Issues

Document Sample
Issues Powered By Docstoc
					                                                              KEYPROV Issues



  ID    Category                       Action                          Assigned To          Status
                   Provide text for re-phrasing Usage Scenario,
                   "Session Time-Out Policy", Section 1.1.3, so
  1       DSKPP    that it is clearer                                        Salah          Complete
                   Provide text for re-phrasing Usage Scenario,
                   "Outsource Provisioning", Section 1.1.4, so that
                   it is less about a deployment scenario, and more
                   about the need for user authentication within the
  2       DSKPP    protocol.                                            Hannes Tschofenig    Open
                   Rename term “Key Container” to “Key Package”
  3       DSKPP    throughout the DSKPP document.                        Andrea Doherty      Open
                   In “Determining which Protocol Variant to Use”,
                   Section 1.4:
                   - Remove references to “near real-time
                   communication”, and “workflow approval process”
                   as justifications for the two-pass protocol (also
                   found in Section 1.0)
                   - Do mention joint key control
                   - Fix typo on 4th bullet in Sec 1.4.2.
                   - Change term “transport key” to “manufacturing
                   key”, and add to Definitions Section (2.2).
                   - Note that ability to support pre-existing (legacy)
                   keys is a key differentiator between four- and two-
                   pass.
                   - Make clear which design aspects are common
                   to 4- and 2-pass protocol variants, e.g.,
  4       DSKPP    Algorithm Agility                                     Andrea Doherty      Open
                   Add definitions of individual keys to Section 2.2,
  5       DSKPP    "Definitions"                                         Andrea Doherty      Open
                   Rename "Server Authorization" in MAC
                   Calculations sections, e.g., Sections 3.1.3.1 and
  6       DSKPP    3.2.3.2, to "Server Authentication"                   Andrea Doherty      Open
                   Explain how K_MAC fits in the DSKPP key
                   hierarchy and how it is derived? Same for
  7       DSKPP    K_MAC'.                                               Andrea Doherty      Open



Andrea Doherty                                                    Page 1 of 16                         12/30/2013
                                                           KEYPROV Issues



  ID    Category                      Action                       Assigned To         Status
  8       DSKPP    Add K_PROV to the Notations Section (2.3)          Andrea Doherty   Open
                   o Rework Section 3.3, “User Authentication”:
                    Remove heading “User Authentication”.
                    Rename Section 3.3.1, “Device Identifier” to
                   “Device Identification” and make it its own
                   Section heading (i.e., Section 3.3), rather than a
                   Sub-Section of “Client Authentication”.
                    Rename “Authentication Data” to “User
                   Authentication” and make it its own heading
                   (Section 3.4) incorporating text from previous
                   Section 3.3.
  9       DSKPP     Cleanup description of Authentication Code,      Andrea Doherty   Open
                   including conformance requirements as per
                   Move Section 3.5, “Encryption of Pseudorandom
                   Magnus’s comments.
                   Nonces Sent from the DSKPP Client” to the
                   section on the Four-Pass Protocol since the
  10      DSKPP    contents only relate to that variant.              Andrea Doherty   Open
                   Rename “Extensibility”, Section 5.0, to “Protocol
                   Extensions”, and explain why the two extension
                   types are important? For what would we expect
                   them to be used? Also explain how the protocol
  11      DSKPP    is extended in general.                            Andrea Doherty   Open
                   Section 9.6.5, “Key Protection in the Two-Pass
                   Passphrase Profile”, mention dependence on the
  12      DSKPP    security of the key package.                       Andrea Doherty   Open
                   Rename “Additional Considerations” (Section
  13      DSKPP    9.6) to “Miscellaneous Considerations”.            Andrea Doherty   Open
                   Review status codes and make sure list is
  14      DSKPP    complete.                                          Andrea Doherty   Open
                   IANA Considerations are incomplete (Section
                   11). Discuss this with IANA folks and make a
  15      DSKPP    recommendation for re-phrasing of the section. Hannes Tschofenig    Open



Andrea Doherty                                                 Page 2 of 16                     12/30/2013
                                                             KEYPROV Issues



  ID    Category                       Action                           Assigned To          Status
                   Remove Key Protection Profiles, Section 3.2.2,
                   from the DSKPP document, and make sure that
                   the profiles are completely covered in the PSKC
  16      DSKPP    and ASN.1 documents                                  Andrea Doherty        Open




                   Chat with Donald Eastlake about Algorithm
                   URIs.
         DSKPP,
         PSKC,     Determine whether a normative reference to
  17      ASN.1    Eastlake's document is required.                   Hannes Tschofenig     In-Progress
         DSKPP,    Ask IANA to post algorithm URIs to their Web
         PSKC,     site. Find out whether it would be possible to
  18      ASN.1    register OTP algorithm URI's.                      Hannes Tschofenig       Open




        PSKC and                                                        Salah Machani,
         ASN.1                                                         Mingliang Pei, and
  19    Alignment Define mandatory-to-implement algorithms.               Philip Hoyer        Open




        PSKC and
         ASN.1
  20    Alignment Define mandatory-to-implement algorithms.               Sean Turner         Open




Andrea Doherty                                                      Page 3 of 16                          12/30/2013
                                                              KEYPROV Issues



  ID    Category                        Action                           Assigned To         Status
        DSKPP and
           PSKC
  21     Alignment Change serial number data type to string              Andrea Doherty      Open
  22      DSKPP    Update conformance section per Issue #32              Andrea Doherty      Open
  23      DSKPP    Re-phrase Authentication Code Format section          Andrea Doherty      Open
                   Makes PSKC language agnostic to the type of
                   system (e.g., OTP authentication servers) that
        PSKC and will make use of it. For example, avoid terms           Salah Machani,
          DSKPP    "validation system", and change "credential" to      Mingliang Pei, and
  24     Alignment "key" as was done in the DSKPP document.                Philip Hoyer      Open
                                                                         Salah Machani,
                                                                        Mingliang Pei, and
  25       PSKC      Remove Logo types from PSKC                           Philip Hoyer      Open
                                                                         Salah Machani,
                                                                        Mingliang Pei, and
  26       PSKC   Incorporate schema changes made during mtg               Philip Hoyer      Open
                  Draft an explanation for the DSKPP document
                  explaining the criteria by which one would use
  27     DSKPP    PSKC vs. ASN.1 formats.                          Salah Machani             Open
                  Update Issue Tracker, e.g., items closed during
                  interim meeting. Add issues from http://
                  www.tschofenig.com/twiki/bin/viewfile/KeyProv/
                  KeyprovInterim2008?rev=1;filename=PSKC_Issu
                  e_List_updated.doc to Issue Tracker, and mark
  28      PSKC    them "Done-cbb".                                  Mingliang Pei            Open
                  Add support for 1 set of attributes per key to
        PSKC and PSKC. For example, could add                      Salah Machani,
         ASN.1    EncryptionMethod and DigestMethod to            Mingliang Pei, and
  29    Alignment KeyType.                                           Philip Hoyer            Open




Andrea Doherty                                                       Page 4 of 16                     12/30/2013
                                                             KEYPROV Issues



  ID    Category                        Action                        Assigned To          Status

                  PSKC does not require a key to be included in
                  the container; it can just transport key metadata.
        PSKC and However, ASN.1 requires a key to be included in
          ASN.1   the container. Change ASN.1 to not require a
  30    Alignment key for support of DSKPP four-pass.                   Sean Turner         Open
                  Change Section 3.2.3 to make it more generic
        PSKC and and describe the case where the attributes           Salah Machani,
         DSKPP    (without the key) are carried in DSKPP (e.g., for Mingliang Pei, and
  31    Alignment four-pass).                                           Philip Hoyer        Open
                                                                       Sean Turner,
        PSKC and                                                      Salah Machani,
         DSKPP    Ensure that attributes are the same for both         Mingliang Pei,
  32    Alignment PSKC and ASN.1.                                       Philip Hoyer        Open
                  Clarify that the “Credential upload case”, Section Salah Machani,
                  3.1.4, could be used to convey the key from the Mingliang Pei, and
  33      PSKC    end host to the provisioning server.                  Philip Hoyer        Open
                                                                      Salah Machani,
                                                                     Mingliang Pei, and
  34      PSKC    Restructure DATA element (Section 5.1.1)              Philip Hoyer        Open
                  Cleanup KeyAlgorithm (Section 5.1.2):
                  - Reference D. Eastlake's document
                  - Only list Mandatory-to-implement algorithms
                  - Remove 5.1.2.1 (OTP Algorithms should be          Salah Machani,
                  added to D. Eastlake's doc); OTP algorithms are Mingliang Pei, and
  35      PSKC    not mandatory-to-implement)                           Philip Hoyer        Open
                  Determine whether any work was already done
  36      PSKC    to integrate SecurID with PKCS7                     Andrea Doherty      In-Progress
        PSKC and Draft IANA Considerations sections for both
  37     DSKPP    documents.                                         Hannes Tschofenig      Open




Andrea Doherty                                                    Page 5 of 16                          12/30/2013
                                                              KEYPROV Issues



  ID    Category                       Action                            Assigned To         Status
                   Change "Usage", Section 5.1.3:
                    Change label for bullet 4 from “Sign” to
                   “Integrity”
                                                                         Salah Machani,
                    Change text to say, “the key will be used to       Mingliang Pei, and
  38       PSKC    generate a keyed message digest for data                Philip Hoyer      Open
                   integrity or authentication purposes.”                Salah Machani,
                   Change "Issuer", Section 5.1.5, from                 Mingliang Pei, and
  39       PSKC    MANDATORY to OPTIONAL                                   Philip Hoyer      Open
                   Change "Access Rules", Section 5.1.7:
                    Add a description regarding the extensibility
                   of this attribute.
                                                                         Salah Machani,
                    Add mention that if the recipient does not         Mingliang Pei, and
  40       PSKC    understand an Access Rule, then the recipient           Philip Hoyer      Open
                   fails.




                   Change "EncryptionMethod", Section 5.1.8:
                    Agreement reached to only specify
                   mandatory-to-implement algorithms, rather than
                   everything. Reference a separate document
                   (e.g., xmlenc).                                       Salah Machani,
                    Mandatory-to-implement algorithms are              Mingliang Pei, and
  41       PSKC    aes128 and pbes2.                                       Philip Hoyer      Open




Andrea Doherty                                                       Page 6 of 16                     12/30/2013
                                                             KEYPROV Issues



  ID    Category                       Action                           Assigned To         Status
                   Change "OTP and CR specific Attributes,
                   Section 5.1.10:
                    Relate to Usage Type.
                    Add a description of UsageType here to
                   include:
                   • OTP: ResponseFormat
                   • CR: ChallengeFormat+ResponseFormat                 Salah Machani,
                                                                       Mingliang Pei, and
                   • Integrity: ResponseFormat
  42       PSKC                                                           Philip Hoyer      Open
                   • Encrypt: ResponseFormat
                                                                        Salah Machani,
                   • Unlock: -
                   Change "AppProfileID", Section 5.1.10.3 to make     Mingliang Pei, and
  43       PSKC    it more general.                                       Philip Hoyer      Open
                   Provide sample outline for how to restructure
  44       PSKC    document so that it is more readable.               Hannes Tschofenig    Open
                   Change "UserType Type", Section 6.1.5, to only
                   include "UserID". Mention that it could take any
                   form, including Distinguished Names. Remove          Salah Machani,
                   other attributes (e.g., FirstName, LastName,        Mingliang Pei, and
  45       PSKC    etc.)                                                  Philip Hoyer      Open

                   Change "KeyContainerType", Section 6.1.6:
                   o Rely on XMLEnc, utilizing Magnus's proposal.
                   Remove Section 6.1.7 (EncryptionMethodType)
                   and Section 6.1.8 (DigestMethodType) should be
                   removed).
                   o Conformant profile to be defined with help from
                   Magnus. Must make sure this profile is
                   consistent with the Key Protection Profiles
                   contained in the -02 version of DSKPP.
                   o At least one keywrap profile that is FIPS 140-2
                   compliant is required.
                   o Philip Hoyer to send a commonly used
  46       PSKC    algorithm id used in HSMs.                             Philip Hoyer      Open



Andrea Doherty                                                    Page 7 of 16                       12/30/2013
                                                            KEYPROV Issues



  ID    Category                       Action                        Assigned To          Status
                   PIN Policy
                   - Draft a proposal based on presentation given at
                   IETF70
                   - Incorporate it into the document and present at
  47       PSKC    IETF-71                                             Philip Hoyer        Open
  48       PSKC    Review description of PIN Usage Modes              Andrea Doherty       Open
                   Regarding Issue25 and how to indicate whether a
                   child is encrypted, present options for review to
  49       PSKC    the AppsArea XML experts.                         Hannes Tschofenig   In-Progress
  50       PSKC    Remove schemaLocation from schema                   Mingliang Pei        Open




Andrea Doherty                                                  Page 8 of 16                           12/30/2013
                           KEYPROV Issues



                 Comment




Andrea Doherty                Page 9 of 16   12/30/2013
                           KEYPROV Issues



                 Comment




Andrea Doherty               Page 10 of 16   12/30/2013
                                                   KEYPROV Issues



                  Comment




D. Eastlake told Hannes that he received
several requests from others for URI's to be
added, and is ok with including KEYPROV
requests. After he finishes next
draft, he plans on requesting publication of the
draft as an RFC.

A question still remains as to whether we
would require a normative reference to that
document.



Reference Issue #20 in tracker. Values
proposed have to be confirmed on the mailing
list.

Note that there is not a need to include OTP
algorithms in the Mandatory-to-Implement list.
This means that section 5.1.2.1 can be
removed.

Reference Issue #20 in tracker. Values
proposed have to be confirmed on the mailing
list.

Note that there is not a need to include OTP
algorithms in the Mandatory-to-Implement list.




Andrea Doherty                                       Page 11 of 16   12/30/2013
                                                  KEYPROV Issues



                 Comment



Reference Issue #32 in tracker
Reference Issue #34 in tracker




Refer to schema file that Hannes sent out after
the meeting.




This change would align capabilities with
ASN.1 format in support of bulk import of keys.




Andrea Doherty                                      Page 12 of 16   12/30/2013
                                                  KEYPROV Issues



                  Comment




The attributes do not have to be convertible,
e.g., PSKC to ASN.1 and ASN.1 to PSKC.




Refer to schema file that Hannes sent out after
the meeting.




Decision reached that aes-128-cbc is
mandatory to implement.




Andrea Doherty                                      Page 13 of 16   12/30/2013
                                              KEYPROV Issues



                 Comment




From interim meeting, wording could say to
specify one for:
- asymmetric:
http://www.w3.org/2001/04/xmlenc#rsa-1_5
- symmetric:
http://www.w3.org/2001/04/xmlenc#aes128-cbc
- passwd:
<EncryptionMethodAlgorithm="http://
www.rsasecurity.com/rsalabs/pkcs/schemas/
pkcs-5#pbes2">

<PBEEncryptionParamEncryptionAlgorithm="h
ttp://www.w3.org/2001/04/xmlenc#kw-aes128-
cbc"></>




Andrea Doherty                                  Page 14 of 16   12/30/2013
                                            KEYPROV Issues



                 Comment




Consider incorporating the changes Hannes
made to the schema during the meeting.




Andrea Doherty                                Page 15 of 16   12/30/2013
                           KEYPROV Issues



                 Comment




Andrea Doherty               Page 16 of 16   12/30/2013

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:0
posted:12/30/2013
language:Latin
pages:16