ietf-smime
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

comments on draft-ietf-smime-symkeydist-03.txt

2001-05-01 11:24:57
from [Sean P. Turner] [Permanent Link]
All,

Here are the comments I received off-line on the draft-03 version that were rolled into the -04 version (-04 version is out for WG last call):

  • Use new CMC structures for success and failure codes.
    • Yuck, but okay.  End up obsoleting glFailInfo oid and messages syntax.  Defined new OID for error codes to be returned in the new CMC structure.  Moved the delete error code attribute to be in the CMC requirements section.  Deleted the success message, as it is no longer needed.  Moved the error codes to section 3.2.4.  Had to rewrite section 3.2.3.  But basically ended up replacing "glFailInfo.errorCode" with "cMCStatusInfoEx.otherInfo.extendedFailInfo.SKD-FailInfo value of ", "cMCStatusInfo" with "cMCStatusInfoEx", and "glSuccessInfo" with "cMCStatusInfoEx.cMCStatus.success".  Added error codes to ASN.1 module.  Need to get OID for the error codes (but that should be done by the time you're reading this).
  • Add a "certificates" field to glOwnerInfo.
    • I did this and it's similar to the certificates field from glMember.  certificates.pKC MUST be included if the name is not the signer of the message.
  • In section 3.1.1, remove the last line from glAdministration.closed.  If the GLO wanted to review the request the list is set up as "managed."
  • In section 3.1.6, change the glIdentifier to be KEKIdentifier (from CMS) as opposed to OCTET STRING.  The reason is that people may want to include parameters here.
  • In section 3.1.6, replace the lat sentence in the glkAlgorithm with the following "Since no encrypted data content is being conveyed at this point, the parameters encoded with the algorithm should be the structure defined for SMIMECapabilities rather than encrypted content."  It clarifies how/where the parameters are used.
  • Reorganize 3.1.10 to have three sections.  One to describe the general request, one of the general response, and one for the request/response combinations defined in this document.
  • Add in to section 3.2.12 the requirement to support "Content-Hints" if a signature outside of an encryption layer is added.
  • In sections 4 and 5 "failure" response are returned to "failure" responses.  This will lead to loops.  If an invalid signature is received you shouldn't just keep sending back a failure response - it's probably better to generate a new request.
    • What I ended up deciding was that any message with content whose signature fails should return a response, but a cMCStatusInfoEx failed signature shouldn't return a badMessageCheck error. para 4.1 #3.a, para 4.2 #3.a, para 4.3.1 #3.a and #4.a, para 4.4.1 #3.a and #4.a, para 4.5.1 #3.a, para 4.5.2 #2.a, para 4.6 #3.a
  • In section 5.1 add a response message from the GL member to indicate that they received the distributed KEK.
  • Replace algorithm references to CMS in paragraph 6 with new draft for SMIME algorithms.
  • Add text in the security considerations to indicate that there are concerns about distributing shared KEKs with previously shared KEKs.
    • How about: "Assume that two or more parties have a shared KEK, and the shared KEK is used to encrypt a second KEK for confidential distribution to those parties.  The second KEK might be used to encrypt a third KEK; the third KEK might be used to encrypt a fourth KEK; and so on.  If any of the KEKs in such a chain is compromised, all of the subordinate KEKs in the chain MUST also be considered compromised."
  • Update references for PKIX to son-of-RFC2459, CMC to 2797bis, CMS to TBD, ESS to TBD, MSG to TBD.
  • Fix the following ASN.1 mistakes:
    • Get OID for module: iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) symkeydist(12) }
    • Import GeneralName from new pkix1 implicit module
    • Import certificate and algorithm identifier from new PKIX Explicit module
    • Import attribute certificate from ACProf module
    • CMS3DESWrap should be CMS3DESwrap in imports
    • Include CertificateSet import from CMS module
    • Add id-skd OBJECT IDENTIFER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) skd(8) }
    • Remove parentheses from all DEFAULTs
    • duration's "default" is spelt incorrectly
    • Added tags to Certificates sub-structures
    • glkRefresh is missing "SEQUENCE"
    • add "SIZE" to dates definition
    • Date is missing "SEQUENCE"
    • Rename GLAQuertRequest's glaRequestValue to be "ANY DEFINED BY glaRequestType"
    • Added oid arc for request/response type
    • Added oids for algorithmSupported request/response
Cheers,

spt

     
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
  • comments on draft-ietf-smime-symkeydist-03.txt, Sean P. Turner <=
Previous by Date:  WG Last Call Extended: draft-ietf-smime-rcek-02.txt, Housley, Russ
Next by Date:  RE: S/MIME version number and Attribute Certificates, Pawling, John
Previous by Thread:  WG Last Call Extended: draft-ietf-smime-rcek-02.txt, Housley, Russ
Next by Thread:  RE: S/MIME version number and Attribute Certificates, Pawling, John
Indexes:  [Date] [Thread] [Top] [All Lists]