[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Hipsec] draft-ietf-hip-cert-02-pre00

To: Samu Varjonen <samu.varjonen at HIIT.FI>
Subject: Re: [Hipsec] draft-ietf-hip-cert-02-pre00
From: Tobias Heer <heer at cs.rwth-aachen.de>
Date: Thu, 22 Oct 2009 10:47:36 +0200
Cc: HIP <hipsec at ietf.org>
Delivered-to: hipsec at core3.amsl.com
In-reply-to: <4ADFF8D3.4030602 at hiit.fi>
List-archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-help: <mailto:hipsec-request@ietf.org?subject=help>
List-id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-post: <mailto:hipsec@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
References: <4ADC1B4D.6010608 at hiit.fi> <E330FAC0AD42A34E90F3467F5A37AA372546211D2D at XCH-NW-11V.nw.nos.boeing.com> <AAF2CBF9D2573B45A7ED75C4FFD9883F4B9515A10E at XCH-NW-10V.nw.nos.boeing.com> <4ADFF8D3.4030602 at hiit.fi>

Hi.

Comments inline.

Am 22.10.2009 um 08:16 schrieb Samu Varjonen:

Henderson, Thomas R kirjoitti:
2) elements of procedure for exchanging CERTs, or requesting thatthe peer provide a CERT.
This has been discussed but for some reason we put it into hip-service-00. Do you think hip-cert should have its own way of askingthe certificates or could it use hip-service-00? The functionalitywould overlap with the hip-service-00.

The HIP hip-service-00 draft presents a general way of notifying end-hosts about requirements and properties of a service and allows somesimple negotiations. Requesting certain certificates was one of themain reasons for writing the draft. However, we felt that more generalnegotiations would be out of scope for the hip-crt draft. The drafthas not been advanced because we got very little comments on whichservices people would/could use. If needed we can narrow down thetypes of services that can be negotiated and focus on the signaling ofthe certificate first but I wouldn't really want to abandon a moregeneral use of the HIP service parameter.

So, I'm guessing that David has the first use case in mind, thatthe CA need not even be HIP aware but is just asked to sign thebinding between key and name, and then the host can use the subjectkey as a host identity.Regarding elements of procedure, it seemed to me that it would bein scope to specify how to ask the end host to provide a CERT, plushow to handle failure cases (e.g. "I don't recognize the CA", "Badcertificate signature", etc.). In addition, I agree with David'scomment that a HIP-aware middlebox ought to be able to challenge ahost to provide a CERT. I don't know whether just a genericchallenge would be needed, or whether the middlebox would be ableto identify the CAs that it recognizes in the challenge.
Sounds like hip-service-00 :)
- Is SPKI the right choice for the default format?
Do we need a default for this? What does it mean that "Allimplementations MUST support the X.509v3 format." This is anoptional, non-critical parameter.It seems to me that implementations ought to be RECOMMENDED tosupport one or both formats, and we specify what happens when oneside of the exchange does not understand CERT at all, or when itunderstands CERT but does not support the Type number.
It was supposed to be like: If you implement this non-criticalparameter you should at-least implement support for thiscertificate. But I can see your point and I am leaning towards itand here I should refer to the hip-service-00 again.

If needed we can flesh out the certificate handling in the hip-servicedraft to support the hip-cert draft. So far, the hip-service-00 draftwas discussed in the RG. Should we expand this to the WG and procesship-cert and hip-service as a bundle?


BR,
Tobias

- Are the hash and URL encodings needed? At least with on-path

middleboxes they are problematic.

I think the hash and URL encodings are important and would
even like to see them expanded to include http URL,
Distinguished Name, and LDAP path.

Agree.


Looking into this and agreeing.

- Are the examples in the appendixes sufficient?

It would be nice to see an example with sending a certificate chain.

Agree (a non-self-signed example).


OK. can be done.

A few small editorial comments are that in section 2, thecapitalization is not consistent in paragraph 3, and it seems likethe last sentence before the figure should be the lead sentence ofparagraph three, so the reader doesn't infer from the existingparagraph three lead sentence that any HIP packet (e.g. I1) carriesCERT.


OK, will fix this.

Regards,
Tom


Thanks for the helpful comments.

--
BR,
Samu

"Programmer is an organism that changes caffeine into code"
_______________________________________________
Hipsec mailing list
Hipsec at ietf.org
https://www.ietf.org/mailman/listinfo/hipsec

--

Dipl.-Inform. Tobias Heer, Ph.D. Student
Distributed Systems Group
RWTH Aachen University, Germany
tel: +49 241 80 207 76
web: http://ds.cs.rwth-aachen.de/members/heer

Follow-Ups:
- Re: [Hipsec] draft-ietf-hip-cert-02-pre00
  - From: Henderson, Thomas R

References:
- [Hipsec] draft-ietf-hip-cert-02-pre00
  - From: Varjonen Samu
- Re: [Hipsec] draft-ietf-hip-cert-02-pre00
  - From: Mattes, David
- Re: [Hipsec] draft-ietf-hip-cert-02-pre00
  - From: Henderson, Thomas R
- Re: [Hipsec] draft-ietf-hip-cert-02-pre00
  - From: Samu Varjonen

Prev by Date: Re: [Hipsec] draft-ietf-hip-cert-02-pre00
Next by Date: Re: [Hipsec] draft-ietf-hip-cert-02-pre00
Previous by thread: Re: [Hipsec] draft-ietf-hip-cert-02-pre00
Next by thread: Re: [Hipsec] draft-ietf-hip-cert-02-pre00
Index(es):
- Date
- Thread