Docstoc

Issues

Document Sample
Issues Powered By Docstoc
					                                                             KEYPROV Issues



  ID    Category                        Action                          Assigned To         Status
                   Provide text for re-phrasing Usage Scenario,
                   "Session Time-Out Policy", Section 1.1.3, so that it
  1      DSKPP     is clearer                                                Salah          Complete
                   Provide text for re-phrasing Usage Scenario,
                   "Outsource Provisioning", Section 1.1.4, so that it
                   is less about a deployment scenario, and more
                   about the need for user authentication within the
  2      DSKPP     protocol.                                            Hannes Tschofenig    Open
                   Rename term “Key Container” to “Key Package”
  3      DSKPP     throughout the DSKPP document.                        Andrea Doherty      Open
                   In “Determining which Protocol Variant to Use”,
                   Section 1.4:
                   - Remove references to “near real-time
                   communication”, and “workflow approval process”
                   as justifications for the two-pass protocol (also
                   found in Section 1.0)
                   - Do mention joint key control
                   - Fix typo on 4th bullet in Sec 1.4.2.
                   - Change term “transport key” to “manufacturing
                   key”, and add to Definitions Section (2.2).
                   - Note that ability to support pre-existing (legacy)
                   keys is a key differentiator between four- and two-
                   pass.
                   - Make clear which design aspects are common to
                   4- and 2-pass protocol variants, e.g., Algorithm
  4      DSKPP     Agility                                               Andrea Doherty      Open
                   Add definitions of individual keys to Section 2.2,
  5      DSKPP     "Definitions"                                         Andrea Doherty      Open
                   Rename "Server Authorization" in MAC
                   Calculations sections, e.g., Sections 3.1.3.1 and
  6      DSKPP     3.2.3.2, to "Server Authentication"                   Andrea Doherty      Open
                   Explain how K_MAC fits in the DSKPP key
                   hierarchy and how it is derived? Same for
  7      DSKPP     K_MAC'.                                               Andrea Doherty      Open



Andrea Doherty                                                    Page 1 of 16                         3/5/2010
                                                               KEYPROV Issues



  ID    Category                         Action                          Assigned To      Status
  8      DSKPP     Add K_PROV to the Notations Section (2.3)             Andrea Doherty   Open
                   o Rework Section 3.3, “User Authentication”:


                   “Device Identification” and make it its own Section
                   heading (i.e., Section 3.3), rather than a Sub-
                   Section of “Client Authentication”.

                   Authentication” and make it its own heading
                   (Section 3.4) incorporating text from previous
                   Section 3.3.

                   including conformance requirements as per
  9      DSKPP     Magnus’s comments.                                    Andrea Doherty   Open

                   Move Section 3.5, “Encryption of Pseudorandom
                   Nonces Sent from the DSKPP Client” to the
                   section on the Four-Pass Protocol since the
  10     DSKPP     contents only relate to that variant.              Andrea Doherty      Open
                   Rename “Extensibility”, Section 5.0, to “Protocol
                   Extensions”, and explain why the two extension
                   types are important? For what would we expect
                   them to be used? Also explain how the protocol is
  11     DSKPP     extended in general.                               Andrea Doherty      Open
                   Section 9.6.5, “Key Protection in the Two-Pass
                   Passphrase Profile”, mention dependence on the
  12     DSKPP     security of the key package.                       Andrea Doherty      Open
                   Rename “Additional Considerations” (Section 9.6)
  13     DSKPP     to “Miscellaneous Considerations”.                 Andrea Doherty      Open
                   Review status codes and make sure list is
  14     DSKPP     complete.                                          Andrea Doherty      Open
                   IANA Considerations are incomplete (Section 11).
                   Discuss this with IANA folks and make a
  15     DSKPP     recommendation for re-phrasing of the section.    Hannes Tschofenig    Open



Andrea Doherty                                                      Page 2 of 16                   3/5/2010
                                                              KEYPROV Issues



  ID    Category                         Action                            Assigned To         Status
                    Remove Key Protection Profiles, Section 3.2.2,
                    from the DSKPP document, and make sure that
                    the profiles are completely covered in the PSKC
  16     DSKPP      and ASN.1 documents                                    Andrea Doherty       Open




                    Chat with Donald Eastlake about Algorithm URIs.
         DSKPP,
         PSKC,      Determine whether a normative reference to
  17      ASN.1     Eastlake's document is required.                   Hannes Tschofenig      In-Progress
         DSKPP,     Ask IANA to post algorithm URIs to their Web site.
         PSKC,      Find out whether it would be possible to register
  18      ASN.1     OTP algorithm URI's.                               Hannes Tschofenig        Open




        PSKC and                                                          Salah Machani,
          ASN.1                                                          Mingliang Pei, and
  19    Alignment   Define mandatory-to-implement algorithms.               Philip Hoyer        Open




        PSKC and
          ASN.1
  20    Alignment   Define mandatory-to-implement algorithms.               Sean Turner         Open




Andrea Doherty                                                        Page 3 of 16                          3/5/2010
                                                               KEYPROV Issues



  ID    Category                         Action                           Assigned To         Status
       DSKPP and
          PSKC
  21    Alignment Change serial number data type to string                Andrea Doherty      Open
  22     DSKPP    Update conformance section per Issue #32                Andrea Doherty      Open
  23     DSKPP    Re-phrase Authentication Code Format section            Andrea Doherty      Open
                  Makes PSKC language agnostic to the type of
                  system (e.g., OTP authentication servers) that will
       PSKC and make use of it. For example, avoid terms                  Salah Machani,
         DSKPP    "validation system", and change "credential" to        Mingliang Pei, and
  24    Alignment "key" as was done in the DSKPP document.                  Philip Hoyer      Open
                                                                          Salah Machani,
                                                                         Mingliang Pei, and
  25      PSKC      Remove Logo types from PSKC                             Philip Hoyer      Open
                                                                          Salah Machani,
                                                                         Mingliang Pei, and
  26      PSKC      Incorporate schema changes made during mtg              Philip Hoyer      Open
                    Draft an explanation for the DSKPP document
                    explaining the criteria by which one would use
  27     DSKPP      PSKC vs. ASN.1 formats.                               Salah Machani       Open
                    Update Issue Tracker, e.g., items closed during
                    interim meeting. Add issues from
                    http://www.tschofenig.com/twiki/bin/viewfile/KeyPr
                    ov/KeyprovInterim2008?rev=1;filename=PSKC_Is
                    sue_List_updated.doc to Issue Tracker, and mark
  28      PSKC      them "Done-cbb".                                       Mingliang Pei      Open

        PSKC and    Add support for 1 set of attributes per key to Salah Machani,
          ASN.1     PSKC. For example, could add EncryptionMethod Mingliang Pei, and
  29    Alignment   and DigestMethod to KeyType.                     Philip Hoyer             Open




Andrea Doherty                                                      Page 4 of 16                       3/5/2010
                                                              KEYPROV Issues



  ID    Category                         Action                          Assigned To          Status

                    PSKC does not require a key to be included in the
                    container; it can just transport key metadata.
        PSKC and    However, ASN.1 requires a key to be included in
          ASN.1     the container. Change ASN.1 to not require a key
  30    Alignment   for support of DSKPP four-pass.                       Sean Turner          Open

        PSKC and    Change Section 3.2.3 to make it more generic and Salah Machani,
         DSKPP      describe the case where the attributes (without the Mingliang Pei, and
  31    Alignment   key) are carried in DSKPP (e.g., for four-pass).       Philip Hoyer        Open

        PSKC and                                                       Sean Turner, Salah
         DSKPP      Ensure that attributes are the same for both PSKC Machani, Mingliang
  32    Alignment   and ASN.1.                                          Pei, Philip Hoyer      Open
                    Clarify that the “Credential upload case”, Section  Salah Machani,
                    3.1.4, could be used to convey the key from the    Mingliang Pei, and
  33      PSKC      end host to the provisioning server.                  Philip Hoyer         Open
                                                                        Salah Machani,
                                                                       Mingliang Pei, and
  34      PSKC      Restructure DATA element (Section 5.1.1)              Philip Hoyer         Open
                    Cleanup KeyAlgorithm (Section 5.1.2):
                    - Reference D. Eastlake's document
                    - Only list Mandatory-to-implement algorithms
                    - Remove 5.1.2.1 (OTP Algorithms should be          Salah Machani,
                    added to D. Eastlake's doc); OTP algorithms are    Mingliang Pei, and
  35      PSKC      not mandatory-to-implement)                           Philip Hoyer         Open
                    Determine whether any work was already done to
  36     PSKC       integrate SecurID with PKCS7                        Andrea Doherty       In-Progress
        PSKC and    Draft IANA Considerations sections for both
  37     DSKPP      documents.                                         Hannes Tschofenig       Open




Andrea Doherty                                                     Page 5 of 16                            3/5/2010
                                                               KEYPROV Issues



  ID    Category                        Action                             Assigned To        Status
                   Change "Usage", Section 5.1.3:

                   “Integrity”
                                                                       Salah Machani,
                   generate a keyed message digest for data integrity Mingliang Pei, and
  38      PSKC     or authentication purposes.”                          Philip Hoyer         Open
                                                                       Salah Machani,
                   Change "Issuer", Section 5.1.5, from               Mingliang Pei, and
  39      PSKC     MANDATORY to OPTIONAL                                 Philip Hoyer         Open
                   Change "Access Rules", Section 5.1.7:

                   this attribute.
                                                                          Salah Machani,
                   understand an Access Rule, then the recipient         Mingliang Pei, and
  40      PSKC     fails.                                                   Philip Hoyer      Open




                   Change "EncryptionMethod", Section 5.1.8:

                   to-implement algorithms, rather than everything.
                   Reference a separate document (e.g., xmlenc).          Salah Machani,
                                                                         Mingliang Pei, and
  41      PSKC     and pbes2.                                               Philip Hoyer      Open




Andrea Doherty                                                        Page 6 of 16                     3/5/2010
                                                              KEYPROV Issues



  ID    Category                        Action                             Assigned To        Status

                   Change "OTP and CR specific Attributes, Section
                   5.1.10:


                   • OTP: ResponseFormat
                   • CR: ChallengeFormat+ResponseFormat
                   • Integrity: ResponseFormat                            Salah Machani,
                   • Encrypt: ResponseFormat                             Mingliang Pei, and
  42      PSKC     • Unlock: -                                              Philip Hoyer      Open
                                                                          Salah Machani,
                   Change "AppProfileID", Section 5.1.10.3 to make       Mingliang Pei, and
  43      PSKC     it more general.                                         Philip Hoyer      Open
                   Provide sample outline for how to restructure
  44      PSKC     document so that it is more readable.                 Hannes Tschofenig    Open

                   Change "UserType Type", Section 6.1.5, to only
                   include "UserID". Mention that it could take any       Salah Machani,
                   form, including Distinguished Names. Remove           Mingliang Pei, and
  45      PSKC     other attributes (e.g., FirstName, LastName, etc.)       Philip Hoyer      Open

                   Change "KeyContainerType", Section 6.1.6:
                   o Rely on XMLEnc, utilizing Magnus's proposal.
                   Remove Section 6.1.7 (EncryptionMethodType)
                   and Section 6.1.8 (DigestMethodType) should be
                   removed).
                   o Conformant profile to be defined with help from
                   Magnus. Must make sure this profile is consistent
                   with the Key Protection Profiles contained in the -
                   02 version of DSKPP.
                   o At least one keywrap profile that is FIPS 140-2
                   compliant is required.
                   o Philip Hoyer to send a commonly used algorithm
  46      PSKC     id used in HSMs.                                         Philip Hoyer      Open



Andrea Doherty                                                     Page 7 of 16                        3/5/2010
                                                              KEYPROV Issues



  ID    Category                        Action                          Assigned To           Status
                   PIN Policy
                   - Draft a proposal based on presentation given at
                   IETF70
                   - Incorporate it into the document and present at
  47      PSKC     IETF-71                                                  Philip Hoyer       Open
  48      PSKC     Review description of PIN Usage Modes                  Andrea Doherty       Open
                   Regarding Issue25 and how to indicate whether a
                   child is encrypted, present options for review to the
  49      PSKC     AppsArea XML experts.                                 Hannes Tschofenig   In-Progress
  50      PSKC     Remove schemaLocation from schema                       Mingliang Pei        Open




Andrea Doherty                                                     Page 8 of 16                            3/5/2010
                           KEYPROV Issues



                 Comment




Andrea Doherty                Page 9 of 16   3/5/2010
                           KEYPROV Issues



                 Comment




Andrea Doherty               Page 10 of 16   3/5/2010
                                                   KEYPROV Issues



                  Comment




D. Eastlake told Hannes that he received several
requests from others for URI's to be
added, and is ok with including KEYPROV
requests. After he finishes next
draft, he plans on requesting publication of the
draft as an RFC.

A question still remains as to whether we would
require a normative reference to that document.




Reference Issue #20 in tracker. Values
proposed have to be confirmed on the mailing
list.

Note that there is not a need to include OTP
algorithms in the Mandatory-to-Implement list.
This means that section 5.1.2.1 can be removed.

Reference Issue #20 in tracker. Values
proposed have to be confirmed on the mailing
list.

Note that there is not a need to include OTP
algorithms in the Mandatory-to-Implement list.




Andrea Doherty                                       Page 11 of 16   3/5/2010
                                                  KEYPROV Issues



                  Comment



Reference Issue #32 in tracker
Reference Issue #34 in tracker




Refer to schema file that Hannes sent out after
the meeting.




This change would align capabilities with ASN.1
format in support of bulk import of keys.




Andrea Doherty                                      Page 12 of 16   3/5/2010
                                                  KEYPROV Issues



                   Comment




The attributes do not have to be convertible,
e.g., PSKC to ASN.1 and ASN.1 to PSKC.




Refer to schema file that Hannes sent out after
the meeting.




Decision reached that aes-128-cbc is mandatory
to implement.




Andrea Doherty                                      Page 13 of 16   3/5/2010
                                                KEYPROV Issues



                 Comment




From interim meeting, wording could say to
specify one for:
- asymmetric:
 http://www.w3.org/2001/04/xmlenc#rsa-1_5
- symmetric:
http://www.w3.org/2001/04/xmlenc#aes128-cbc
- passwd:
<EncryptionMethodAlgorithm="http://www.rsasec
urity.com/rsalabs/pkcs/schemas/pkcs-
5#pbes2">
<PBEEncryptionParamEncryptionAlgorithm="htt
p://www.w3.org/2001/04/xmlenc#kw-aes128-
cbc"></>




Andrea Doherty                                    Page 14 of 16   3/5/2010
                                            KEYPROV Issues



                 Comment




Consider incorporating the changes Hannes
made to the schema during the meeting.




Andrea Doherty                                Page 15 of 16   3/5/2010
                           KEYPROV Issues



                 Comment




Andrea Doherty               Page 16 of 16   3/5/2010

				
DOCUMENT INFO
Shared By:
Categories:
Stats:
views:17
posted:3/6/2010
language:English
pages:16