Paul Hoffman <[email protected]> wrote on 01/19/2011 01:28:30 PM:

> On 1/19/11 9:21 AM, Keith Welter wrote:
> >
> > I submitted draft-welter-ipsecme-ikev2-reauth-03 with the rewording
> > shown below. I'd like to ask the working group to accept this as a work
> > item but I am unfamiliar with the process. What next?
>
> I have Cc'd Yaron on this because he is the co-chair. I have Cc'd Yoav
> on this because he replied on-list but missed two very salient points in
> his response (it's not in the charter, and there is almost no energy
> left in the WG).
>
> Instead of making this a WG document (which would require a recharter
> *and* enough people to give responses), I propose that you simply make
> this an Individual Submission to an AD. For that, you just need to
> approach the appropriate AD (Sean Turner, in this case) and tell him the
> history of the draft. You get extra points if you can say "and I already
> have a proposed document shepherd who is credible"; that could be Yaron
> or Yoav or me. FWIW, there is no difference between you going through
> the WG and Individual Submission for the document being on standards track.
>
> You could ask the WG if they want to re-charter; my personal preference
> would be that you don't. I worry that people will say "yes" and then be
> as dead as they are now for our current documents.
>
> Let Yaron and me know what you think of this prospect.

This may be a naive answer, but I'm not opposed to the idea of Individual Submission. I do have some comments/questions:

1. My draft depends on RFC 6023 and cites it as a normative reference. Since I'd like to get my draft on the standards track, does that mean that RFC 6023 needs to get on the standards track too?

2. There is one point I'd still like technical input on, namely the security considerations of signing the previous AUTH payload sent by the host in the modified IKE_AUTH exchange (section 5 of the draft). Yoav suggested this approach, it sounded fine to me, and I ran it by a couple of my colleagues (Scott Moonen and David Wierbowski) who thought it sounded fine too, so I used it in the new draft. I'd feel better if another subject matter expert said, "yes, that is fine." Bonus points if the SME can offer a sentence or two justifying why this mechanism is as secure as the authentication operation that takes place during the initial exchanges. It would be nice to include that information in the security considerations section of my draft.

More specifically, RFC 5996 section 2.15 "Authentication of the IKE SA" says, "It is critical to the security of the exchange that each side sign the other side's nonce." Is it necessary to include nonces in the signed data in the proposed modified IKE_AUTH exchange? I don't think so, but since I don't know why it was necessary as part of the signed data in the initial exchanges, I don't feel qualified to assert that formally.

3. In practice, is an Individual Submission less likely to be widely adopted than a document that is sponsored by a working group? I realize that is probably a moot point, given the lack of energy in the WG that Paul noted, but I thought I'd ask anyway.

Thanks,
Keith Welter
IBM z/OS Communications Server Developer
1-415-545-2694 (T/L: 473-2694)
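Editor's note: the construction Keith quotes from RFC 5996 section 2.15 is easiest to see in code. The following is an added illustration, not part of Keith's message and not code from draft-welter-ipsecme-ikev2-reauth; it models only the shared-key AUTH computation that RFC 5996 specifies for the initial exchanges (AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), SignedOctets), with SignedOctets = own IKE_SA_INIT message | peer's nonce data | prf(SK_p, RestOfIDPayload)). The prf is HMAC-SHA256, the messages, nonces, secret and SK_pi are constructed placeholder values, and SK_pi is deliberately held fixed across the two runs so that the effect of the peer's nonce is isolated (in a real exchange the SK_ keys also change per run). It generalizes slightly beyond the quoted sentence by computing the same check with the nonce omitted, which shows the difference the nonce makes.

```python
"""Toy model of the RFC 5996 section 2.15 signed octets (added illustration).

Each side's AUTH covers its own first message, the *other* side's nonce
data, and a prf over its own ID payload. Binding the peer's nonce means an
AUTH value can neither be computed before the peer has spoken nor carried
over from one exchange to another in which the peer chose a different nonce.
All values below are constructed for the demonstration; none are real IKE
packets or keys.
"""
import hashlib
import hmac
import os

KEY_PAD = b"Key Pad for IKEv2"  # literal pad string from RFC 5996 section 2.15


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 standing in for the negotiated IKEv2 prf (assumption)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def signed_octets(own_init_message: bytes, peer_nonce_data: bytes,
                  sk_p: bytes, rest_of_id_payload: bytes) -> bytes:
    """SignedOctets = RealMessage | NonceData(peer) | prf(SK_p, RestOfIDPayload).

    RealMessage is the signer's own IKE_SA_INIT message, the nonce is the
    peer's nonce with its payload header stripped, and SK_p is SK_pi or SK_pr.
    """
    maced_id = prf(sk_p, rest_of_id_payload)
    return own_init_message + peer_nonce_data + maced_id


def psk_auth(shared_secret: bytes, octets: bytes) -> bytes:
    """Shared-key AUTH value: prf(prf(Shared Secret, "Key Pad for IKEv2"), octets)."""
    return prf(prf(shared_secret, KEY_PAD), octets)


def verify_auth(shared_secret: bytes, octets: bytes, auth: bytes) -> bool:
    """Constant-time comparison of a received AUTH against the local recomputation."""
    return hmac.compare_digest(psk_auth(shared_secret, octets), auth)


def replay_check() -> dict:
    """Run one honest exchange, then re-present its AUTH in a second exchange.

    Returns which verifications succeed; SK_pi is held constant on purpose so
    that the responder nonce is the only thing that differs between runs.
    """
    shared_secret = b"constructed-shared-secret"
    sk_pi = b"constructed-SK_pi"                      # fixed across runs (toy)
    rest_of_id_i = b"\x01\x00\x00\x00" + b"initiator@example"  # ID type + data
    message1 = b"constructed IKE_SA_INIT message 1 (SAi1, KEi, Ni)"

    # Run 1: responder picks a nonce, initiator signs it, responder verifies.
    nonce_r_run1 = os.urandom(32)
    auth_run1 = psk_auth(shared_secret,
                         signed_octets(message1, nonce_r_run1, sk_pi, rest_of_id_i))
    honest = verify_auth(shared_secret,
                         signed_octets(message1, nonce_r_run1, sk_pi, rest_of_id_i),
                         auth_run1)

    # Run 2: the same message1 and AUTH are presented again, but this
    # responder instance chose a fresh nonce, so the recomputation differs.
    nonce_r_run2 = os.urandom(32)
    replay_with_nonce = verify_auth(shared_secret,
                                    signed_octets(message1, nonce_r_run2, sk_pi, rest_of_id_i),
                                    auth_run1)

    # Same scenario with the peer nonce left out of the signed data: nothing
    # in the covered octets changes between runs, so the old AUTH still verifies.
    octets_no_nonce = message1 + prf(sk_pi, rest_of_id_i)
    auth_no_nonce = psk_auth(shared_secret, octets_no_nonce)
    replay_without_nonce = verify_auth(shared_secret, octets_no_nonce, auth_no_nonce)

    return {"honest": honest,
            "replay_with_nonce": replay_with_nonce,
            "replay_without_nonce": replay_without_nonce}


if __name__ == "__main__":
    print(replay_check())
```

Running it yields honest verification succeeding, the re-presented AUTH failing when the responder's nonce is covered, and the same re-presented AUTH succeeding when it is not. The same `signed_octets` function serves the responder direction with its own message 2, the initiator's nonce and SK_pr.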
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
