Group Security Policy Token v1
draft-ietf-msec-policy-token-sec-06
Revision differences
Document history
Date | Rev. | By | Action |
---|---|---|---|
2012-08-22
|
06 | (System) | post-migration administrative database adjustment to the No Objection position for Brian Carpenter |
2006-01-26
|
06 | Amy Vezza | State Changes to RFC Ed Queue from Approved-announcement sent by Amy Vezza |
2006-01-26
|
06 | Amy Vezza | IESG state changed to Approved-announcement sent |
2006-01-26
|
06 | Amy Vezza | IESG has approved the document |
2006-01-26
|
06 | Amy Vezza | Closed "Approve" ballot |
2006-01-26
|
06 | Russ Housley | State Changes to Approved-announcement to be sent from IESG Evaluation::AD Followup by Russ Housley |
2006-01-25
|
06 | Brian Carpenter | [Ballot comment] The extra words in the introduction in -06 sort-of take care of the protocol problem (3) but I can foresee difficulties if this … [Ballot comment] The extra words in the introduction in -06 sort-of take care of the protocol problem (3) but I can foresee difficulties if this ever comes up for consideration as Draft Standard. I think the changes in the -06 version are at the absolute minimum level to deal with the ASN.1 extensibility problems (1) and (2). I'm sure Sam is correct that there may be future scenarios where the ASN.1 parse fails in some implementations attempting to join a group. However, my expertise in this area is fairly limited, so I will switch to no-objection and wish the implementors and users the best of luck. |
2006-01-25
|
06 | Brian Carpenter | [Ballot Position Update] Position for Brian Carpenter has been changed to No Objection from Discuss by Brian Carpenter |
2006-01-24
|
06 | (System) | New version available: draft-ietf-msec-policy-token-sec-06.txt |
2006-01-20
|
06 | (System) | Removed from agenda for telechat - 2006-01-19 |
2006-01-19
|
06 | Amy Vezza | State Changes to IESG Evaluation::AD Followup from IESG Evaluation by Amy Vezza |
2006-01-19
|
06 | Brian Carpenter | [Ballot discuss] Picking up Sam's points 1) Misuse of ASN.1. The document cites the 1997 ASN.1, but has a number of choices and structures that … [Ballot discuss] Picking up Sam's points 1) Misuse of ASN.1. The document cites the 1997 ASN.1, but has a number of choices and structures that seem like they are intended to be extended in the future. Without extensibility markers, a conforming implementation will reject a sequence or choice with elements not permitted by the abstract syntax. 2) There is no extensibility or versioning strategy described in the document. How do we add fields? What should recipients of a token do if they do not understand part of it? 3) It's not clear that the GSAKMP document combined with this document provides enough mandatory to implement features that any two implementations of this specification will work together. The GSAKMP document specifies mandatory to implement mechanisms for GSAKMP. However the policy token allows for a wide variety of combinations of protocols. For example, a policy token could specify one protocol for registration, one protocol for rekey, and a completely different protocol for de-registration. If only one of these is GSAKMP, what happens? Where is it specified what combinations a GM, a GC/KS etc must support in terms of policy token contents? |
2006-01-19
|
06 | Brian Carpenter | [Ballot Position Update] New position, Discuss, has been recorded for Brian Carpenter by Brian Carpenter |
2006-01-19
|
06 | Allison Mankin | [Ballot Position Update] New position, No Objection, has been recorded for Allison Mankin by Allison Mankin |
2006-01-19
|
06 | Margaret Cullen | [Ballot Position Update] New position, No Objection, has been recorded for Margaret Wasserman by Margaret Wasserman |
2006-01-19
|
06 | Bert Wijnen | [Ballot Position Update] New position, No Objection, has been recorded for Bert Wijnen by Bert Wijnen |
2006-01-19
|
06 | Jon Peterson | [Ballot Position Update] New position, No Objection, has been recorded for Jon Peterson by Jon Peterson |
2006-01-19
|
06 | Alex Zinin | [Ballot Position Update] New position, No Objection, has been recorded for Alex Zinin by Alex Zinin |
2006-01-19
|
06 | Bill Fenner | [Ballot Position Update] New position, No Objection, has been recorded for Bill Fenner by Bill Fenner |
2006-01-18
|
06 | Michelle Cotton | IANA Comments: The IANA Considerations section requests that 13 object identifiers be assigned. In which registry should these be assigned? IANA needs clarification. |
2006-01-18
|
06 | Mark Townsley | [Ballot Position Update] New position, No Objection, has been recorded for Mark Townsley by Mark Townsley |
2006-01-17
|
06 | Ted Hardie | [Ballot Position Update] New position, No Objection, has been recorded for Ted Hardie by Ted Hardie |
2006-01-17
|
06 | Sam Hartman | [Ballot comment] I'm abstaining on this draft because I believe that the mechanism described is fundamentally too complicated for reasonable implementation. I think this mechanism … [Ballot comment] I'm abstaining on this draft because I believe that the mechanism described is fundamentally too complicated for reasonable implementation. I think this mechanism embodies an extension of a design philosophy we tried with the first version of IPsec: very extensible. Implementation experience has caused us to back off from that design philosophy significantly with RFC 3401 and surrounding documents. I believe that multicast security is more complicated and thus requires more effort spent avoiding unnecessary complexity and testing all the options not less. The following are issues that would probably justify a discuss. At least at this point I'm not going to hold a discuss on these issues because I think the document would still be a incorrect approach if these issues are fixed and because I do not want to spend the time fixing these issues. Other ADs may wish to consider whether they wish to file a discuss on these issues. 1) Misuse of ASN.1. The document cites the 1997 ASN.1, but has a number of choices and structures that seem like they are intended to be extended in the future. Without extensibility markers, a conforming implementation will reject a sequence or choice with elements not permitted by the abstract syntax. 2) There is no extensibility or versioning strategy described in the document. How do we add fields? What should recipients of a token do if they do not understand part of it? 3) It's not clear that the GSAKMP document combined with this document provides enough mandatory to implement features that any two implementations of this specification will work together. The GSAKMP document specifies mandatory to implement mechanisms for GSAKMP. However the policy token allows for a wide variety of combinations of protocols. For example, a policy token could specify one protocol for registration, one protocol for rekey, and a completely different protocol for de-registration. If only one of these is GSAKMP, what happens? Where is it specified what combinations a GM, a GC/KS etc must support in terms of policy token contents? However my concern with the document is deeper than these actionable discuss issues. It seems that there are too many options for this system to be reasonably configured by operators or users. Here are some questions to guide thought about where there might be too many options. Why do you need the ability to use completely different registration, de-registration and rekey protocols? Wouldn't it be sufficient to say that you use GSAKMP (or some other protocol) for all the operations. Possibly you would have a way to say that some operations are not needed. Why do you need to specify separate signing algorithms and hashes for every operation? Why would you want the ability to have a different signature for parts of de-registration than for registration? Why are there so many different points at which a single trust anchor CA is specified yet no mechanism is provided to get the key corresponding to the key identifier? Why do you need different CA trust anchors at every point? What's wrong with using a single trust infrastructure for registration and de-registration? Why does the policy token need to be so generic; would we not be better off making it GSAKMP specific? Is the naming architecture and authorization architecture the right balance of flexible and easy to use? |
2006-01-17
|
06 | Sam Hartman | [Ballot Position Update] New position, Abstain, has been recorded for Sam Hartman by Sam Hartman |
2006-01-17
|
06 | Scott Hollenbeck | [Ballot Position Update] New position, No Objection, has been recorded for Scott Hollenbeck by Scott Hollenbeck |
2006-01-13
|
06 | Russ Housley | State Changes to IESG Evaluation from Waiting for AD Go-Ahead by Russ Housley |
2006-01-04
|
06 | Russ Housley | Placed on agenda for telechat - 2006-01-19 by Russ Housley |
2006-01-04
|
06 | Russ Housley | [Ballot Position Update] New position, Yes, has been recorded for Russ Housley |
2006-01-04
|
06 | Russ Housley | Ballot has been issued by Russ Housley |
2006-01-04
|
06 | Russ Housley | Created "Approve" ballot |
2006-01-03
|
06 | (System) | State has been changed to Waiting for AD Go-Ahead from In Last Call by system |
2005-12-20
|
06 | Amy Vezza | Last call sent |
2005-12-20
|
06 | Amy Vezza | State Changes to In Last Call from Last Call Requested by Amy Vezza |
2005-12-19
|
06 | Russ Housley | State Changes to Last Call Requested from AD Evaluation::AD Followup by Russ Housley |
2005-12-19
|
06 | Russ Housley | Last Call was requested by Russ Housley |
2005-12-19
|
06 | (System) | Ballot writeup text was added |
2005-12-19
|
06 | (System) | Last call text was added |
2005-12-19
|
06 | (System) | Ballot approval text was added |
2005-12-16
|
06 | (System) | Sub state has been changed to AD Follow up from New Id Needed |
2005-12-16
|
05 | (System) | New version available: draft-ietf-msec-policy-token-sec-05.txt |
2005-11-13
|
06 | Russ Housley | State Changes to AD Evaluation::Revised ID Needed from AD Evaluation by Russ Housley |
2005-11-13
|
06 | Russ Housley | AD Review comments from Russ Housley on 28-Oct-2005. |
2005-10-21
|
06 | Russ Housley | State Changes to AD Evaluation from Publication Requested by Russ Housley |
2005-10-04
|
06 | Russ Housley | Draft Added by Russ Housley in state Publication Requested |
2005-09-30
|
04 | (System) | New version available: draft-ietf-msec-policy-token-sec-04.txt |
2005-07-08
|
03 | (System) | New version available: draft-ietf-msec-policy-token-sec-03.txt |
2005-03-08
|
02 | (System) | New version available: draft-ietf-msec-policy-token-sec-02.txt |
2005-01-03
|
01 | (System) | New version available: draft-ietf-msec-policy-token-sec-01.txt |
2004-06-24
|
00 | (System) | New version available: draft-ietf-msec-policy-token-sec-00.txt |