PKCS #12: Personal Information Exchange Syntax v1.1
draft-moriarty-pkcs12v1-1-05

Document history

Date Rev. By Action
2014-07-29
05 (System) RFC Editor state changed to AUTH48-DONE from AUTH48
2014-06-20
05 (System) RFC Editor state changed to AUTH48 from RFC-EDITOR
2014-06-17
05 (System) RFC Editor state changed to RFC-EDITOR from AUTH
2014-06-14
05 (System) RFC Editor state changed to AUTH from EDIT
2014-05-12
05 Amy Vezza IESG state changed to RFC Ed Queue from Approved-announcement sent
2014-05-10
05 (System) RFC Editor state changed to EDIT
2014-05-10
05 (System) Announcement was received by RFC Editor
2014-05-09
05 Amy Vezza IESG state changed to Approved-announcement sent from Approved-announcement to be sent
2014-05-09
05 Amy Vezza IESG has approved the document
2014-05-09
05 (System) IANA Action state changed to No IC from In Progress
2014-05-09
05 (System) IANA Action state changed to In Progress
2014-05-09
05 Amy Vezza IESG state changed to Approved-announcement to be sent from Approved-announcement sent
2014-05-09
05 Amy Vezza IESG has approved the document
2014-05-09
05 Amy Vezza Ballot approval text was changed
2014-05-09
05 Stephen Farrell Ballot writeup was changed
2014-05-09
05 Amy Vezza IESG state changed to Approved-announcement sent from Approved-announcement to be sent
2014-05-09
05 Amy Vezza IESG has approved the document
2014-05-09
05 Amy Vezza Closed "Approve" ballot
2014-05-09
05 Amy Vezza Ballot approval text was generated
2014-05-09
05 Amy Vezza Ballot writeup was changed
2014-05-09
05 Amy Vezza IESG state changed to Approved-announcement to be sent from IESG Evaluation::AD Followup
2014-05-09
05 Pete Resnick [Ballot Position Update] Position for Pete Resnick has been changed to No Objection from Discuss
2014-05-09
05 Kathleen Moriarty IANA Review state changed to Version Changed - Review Needed from IANA OK - No Actions Needed
2014-05-09
05 Kathleen Moriarty New version available: draft-moriarty-pkcs12v1-1-05.txt
2014-03-11
04 Stephen Farrell Shepherding AD changed to Stephen Farrell
2014-01-23
04 Cindy Morgan State changed to IESG Evaluation::AD Followup from IESG Evaluation
2014-01-23
04 Gonzalo Camarillo [Ballot Position Update] New position, No Objection, has been recorded for Gonzalo Camarillo
2014-01-23
04 Richard Barnes [Ballot comment]
As someone who has gone to the effort of implementing PKCS#12, this is an enthusiastic Yes.
2014-01-23
04 Richard Barnes [Ballot Position Update] New position, Yes, has been recorded for Richard Barnes
2014-01-23
04 Joel Jaeggli [Ballot Position Update] New position, No Objection, has been recorded for Joel Jaeggli
2014-01-22
04 Pete Resnick
[Ballot discuss]
A hopefully very quick DISCUSS that I can immediately clear, and mostly for the shepherd: The shepherd report says that consultation with the IETF Trust took place and they were fine with the idea that RSA transferred copyright through Kathleen's assertion, but it doesn't specifically say whether the Trust folks had a look at what copyrights RSA had reserved to itself in the Abstract. I'm no lawyer, but I'm worried that conflicts with the standard copyright template. If the answer is, "Yeah, we (the Trust) will work with the RFC Editor to make sure it says the right thing", I'm fine with this going forward. I just want to make sure that everyone is on-board.
2014-01-22
04 Pete Resnick [Ballot Position Update] New position, Discuss, has been recorded for Pete Resnick
2014-01-22
04 Amanda Baber IANA Review state changed to IANA OK - No Actions Needed from Version Changed - Review Needed
2014-01-22
04 Stephen Farrell [Ballot comment]
It'd maybe be good to note in 1.1 that "this standard" etc
is language carried over from the pkcs series to avoid
confusion.
2014-01-22
04 Stephen Farrell [Ballot Position Update] New position, Yes, has been recorded for Stephen Farrell
2014-01-22
04 Stewart Bryant [Ballot comment]
Barry and Benoit raise an important point that should be addressed.
2014-01-22
04 Stewart Bryant [Ballot Position Update] New position, No Objection, has been recorded for Stewart Bryant
2014-01-21
04 Brian Haberman [Ballot Position Update] New position, No Objection, has been recorded for Brian Haberman
2014-01-21
04 Jari Arkko [Ballot Position Update] New position, No Objection, has been recorded for Jari Arkko
2014-01-21
04 Martin Stiemerling [Ballot Position Update] New position, No Objection, has been recorded for Martin Stiemerling
2014-01-21
04 Benoît Claise
[Ballot comment]
I don't think I've seen an answer to Bert Wijnen's OPS DIR review (note that a mistake in the OPSDIR address might explain it)
Here is Bert's feedback:

From an operational and NM aspect, I do not see any issues.

I do have some general questions/comments though.
(None of them blocking though)

- The document often says "this standard".
  That feels weird. It is targeted for INFORMATIONAL document
  and if with "this standard" it is meant to say "ietf standard", then
  that status is something that may change over the lifetime of an RFC.
  I think it might be better to use "this document" or "this memo".
- In the security considerations section it says:
    and relevant guidelines (e.g., SP 800-61-1) should be taken
  And in the change log it says:
    A reference was added to SP 800-132 for its recommendations...
  But I am missing the "citation" and the item in the REFERENCES section.
  I guess those active in security AREA all know where to find this,
  but for other readers it might be handy to have those references in the
  list of references.
2014-01-21
04 Benoît Claise [Ballot Position Update] New position, No Objection, has been recorded for Benoit Claise
2014-01-21
04 Barry Leiba
[Ballot comment]
I'm making this a COMMENT for now, and will chat with Sean about it.  Depending upon how that chat goes, it might morph into a DISCUSS.  Or not.  We'll see:

I wonder why this is being published in the IETF stream, rather than the Independent stream, given that it's Informational, and not Standards Track.  And given that it's Informational, and not Standards Track, I have an issue with the many times it calls itself "this standard" all through the document.

Apart from that, I certainly have no objection to the publication of this as an RFC, and I'm glad to see that change control is being given to the IETF, so future versions could be put on Standards Track.
2014-01-21
04 Barry Leiba [Ballot Position Update] New position, No Objection, has been recorded for Barry Leiba
2014-01-20
04 Adrian Farrel [Ballot Position Update] New position, No Objection, has been recorded for Adrian Farrel
2014-01-19
04 Spencer Dawkins [Ballot Position Update] New position, No Objection, has been recorded for Spencer Dawkins
2014-01-17
04 Kathleen Moriarty IANA Review state changed to Version Changed - Review Needed from IANA OK - No Actions Needed
2014-01-17
04 Kathleen Moriarty New version available: draft-moriarty-pkcs12v1-1-04.txt
2014-01-16
03 Tero Kivinen Request for Last Call review by SECDIR Completed: Has Nits. Reviewer: Tina Tsou.
2014-01-14
03 Sean Turner Changed consensus to Yes from Unknown
2014-01-14
03 Sean Turner State changed to IESG Evaluation from Waiting for Writeup
2014-01-14
03 Sean Turner Ballot has been issued
2014-01-14
03 Sean Turner [Ballot Position Update] New position, Yes, has been recorded for Sean Turner
2014-01-14
03 Sean Turner Created "Approve" ballot
2014-01-14
03 Sean Turner Ballot writeup was changed
2014-01-13
03 Francis Dupont Request for Last Call review by GENART Completed: Ready. Reviewer: Francis Dupont.
2014-01-10
03 (System) State changed to Waiting for Writeup from In Last Call (ends 2014-01-10)
2014-01-02
03 Gunter Van de Velde Request for Last Call review by OPSDIR Completed: Has Nits. Reviewer: Bert Wijnen.
2014-01-01
03 Sean Turner Placed on agenda for telechat - 2014-01-23
2013-12-19
03 Jean Mahoney Request for Last Call review by GENART is assigned to Francis Dupont
2013-12-19
03 Tero Kivinen Request for Last Call review by SECDIR is assigned to Tina Tsou
2013-12-18
03 Gunter Van de Velde Request for Last Call review by OPSDIR is assigned to Bert Wijnen
2013-12-16
03 (System) IANA Review state changed to IANA OK - No Actions Needed from IANA - Review Needed
2013-12-16
03 Pearl Liang
IESG/Authors:

IANA has reviewed draft-moriarty-pkcs12v1-1-03, which is currently in Last Call, and has the following comments:

We understand that, upon approval of this document, there are no IANA Actions that need completion. IANA requests that the IANA Considerations section of the document remain in place upon publication.

If this assessment is not accurate, please respond as soon as possible.
2013-12-13
03 Cindy Morgan IANA Review state changed to IANA - Review Needed
2013-12-13
03 Cindy Morgan
The following Last Call announcement was sent out:

From: The IESG
To: IETF-Announce
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (PKCS #12: Personal Information Exchange Syntax v1.1) to Informational RFC


The IESG has received a request from an individual submitter to consider
the following document:
- 'PKCS #12: Personal Information Exchange Syntax v1.1'
  as Informational RFC

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2014-01-10. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  This document represents a republication of PKCS #12 v1.1
  (Republication) From RSA Laboratories' Public Key Cryptography
  Standard (PKCS) series.  Change control is transferred to the IETF,
  and generally all rights in the copyright are hereby assigned from
  RSA to IETF, except that RSA reserves the internal right to continue
  publishing, with the right to modify, and distributing the
  Republication and its predecessors internally to RSA and its parent
  company EMC, including the right to make modifications to the
  Republication and its predecessors (the "RSA Internal Right").  For
  avoidance of doubt, RSA's Internal Right includes the right to post
  on its public website for use by other parties.  The body of this
  document, except for the security considerations section, is taken
  directly from the PKCS #12 v1.1 specification.  The list of
  references and the in-line cites have been updated or added where
  appropriate to cite the most current documents in addition to those
  current at the original publication of PKCS #12 v1.1.

  PKCS #12 v1.1 describes a transfer syntax for personal identity
  information, including private keys, certificates, miscellaneous
  secrets, and extensions.  Machines, applications, browsers, Internet
  kiosks, and so on, that support this standard will allow a user to
  import, export, and exercise a single set of personal identity
  information.  This standard supports direct transfer of personal
  information under several privacy and integrity modes.




The file can be obtained via
http://datatracker.ietf.org/doc/draft-moriarty-pkcs12v1-1/

IESG discussion can be tracked via
http://datatracker.ietf.org/doc/draft-moriarty-pkcs12v1-1/ballot/


No IPR declarations have been submitted directly on this I-D.


2013-12-13
03 Cindy Morgan State changed to In Last Call from Last Call Requested
2013-12-13
03 Cindy Morgan Document shepherd changed to Michael StJohns
2013-12-13
03 Sean Turner Last call was requested
2013-12-13
03 Sean Turner Ballot approval text was generated
2013-12-13
03 Sean Turner Ballot writeup was generated
2013-12-13
03 Sean Turner State changed to Last Call Requested from AD Evaluation
2013-12-13
03 Sean Turner State changed to AD Evaluation from Publication Requested
2013-12-13
03 Sean Turner Last call announcement was generated
2013-12-13
03 Sean Turner Document shepherd changed to (None)
2013-12-13
03 Sean Turner Notification list changed to : msj@nthpermutation.com, Kathleen.Moriarty@emc.com, mnystrom@microsoft.com, sean.parkinson@rsa.com, andreas.rusch@rsa.com, michael2.scott@rsa.com, draft-moriarty-pkcs12v1-1@tools.ietf.org
2013-12-13
03 Sean Turner IETF WG state changed to Submitted to IESG for Publication
2013-12-13
03 Sean Turner IESG state changed to Publication Requested
2013-12-13
03 Sean Turner


This is the document shepherd write-up for
draft-moriarty-pkcs12v1-1-03.txt.  It follows the format described at
http://www.ietf.org/iesg/template/doc-writeup.html



(1) The document is an RFC'ized version of the original PKCS12 V1.1
document and is presented for publication as an Informational RFC as
part of the transfer of copyright from RSA/EMC to the IETF trust.
Given the history of other PKCS series documents transferred to the
IETF, publication as an Informational RFC is appropriate and the
document is marked for proposed status as Informational.

(2) The suggested document announcement is as follows:

  'Technical Summary
     
      The content of the document is substantially the same as the
      source PKCS12 document with the necessary changes to publish it
      as an IETF RFC and to correct a few minor technical issues.  The
      document describes an ASN1-based transfer syntax for personal
      identity information, including private keys, certificates,
      miscellaneous secrets, and extensions.  Machines, applications,
      browsers, Internet kiosks, and so on, that support this standard
      will allow a user to import, export, and exercise a single set
      of personal identity information.  This standard supports direct
      transfer of personal information under several privacy and
      integrity modes.

  'Working Group Summary

      The document action is primarily a publication to document the
      transfer of copyright from RSA/EMC to the IETF.  As such, this
      has been handled as an individual submission from the current
      copyright holder with AD input.  The security area AD's believe
      this specification to be a useful addition to the set of IETF
      documents and expect it to be the basis for the publication of
      future IETF standards based on the original PKCS12 work, similar
      to what has previously happened with PKCS7.

  'Document Quality

      PKCS12-based implementations are widespread and well
      understood. This document is a comprehensive and complete
      discussion of the current PKCS12 framework with the addition of
      code points to support more recently defined cryptographic
      mechanisms.  The document references are up to date and appear
      to be complete.



(3) Document review.  The current form of the document was compared to
the existing PKCS12 document, and barring minor changes for formatting
and for the addition of a few code points it is substantially
identical in content to the source document.  As the publication of
this document is primarily to document transfer of copyright, no
substantive changes were contemplated or desired.

(4)-(6) I have no concerns with the document as presented.  Given that
it is presented as a copyright transfer from RSA/EMC to the IETF, and
given that it is being published in its first form as Informational,
it would mostly defeat the purpose of the copyright transfer to allow
substantive changes to the text being transferred.


(7, 8) The primary document author (K Moriarty) has asserted she has been
given permission by RSA/EMC to transfer PKCS12 to the IETF.  I have
consulted with the security AD's and the IAOC/IETF Trust in the person
of Scott Bradner and their opinion is that this is sufficient for the
IETF to accept the transfer.

(9) As this is an individual submission, WG consensus is not
relevant.  The Security AD's have indicated agreement with the
publication of the document.

(11) There are no actual NITS.  The ones identified by the automated
process are mis-identifications of ASN1 constructs (E.g. an ASN1
'OPTIONAL' keyword and a '[0]' ASN1 explicit tag).

(12) There is no specific formal review of contained
code/BNF/ASN.1/MIBs required for a document of this type at this
stage.  If and when standards track documents are derived from this
document I would recommend a formal review of the contained ASN1.

(13) The references have been reviewed and are up to date and
appropriately labeled as normative or informative.

(14) There are no normative references waiting for advancement on
which this document is dependent.

(15) There are no downward normative references in this document.

(16) The publication of this document will not affect the status of
any existing RFCs.

(17) As an Informational submission, this document does not contain any
items that should be referred to the IANA.

(18) No new IANA registries are required by this document.

(19) No automated checks have been performed on the contained ASN.1 as
any changes to fix issues (if any were identified) could have an
adverse effect with respect to the transfer of copyright.  As noted in
(12) above, I would recommend doing such checks if and when a document
derived from this document enters the standards track.


2013-12-13
03 Sean Turner Working group state set to Submitted to IESG for Publication
2013-12-13
03 Sean Turner IESG state set to Publication Requested
2013-11-25
03 Kathleen Moriarty New version available: draft-moriarty-pkcs12v1-1-03.txt
2013-11-10
02 Sean Turner State changed to AD is watching from I-D Exists (IESG: Dead)
2013-10-21
02 Kathleen Moriarty New version available: draft-moriarty-pkcs12v1-1-02.txt
2013-09-26
01 (System) Document has expired
2013-09-26
01 (System) State changed to I-D Exists (IESG: Dead) from AD is watching
2013-06-26
01 Sean Turner Document shepherd changed to (None)
2013-06-26
01 Sean Turner Assigned to Security Area
2013-06-26
01 Sean Turner Intended Status changed to Informational
2013-06-26
01 Sean Turner IESG process started in state AD is watching
2013-06-26
01 Sean Turner Stream changed to IETF from None
2013-06-26
01 Sean Turner Shepherding AD changed to Sean Turner
2013-03-25
01 Kathleen Moriarty New version available: draft-moriarty-pkcs12v1-1-01.txt
2013-01-14
00 Kathleen Moriarty New version available: draft-moriarty-pkcs12v1-1-00.txt