 -0700 (PDT)
Received: by mail-io1-xd36.google.com with SMTP id p128so10546730iof.1 for <tls@ietf.org>; Tue, 14 Jun 2022 12:48:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=gaHX63BKT/M3YDQr/lY0BR94Q12fg3tOuGBokGr8+6s=; b=ZCRGXM0qjWJJ3c1iJ2lvgwd8mRZ5luYPJQ7KYgj1Vdw+xmVdsXjg5p2LcvT99SbHy7 uxBcYgGJPXvjS5bU4b8g41a1bdiFDXHEfI+RH6TF+tYOUMa1xkkmdNTItFb71nRyzOKO Y4I6BcoBlDYczQnduarCF3PEQuSZRUI9fl5TI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=gaHX63BKT/M3YDQr/lY0BR94Q12fg3tOuGBokGr8+6s=; b=jot/8T73XxRh9qZK2aIOt77ndW3zkWW32Ac6Gkm+COQ2w5XttSWh3zt05W7wxCeLzA YtM7eMTMsWbi69IuDpFt3xUwozmK2YEVIXMcqjoupbHBI6Zl7E8yqVLrOi1ia5EF2Asm 6YdExjjIZspYOMeQG6LwNNTcgT+4x0MyQ+mzwuz5Gc9Fxg16Vtvhq4Ji5vMjDj77UK3Q yL4DXjTqCrIt5DLTTdUDRawcKniDSvpSLCc+5OgW3B6+vDn2ymNsLhi9AtDRxQdglolO pCmFgjg2o8RHBBCB6clXlutwDHkdaF8925NyB4r2zoogcuQUiwRjmCrjqvbM9fliPUnN j/QQ==
X-Gm-Message-State: AOAM532crq7xIvTxC+qRZKQQcOlp2CmHNEWqquuq25ULRpErsPq1INyv h95j9fbKSS3We12vx28RE/+p6NBHnj8XPbYmi57vWg==
X-Google-Smtp-Source: ABdhPJwWeJtEldUz8M9z7NFS7J67OlD7nkkp/zOFlzX4BXD3LI7wB1HN12zKHlGvs8F8jhAk2Nh9ZEgBOU6SfhEbIeA=
X-Received: by 2002:a05:6638:f95:b0:314:58f9:5896 with SMTP id h21-20020a0566380f9500b0031458f95896mr3711701jal.228.1655236092507; Tue, 14 Jun 2022 12:48:12 -0700 (PDT)
MIME-Version: 1.0
References: <165401218657.5016.5043058093425274464@ietfa.amsl.com>
In-Reply-To: <165401218657.5016.5043058093425274464@ietfa.amsl.com>
From: Nick Sullivan <nick@cloudflare.com>
Date: Tue, 14 Jun 2022 15:47:56 -0400
Message-ID: <CAFDDyk9G+TBy4MpkrOMUA47FsDViYJ2FNhVp5Dkyi2JJbJh05w@mail.gmail.com>
To: Francesca Palombini <francesca.palombini@ericsson.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-tls-subcerts@ietf.org, tls-chairs <tls-chairs@ietf.org>, "<tls@ietf.org>" <tls@ietf.org>, Joseph Salowey <joe@salowey.net>, christian@amsuess.com
Content-Type: multipart/alternative; boundary="000000000000506f1205e16dafad"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/gODk2_VeinH-YPsEHivqLoinmVs>
Subject: Re: [TLS] Francesca Palombini's No Objection on draft-ietf-tls-subcerts-14: (with COMMENT)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jun 2022 19:49:32 -0000
Francesca and Christian, Thank you for the review. Answers inline below and changes in Github ( https://github.com/tlswg/tls-subcerts/pull/108/files). Best, Nick On Tue, May 31, 2022 at 11:49 AM Francesca Palombini via Datatracker < noreply@ietf.org> wrote: > Francesca Palombini has entered the following ballot position for > draft-ietf-tls-subcerts-14: No Objection > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to > https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ > for more information about how to handle DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-tls-subcerts/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Thank you for the work on this document. > > Many thanks to Christian Amsüss for his ART ART review: > https://mailarchive.ietf.org/arch/msg/art/7lzdOaiccRnXFtSuX3aUyh9ffV8/. > Authors, please take a look at Christian's comments (also reported below), > especially the one about the "delegated_credential" usage in the > Certificate > message. > > Francesca > > -- > > Reviewer: Christian Amsüss > Review result: Ready with Nits > > Thanks for this well-written document > > ART topics: > > The document does not touch on any of the typical ART review issues; times > are > relative in well understood units, and versioning, formal language (ASN.1, > which is outside of my experience to check) and encoding infrastructure > (struct) follows TLS practices. > > General comments: > > * The introduction of this mechanism gives the impression of a band-aid > applied > to a PKI ecosystem that has accumulated many limitations as outlined in > section > 3.1. The present solution appears good, but if there is ongoing work on the > underlying issues (even experimentally), I'd appreciate a careful > reference to > it. > Unfortunately, there are no good references for alternative approaches. > > * Section 7.6 hints at the front end querying the back-end for creation of > new > DCs -- other than that, DC distribution (neither push- nor pull-based) is > discussed. If there are any mechanisms brewing, I'd appreciate a reference > as > well. > There are no formal mechanisms moving towards standardization at this time. > > Please check: > > * The IANA considerations list "delegated_credential" for CH, CR and CT > messages. I did not find a reference in the text for Ct, only for CH and > CR. > See section 4.1.2, where it states: "The client MUST send the DC as an extension in the CertificateEntry of its end-entity certificate" which is where CT extensions live. > > Editorial comments: > > * (p5) "result for the peer.." -- extraneous period. > * (p9, p15, p16) The "7 days" are introduced as the default for a > profilable > prarameter, but later used without further comment. > > Addressed
- [TLS] Francesca Palombini's No Objection on draft… Francesca Palombini via Datatracker
- Re: [TLS] Francesca Palombini's No Objection on d… Nick Sullivan