IETF conflict review for draft-turner-sodp-profile
conflict-review-turner-sodp-profile-00
Yes
No Objection
Erik Kline
Murray Kucherawy
(Alvaro Retana)
(Barry Leiba)
(Deborah Brungard)
(Martin Duke)
(Martin Vigoureux)
Note: This ballot was opened for revision 00 and is now closed.
Ballot question: "Is this the correct conflict review response?"
Roman Danyliw
Yes
Comment
(2020-08-27)
Sent for earlier
To remove confusion about HTTP header usage, please make this edit in Section 3.1 OLD: Clients include an HTTP Accept header with each HTTP GET request to indicate the PAL Package Types supported ([RFC8295], Section 2.1.1). NEW Per Section 2.2 of [RFC8295], clients indicate the format ("application/xml" or "application/json") of the PAL information ([RFC8295], Section 2.1.1) via the HTTP Accept header.
Erik Kline
No Objection
Murray Kucherawy
No Objection
Alvaro Retana Former IESG member
No Objection
No Objection
()
Not sent
Barry Leiba Former IESG member
No Objection
No Objection
()
Not sent
Benjamin Kaduk Former IESG member
No Objection
No Objection
(2020-08-27)
Sent
Thanks for the changes in flight to clarify how HTTP's Accept header field is used to indicate PAL content types. Section 1.1 o CNSA-related (Commercial National Security Algorithm) drafts [RFC8603], [RFC8755], [RFC8756], and [ID.cnsa-tls-profile]. The profile defined herein does not support RSA-based or DHE-based key establishment algorithms. If we're going ECC+AES+SHA384-only, it might be more readable to just say that. Section 1.2 o Section 2 specifies the version of ASN.1 (Abstract Syntax Notation One) version used. nit: double "version". Section 1.3 (side note) I'm kind of curious where (if anywhere) a Kerberos KDC or similar entity would fit into the KTA hierarchy. distribute PKI-related information through the /cacerts, /crls, /eecerts, /fulcmc, /simpleenroll, /simplereenroll, /csrattrs EST and EST extension services. nits: s/fulcmc/fullcmc/; s%/csrattrs% and /csrattrs% Section 3.2 TLS implementations are configured as specified in [ID.cnsa-tls-profile]; the notable exceptions are that RSA-based and DHE-based key establishment algorithms are not used. So that puts us at ECDHE-only? Might as well just say so. Section 3.6.3 CSRs follow the specifications in Section 5.1 of [RFC8756], with two exceptions. First, the Change Subject Name and the POP Link Witness V2 attributes, which are CMC-specific requirements do not apply. Second, RSA-based algorithms are not used. Section 4.2 of 8756 looks more relevant than Section 5.1 does. Client requests include the tls-unique value in the challenge- Sigh, tls-unique. Section 3.6.6 PFXs [RFC7292] are exchanged using both password privacy mode and integrity password mode. The PRF algorithm for both the PBES2 and PBMAC1 is HMAC-SHA-384 and the PBES2 encryption scheme is AES-256. I see PBES2 needing a KDF function, but is that the same as the PRF algorithm? Section 3.6.9 Clients that claim to support SODP-interoperation will be able to process the following messages from a SODP server: additional encryption and origin authentication ([RFC8295], Section 5); server- provided Symmetric Key Content Type [RFC6032] encapsulated in an Encrypted Key Content Type using the EnvelopedData choice [RFC6033] with a SOA certificate that includes the CMS Content Constraints extension (see Section 7.1). I see that a previous reviewer noted some disparity between the introduction's "need not implement all of the interfaces specified herein [...] free to choose which interfaces" and some more specific requirements in the text; this seems to be another such instance. /serverkeygen/return is not used at this time. This is the /symmetrickeys section; is this statement still relevant? Section 4.1 Clients use only the HTTPS-based transport; the TLS implementation and configuration is as specified in [ID.cnsa-tls-profile]; the notable exceptions are that RSA-based and DHE-based key establishment algorithms are not used. (same as above) Section 5 Issuer and subject names are composed of only the following naming attributes: country name, domain component, organization name, organizational unit name, common name, state or province name, distinguished name qualifier, and serial number. Just to confirm: this is the serial number name component, distinct from the issuer's serial number for tracking its issued certificates? In the Subject Key Identifier extension, the keyIdentifier is the 64 low-order bits of the subject's subjectPublicKey field. This seems to be compatible with RFC 5280, but is a little surprising to me, since it seems to needlessly risk collisions when a digest of the full public key could incorporate more entropy into the SPKI. [both of these comments have relevance in the later sections as well] Section 7 I assume it is deliberate that nothing is mentioned about extendedKeyUsage?
Deborah Brungard Former IESG member
No Objection
No Objection
()
Not sent
Martin Duke Former IESG member
No Objection
No Objection
()
Not sent
Martin Vigoureux Former IESG member
No Objection
No Objection
()
Not sent