Closed HBrock closed 1 month ago
primetomas
commented
5 months ago I support removing the normative language in 4.2.2. This can be handled in profiles, and is in many cases already. I.e. 3GPP 33.310, Lightweight CMP profile, Unisig ERTMS, etc.
HBrock
commented
5 months ago @johngray-dev @ounsworth @DDvO What do you think of removing normative text from Section 4.2.2 and leave this to the respective profiles?
johngray-dev
commented
5 months ago Yes I agree. Our end-entities can connect to our CA, but it is always end-entity driven. The keys are generated at either the CA, the client or 3rd party. I agree the text only says 4.2.2.2 is mandatory, but I see how it can be confusing since it is all under 4.2.2 titled "Mandatory Schemes". Maybe just changing the title of 4.2.2 to "Registration / Certification Schemes", take out the normative language, then then add the MUST in 4.2.2.2 directly would make it more clear.
HBrock
commented
5 months ago As there are several profiles of CMP available, like
Therefore, RFC 4210 developed more to a framework and a generic protocol specification. RFC 5280 also defines the X.509 certificate and CRL content and path validation mechanism in a generic manner, and there are many protocol specific profiles available.
When looking at RFC 4210 there are more section using normative language that may hinder claiming compliance when using one of the above listed profiles or when using CMP with a proprietary profile. If we support the development of rfc4210bis to such a generic certificate management protocol framework, I feel like, we must also also look at other sections, e.g., Section 6, and reconsider the usage of normative language there. Currently this was out-of-scope of the tasks we got from the LAMPS WG.
DDvO
commented
5 months ago I agree the text only says 4.2.2.2 is mandatory, but I see how it can be confusing since it is all under 4.2.2 titled "Mandatory Schemes". Maybe just changing the title of 4.2.2 to "Registration / Certification Schemes", take out the normative language, then then add the MUST in 4.2.2.2 directly would make it more clear.
I support this and am confident that the WG will be fine with this. It is essentially just an editorial change that prevents needless confusion.
HBrock
commented
4 months ago The following slide was presented at IETF 119:
Remove normative language from Section 4.2.2, by Tomas Gustavsson
There are various profiles that specify initial registration and certification in much more detail, e.g., Appendix C and D, RFC 9483, 3GPP TS 33.310, UNISIG Subset 137. Therefore, today rfc4210bis is more of a framework and Section 4.2 is more a guidance.
Option 1: Adapt headline of Section 4.2.2 to avoid confusion and keep text as of RFC 4210 retaining backward compatibility. Option 2: Adapt headline of Section 4.2.2 to avoid confusion and remove normative language. Option 3: Rework Section 3, 4, and 6 to modernize it and remove normative where not needed.
HBrock
commented
3 months ago With V10 the following changes were addresses:
I will address proposals for the remaining ToDos on the LAMPS list.
As @primetomas proposed:
[HB] I fully support your point. As you know, RFC 9483 also addresses PKI Management Operations between RA and CA. But as I read Section 4.2.2 the only mandators scheme is specified in Section 4.2.2.2. The Centralizes Scheme specified in Section 4.2.2.1 is optional. But I can envision this scheme for example in a factory with a local CA providing key generation and certificate issuance on behalf of the device. But you are perfectly right, this is not a scenario CMP would be used for. I see Section 4.2 more as a first illustration how enrollment could look like. As there is the profile for enrollment of person-certificate in the Appendix and the profile for machine-to-machine enrollment in RFC 9483, it would be fine removing normative language from Section 4.2 completely, if the WG agrees.