Please find attached the authors final edits to RFC-to-be 9763 as file <rfc9763_bgj.xml>.
Most RFC Editor suggested changes were made. For Q12, note that the term "traditional" with reference to pre-PQC algorithms is a term-of-art; see draft-ietf-pquip-pqt-hybrid-terminology. Nearly all edits were editorial. There are two substantial ones that we want to bring to your attention (these are also fully described in situ): * In Section 4.1, "The RelatedCertificate Extension", a substantive change was made that had been raised and resolved on the LAMPS (spasm) mail-list after WGLC. The change agreed was not security-relevant and was in fact a reversion to an earlier version of the same document. * Section 6, "CA Organization Considerations", has been extensively edited for clarity. Significantly, we found it difficult to tell that the first paragraph discussed to the CSR attribute and the second paragraph discussed the certificate extension. We feel that the new text is equivalent to the old text but much clearer. Please let us know if you have any questions regarding changes made. -----Original Message----- From: rfc-edi...@rfc-editor.org <rfc-edi...@rfc-editor.org> Sent: Friday, March 28, 2025 22:19 To: Alison Becker (GOV) <aebe...@uwe.nsa.gov>; Rebecca Guthrie (GOV) <rmgu...@uwe.nsa.gov>; Michael Jenkins (GOV) <mjje...@cyber.nsa.gov> Cc: rfc-edi...@rfc-editor.org; lamps-...@ietf.org; lamps-cha...@ietf.org; tim.holleb...@digicert.com; r...@cert.org; auth48archive@rfc-editor.org Subject: Re: AUTH48: RFC-to-be 9763 <draft-ietf-lamps-cert-binding-for-multi-auth-06> for your review Authors, While reviewing this document during AUTH48, please resolve (as necessary) the following questions, which are also in the XML file. 1) <!--[rfced] May we update the short title that spans the header of the PDF file to more closely match the document title as shown below? Original: Related Certificates Perhaps: Related Certificates for Protocol Authentications --> 2) <!-- [rfced] Please insert any keywords (beyond those that appear in the title) for use on https://www.rfc-editor.org/search. --> 3) <!--[rfced] Please clarify "different to" in the following sentence. Is the intended meaning perhaps "different than"? Original: If the request for (new) Cert B is to a CA organization different to the CA organization that issued the certificate (existing) Cert A referenced in the CSR... Perhaps: If the request for (new) Cert B is to a CA organization that is different than the CA organization that issued the certificate (existing) Cert A referenced in the CSR... --> 4) <!-- [rfced] FYI: We have added a citation for the NIST SP mentioned in this sentence, with a corresponding reference entry in the informative reference section. Original: If the related certificate is a key establishment certificate (e.g., using RSA key transport or ECC key agreement), use the private key to sign one time for POP (as detailed in NIST SP 800-57 Part 1 Rev 5 Section 8.1.5.1.1.2) Current: If the related certificate is a key establishment certificate (e.g., using RSA key transport or Elliptic Curve Cryptography (ECC) key agreement), use the private key to sign one time for proof of possession (POP) (as detailed in Section 8.1.5.1.1.2 of [NIST-SP-800-57]). --> 5) <!--[rfced] Is "mechanism" intended to be singular (perhaps A) or plural (perhaps B) in this sentence? And may we rephrase "have to be to the satisfaction of the verifier" to "have to be satisfactory to the verifier"? Original: The means and strength of mechanism for authentication have to be to the satisfaction of the verifier. Perhaps A: The means and strength of an authentication mechanism have to be to satisfactory to the verifier. Perhaps B: The means and strength of mechanisms for authentication have to be satisfactory to the verifier. --> 6) <!--[rfced] Can "and to assess that it got what it needed" be rephrased for clarity? Please let us know if the suggested text is agreeable or if you prefer otherwise. Original: For more promiscuous online protocols, like TLS, the ability for the verifier to express what is possible and what is preferred - and to assess that it got what it needed - is important. Perhaps: For more promiscuous online protocols, like TLS, the ability for the verifier to express what is possible and what is preferred - and to assess that its requirements were met - is important. --> 7) <!--[rfced] We updated "it may be advisable" to "it is advisable". If that is incorrect, please let us know. Original: CAs should be aware that retrieval of existing certificates may be subject to observation; if this is a concern, it may be advisable to use the dataURI option described in Section 3.1. Current: CAs should be aware that retrieval of existing certificates may be subject to observation; if this is a concern, it is advisable to use the dataURI option described in Section 3.1. --> 8) <!--[rfced] We have included a clarification about the IANA text below. In addition to responding to that question, please review all of the IANA-related updates carefully and let us know if any further updates are needed. a) FYI: For all three registrations, we replaced the OIDs enclosed in <artwork> with entries that exactly match the IANA registries at <https://www.iana.org/assignments/smi-numbers/>. One example Original: id-pe-relatedCert OBJECT IDENTIFIER ::= { id-pe TBD2 } Current: | Decimal | Description | References | +=========+===================+============+ | 36 | id-pe-relatedCert | RFC 9763 | --> 9) <!-- [rfced] We note that the "IssuerAndSerialNumber type" is mentioned in [RFC5912] and [RFC6268, and the "BinaryTime type" is mentioned in [RFC6019]. Considering that, may we update the following sentence for clarity as shown below? Original: It pulls definitions from modules defined in [RFC5912], and [RFC6268], and [RFC6019] for the IssuerAndSerialNumber type, and BinaryTime type, respectively. Perhaps: It pulls definitions from modules defined in [RFC5912] and [RFC6268] for the IssuerAndSerialNumber type and in [RFC6019] for the BinaryTime type. --> 10) <!-- [rfced] We updated artwork to sourcecode in Sections 3.1 and 4.1 and in Appendix A. Please confirm that this is correct. In addition, please consider whether the "type" attribute of any sourcecode element should be set and/or has been set correctly. The current list of preferred values for "type" is available at <https://www.rfc-editor.org/rpc/wiki/doku.php?id=sourcecode-types>. If the current list does not contain an applicable type, feel free to suggest additions for consideration. Note that it is also acceptable to leave the "type" attribute not set. --> 11) <!-- [rfced] FYI: We have added expansions for the following abbreviations per Section 3.6 of RFC 7322 ("RFC Style Guide"). Please review each expansion in the document carefully to ensure correctness. Cryptographic Message Syntax (CMS) Certificate Signing Request (CSR) Elliptic Curve Cryptography (ECC) extended key usage (EKU) Internet Key Exchange Protocol Version 2 (IKEv2) key usage (KU) proof of possession (POP) (per NIST-SP-800-57) post-quantum (PQ) post-quantum cryptography (PQC) --> 12) <!-- [rfced] Please review the "Inclusive Language" portion of the online Style Guide <https://www.rfc-editor.org/styleguide/part2/#inclusive_language> and let us know if any changes are needed. Updates of this nature typically result in more precise language, which is helpful for readers. For example, please consider whether "native" should be updated. In addition, please consider whether "traditional" should be updated for clarity. While the NIST website <https://web.archive.org/web/20250214092458/https://www.nist.gov/ nist-research-library/nist-technical-series-publications-author-instructions#table1> indicates that this term is potentially biased, it is also ambiguous. "Tradition" is a subjective term, as it is not the same for everyone. --> Thank you. RFC Editor/kc On Mar 28, 2025, at 7:16 PM, RFC Editor via auth48archive <mailto:auth48archive@rfc-editor.org> wrote: *****IMPORTANT***** Updated 2025/03/28 RFC Author(s): -------------- Instructions for Completing AUTH48 Your document has now entered AUTH48. Once it has been reviewed and approved by you and all coauthors, it will be published as an RFC. If an author is no longer available, there are several remedies available as listed in the FAQ (https://www.rfc-editor.org/faq/). You and you coauthors are responsible for engaging other parties (e.g., Contributors or Working Group) as necessary before providing your approval. Planning your review --------------------- Please review the following aspects of your document: * RFC Editor questions Please review and resolve any questions raised by the RFC Editor that have been included in the XML file as comments marked as follows: <!-- [rfced] ... --> These questions will also be sent in a subsequent email. * Changes submitted by coauthors Please ensure that you review any changes submitted by your coauthors. We assume that if you do not speak up that you agree to changes submitted by your coauthors. * Content Please review the full content of the document, as this cannot change once the RFC is published. Please pay particular attention to: - IANA considerations updates (if applicable) - contact information - references * Copyright notices and legends Please review the copyright notice and legends as defined in RFC 5378 and the Trust Legal Provisions (TLP - https://trustee.ietf.org/license-info). * Semantic markup Please review the markup in the XML file to ensure that elements of content are correctly tagged. For example, ensure that <sourcecode> and <artwork> are set correctly. See details at <https://authors.ietf.org/rfcxml-vocabulary>. * Formatted output Please review the PDF, HTML, and TXT files to ensure that the formatted output, as generated from the markup in the XML file, is reasonable. Please note that the TXT will have formatting limitations compared to the PDF and HTML. Submitting changes ------------------ To submit changes, please reply to this email using 'REPLY ALL' as all the parties CCed on this message need to see your changes. The parties include: * your coauthors * mailto:rfc-edi...@rfc-editor.org (the RPC team) * other document participants, depending on the stream (e.g., IETF Stream participants are your working group chairs, the responsible ADs, and the document shepherd). * mailto:auth48archive@rfc-editor.org, which is a new archival mailing list to preserve AUTH48 conversations; it is not an active discussion list: * More info: https://mailarchive.ietf.org/arch/msg/ietf-announce/yb6lpIGh-4Q9l2USxIAe6P8O4Zc * The archive itself: https://mailarchive.ietf.org/arch/browse/auth48archive/ * Note: If only absolutely necessary, you may temporarily opt out of the archiving of messages (e.g., to discuss a sensitive matter). If needed, please add a note at the top of the message that you have dropped the address. When the discussion is concluded, mailto:auth48archive@rfc-editor.org will be re-added to the CC list and its addition will be noted at the top of the message. You may submit your changes in one of two ways: An update to the provided XML file - OR - An explicit list of changes in this format Section # (or indicate Global) OLD: old text NEW: new text You do not need to reply with both an updated XML file and an explicit list of changes, as either form is sufficient. We will ask a stream manager to review and approve any changes that seem beyond editorial in nature, e.g., addition of new text, deletion of text, and technical changes. Information about stream managers can be found in the FAQ. Editorial changes do not require approval from a stream manager. Approving for publication -------------------------- To approve your RFC for publication, please reply to this email stating that you approve this RFC for publication. Please use 'REPLY ALL', as all the parties CCed on this message need to see your approval. Files ----- The files are available here: https://www.rfc-editor.org/authors/rfc9763.xml https://www.rfc-editor.org/authors/rfc9763.html https://www.rfc-editor.org/authors/rfc9763.pdf https://www.rfc-editor.org/authors/rfc9763.txt Diff file of the text: https://www.rfc-editor.org/authors/rfc9763-diff.html https://www.rfc-editor.org/authors/rfc9763-rfcdiff.html (side by side) Diff of the XML: https://www.rfc-editor.org/authors/rfc9763-xmldiff1.html Tracking progress ----------------- The details of the AUTH48 status of your document are here: https://www.rfc-editor.org/auth48/rfc9763 Please let us know if you have any questions. Thank you for your cooperation, RFC Editor -------------------------------------- RFC9763 (draft-ietf-lamps-cert-binding-for-multi-auth-06) Title : Related Certificates for Use in Multiple Authentications within a Protocol Author(s) : A. Becker, R. Guthrie, M. Jenkins WG Chair(s) : Russ Housley, Tim Hollebeek Area Director(s) : Deb Cooley, Paul Wouters -- auth48archive mailing list -- mailto:auth48archive@rfc-editor.org To unsubscribe send an email to mailto:auth48archive-le...@rfc-editor.org
rfc9763_bgj.xml
Description: rfc9763_bgj.xml
-- auth48archive mailing list -- auth48archive@rfc-editor.org To unsubscribe send an email to auth48archive-le...@rfc-editor.org
