Ben: thank you for the review! Authors - do you have a comment on the expired key suggestion? I think I agree with it…

Jari

On Nov 19, 2013, at 5:46 PM, Ben Campbell <[email protected]> wrote:

> I am the assigned Gen-ART reviewer for this draft. For background on
> Gen-ART, please see the FAQ at
> <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.
>
> Please wait for direction from your document shepherd
> or AD before posting a new version of the draft.
>
> Document: draft-ietf-karp-ops-model-09
> Reviewer: Ben Campbell
> Review Date: 2013-11-19
> IESG Telechat date: 2013-11-21
>
> Summary: This draft is ready for publication as an informational RFC. All the
> issues from my last call review have been addressed, save 1 below.
>
> Major issues:
>
> None
>
> Minor issues:
>
> -- My last call review included a concern about a possible need for
> additional guidance around the idea of continuing to operate with an expired
> key. The author mentioned that the draft reflects working group consensus, and
> I'm okay with that. But I still think there might be value in documenting the
> tradeoffs that the working group considered in reaching that consensus. I'm not
> sure that our correspondence on that matter reached a conclusion. I'm pasting
> the relevant discussion below:
>
>>>
>>> genart> -- section 3.2, last paragraph: "Implementations SHOULD
>>> genart> permit a configuration in which if no unexpired key is
>>> genart> available, existing security associations continue using
>>> genart> the expired key with which they were established."
>>>
>>> genart> This may need further guidance. For example, it seems risky
>>> genart> to do this silently.
>>>
>>> I think this was explicitly discussed in the WG and is where we got in
>>> our discussions.
>>> There's discussion of alerts for security events elsewhere.
>>> However I think the current text represents a fairly informed WG
>>> consensus.
>>
>> You are correct that there is separate text on notification of security
>> events (section 6.2), and that even mentions certificate expiration. But it
>> doesn't explicitly mention continuing to use an expired key. I think that's
>> important enough that it should be explicitly considered.
>>
>> If it was explicitly discussed in the working group, it would be helpful to
>> document the trade-offs that were discussed.
>
>
> Nits/editorial comments:
>
> -- idnits reports some outdated references, please check.
>
> -- section 1, paragraph 4, 2nd sentence:
>
> s/routers/Routers
> _______________________________________________
> Gen-art mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/gen-art
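The section 3.2 behaviour debated above (an existing security association keeps using the expired key it was established with when no unexpired key is available), together with the "don't do it silently" point, sketched as an added example. This is illustration code written for this page, not text or code from draft-ietf-karp-ops-model or the KARP working group; the class names, the `allow_expired_continuation` knob, the alert strings and the choice to roll an existing SA onto a newer unexpired key as soon as one exists are all this example's own assumptions.

```python
# Added example, not from the draft or the review: a minimal key table showing
# the "continue on expired key" configuration and the alert that should go with it.
# Names, the config knob and the alert format are assumptions of this example.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Key:
    key_id: int
    secret: bytes
    not_before: int  # validity window, seconds since the epoch
    not_after: int

    def unexpired_at(self, now: int) -> bool:
        return self.not_before <= now <= self.not_after


@dataclass
class SecurityAssociation:
    peer: str
    key_id: int  # the key this SA was established with


@dataclass
class KeyTable:
    keys: List[Key]
    # The configuration the draft says implementations SHOULD permit (assumed name).
    allow_expired_continuation: bool = False
    # Stands in for the security-event notifications the review points to (section 6.2).
    alerts: List[str] = field(default_factory=list)

    def _by_id(self, key_id: int) -> Optional[Key]:
        return next((k for k in self.keys if k.key_id == key_id), None)

    def select_for_new_sa(self, now: int) -> Optional[Key]:
        """A new SA may only be established with an unexpired key; the most
        recently valid one wins when several overlap."""
        live = [k for k in self.keys if k.unexpired_at(now)]
        return max(live, key=lambda k: k.not_before) if live else None

    def select_for_existing_sa(self, sa: SecurityAssociation, now: int) -> Optional[Key]:
        """Key to keep an already-established SA alive at time `now`.

        Preference order (the roll-over in step 1 is this example's choice):
          1. any unexpired key (normal operation, or roll-over to a newer key);
          2. if none, and the operator enabled it, the expired key the SA was
             established with, never silently: an alert is recorded;
          3. otherwise None, meaning the SA has to be torn down.
        """
        live = self.select_for_new_sa(now)
        if live is not None:
            return live
        established = self._by_id(sa.key_id)
        if established is None:
            self.alerts.append(
                f"peer={sa.peer} key_id={sa.key_id} no longer in key table; SA dropped"
            )
            return None
        if self.allow_expired_continuation:
            self.alerts.append(
                f"peer={sa.peer} continuing on EXPIRED key_id={sa.key_id} "
                f"(expired {now - established.not_after}s ago); no unexpired key available"
            )
            return established
        self.alerts.append(
            f"peer={sa.peer} key_id={sa.key_id} expired and continuation disabled; SA dropped"
        )
        return None


if __name__ == "__main__":
    # Constructed sample: key 1 valid 0..100, key 2 valid 90..200, SA set up on key 1.
    table = KeyTable(
        keys=[Key(1, b"old-secret", 0, 100), Key(2, b"new-secret", 90, 200)],
        allow_expired_continuation=True,
    )
    sa = SecurityAssociation("rtr-b", key_id=1)
    for now in (50, 150, 250):
        k = table.select_for_existing_sa(sa, now)
        print(now, "->", None if k is None else k.key_id)
    for line in table.alerts:
        print("ALERT:", line)
```

The point the review is making shows up in the last branch: the operationally friendly choice (keep the adjacency up) and the security choice (fail closed) are both legitimate, which is exactly why the trade-off deserves a sentence in the document and an alert in the implementation rather than a silent fallback.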
