Re: [abfab] comments on draft-ietf-abfab-arch
Leif Johansson <leifj@mnt.se> Wed, 18 September 2013 06:37 UTC
Return-Path: <leifj@mnt.se>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C3A5011E8145 for <abfab@ietfa.amsl.com>; Tue, 17 Sep 2013 23:37:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.524
X-Spam-Level:
X-Spam-Status: No, score=-3.524 tagged_above=-999 required=5 tests=[AWL=0.075, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FJfpikvex+Mz for <abfab@ietfa.amsl.com>; Tue, 17 Sep 2013 23:37:20 -0700 (PDT)
Received: from mail-ea0-f178.google.com (mail-ea0-f178.google.com [209.85.215.178]) by ietfa.amsl.com (Postfix) with ESMTP id C743111E8180 for <abfab@ietf.org>; Tue, 17 Sep 2013 23:37:19 -0700 (PDT)
Received: by mail-ea0-f178.google.com with SMTP id a15so3240026eae.9 for <abfab@ietf.org>; Tue, 17 Sep 2013 23:37:18 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=GwjH+9tqdWhytlVUq6cDeJEb0tVDaID+EWeqLxnqulg=; b=M2hSAxi66LDsUR8wwg9oaf8rmJgWr8wT1rwQGegSnEU36HM04Mom+aLa6/UnaWQlUR /QQqaPjqV+2RDcEXMXnEi9huqvkovzcfZAwMpHAVGQfaeV9g66vSFCNiTzbRpJg5wzMk /77YbL0oZSqgQcaqZws4dEX/lRcBOZWBWQQO31jiWNCbjO8EAAvRWLcU5o2Uc57wybCE 7uFLRjYXd3Y4EAxVAV5Ug7uzw2kocemEokGutfeHgN+jI+xNrbYA+8dooiYjExdddJqi UL4RMqMxym1tX/ghqPnuj+hIxHx6HpNCJVrhVNYmhAXptZD6ENTyQ1By1Vh1GRcEK/dT mcng==
X-Gm-Message-State: ALoCoQnYMhfBAZOWRHNJYvG1/CpsWMM8YwhSw0s+jYK+A+B46OXlNNfpsXiBB6sEnOwZNUpfaKPz
X-Received: by 10.15.98.194 with SMTP id bj42mr57226851eeb.12.1379486238507; Tue, 17 Sep 2013 23:37:18 -0700 (PDT)
Received: from [109.105.104.183] (dhcp49.se-tug.nordu.net. [109.105.104.183]) by mx.google.com with ESMTPSA id h52sm140815eez.3.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 17 Sep 2013 23:37:17 -0700 (PDT)
Message-ID: <52394A1B.10805@mnt.se>
Date: Wed, 18 Sep 2013 08:37:15 +0200
From: Leif Johansson <leifj@mnt.se>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130803 Thunderbird/17.0.8
MIME-Version: 1.0
To: abfab@ietf.org, Jim Schaad <ietf@augustcellars.com>
References: <5227A18B.8070007@painless-security.com> <5228DF58.3030206@sunet.se>
In-Reply-To: <5228DF58.3030206@sunet.se>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Re: [abfab] comments on draft-ietf-abfab-arch
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Sep 2013 06:37:24 -0000
On 09/05/2013 09:45 PM, Leif Johansson wrote: > On 09/04/2013 11:09 PM, Mark Donnelly wrote: >> Hello all! >> >> I work with Sam, who asked me to read the arch draft as background to >> implementing some software around ABFAB. > As usual its preferable to get good reviews *before* WGLC but I guess > we'll not stand on form. > > Jim - your views? poke... >> * Section 1.1.1 (Channel Binding) mentions "the authenticator" without >> referencing that anywhere earlier. Sam tells me that is the EAP term >> for what ABFAB calls the RP, but that's not included in the table in >> section 1.1. >> * In section 1.2, it would be nice for a break to be inserted before >> the ASCII art graph. >> * Also in section 1.2, in the section about Federation, there are two >> almost identical sentences: >> The federation relationship is governed by a federation agreement. >> A federation is governed by a federation agreement. >> If these say the same thing, one should be removed. If they say >> different things, then the difference is entirely unclear, and it >> should be explained. >> * In section 1.4, points 8, 10, and 12 talk about the Master Session >> Key. As someone new to this, the MSK was referenced here without any >> text suggesting why it exists. Perhaps a forward reference to >> Section 4.2.2 or 5 would help, but there really doesn't seem to be a >> good explanation in the document. >> * Section 3.2, in the fourth paragraph, has a sentence saying: >> The client and the TLS need to share a common trust point for the >> certificate used in validating the server. >> "TLS" doesn't make sense to me here at all. >> * Later in section 3.2 there's a sentence: >> Even when it is checked, if the trust infrastructure behind >> the TLS authentication is different from the trust infrastructure >> behind the GSS-API mutual authentication then confirming the end- >> points using both trust infrastructures is likely to enhance >> security. >> The lead-in to that sentence made me expect the opposite result. In >> essence, this sentence says, "Even when we do the right thing, the >> right thing happens." I was expecting one of them to be the wrong >> thing after a lead-in of "Even when." >> * Section 3.3, paragraph 8 contains a sentence: >> When Service Records (SRV) and Naming >> Authority Pointer (NAPTR) records are used to help find a host that >> provides a service, the security requirements on the referrals is >> going to interact with the information used in the service name. >> The minor quibble here is that the subject (requirements) disagrees >> in number with the verb (is). My larger difficulty is that I have no >> idea how security requirements might interact with service name >> information. >> * The next sentence: >> If a host name is returned from the DNS referrals, and the host >> name is to be validated by GS-EAP, then it makes sense that the >> referrals themselves should be secure. >> This sentence establishes the need for secure referrals, but nothing >> is said about how that is to be achieved. >> Also, the typo of "GS-EAP" should be corrected to "GSS-EAP." >> * The last sentence of section 3.4 has a typo - 'probably' should be >> 'probable.' >> >> Thanks, >> --Mark Donnelly >> _______________________________________________ >> abfab mailing list >> abfab@ietf.org >> https://www.ietf.org/mailman/listinfo/abfab > > _______________________________________________ > abfab mailing list > abfab@ietf.org > https://www.ietf.org/mailman/listinfo/abfab
- [abfab] [Sam Hartman] comments on draft-ietf-abfa… Sam Hartman
- Re: [abfab] [Sam Hartman] comments on draft-ietf-… Leif Johansson
- [abfab] comments on draft-ietf-abfab-arch Mark Donnelly
- Re: [abfab] [Sam Hartman] comments on draft-ietf-… Jim Schaad
- Re: [abfab] comments on draft-ietf-abfab-arch Leif Johansson
- Re: [abfab] comments on draft-ietf-abfab-arch Leif Johansson
- Re: [abfab] comments on draft-ietf-abfab-arch Jim Schaad
- Re: [abfab] [Sam Hartman] comments on draft-ietf-… Jim Schaad
- Re: [abfab] [Sam Hartman] comments on draft-ietf-… David Chadwick
- Re: [abfab] [Sam Hartman] comments on draft-ietf-… Sam Hartman
- Re: [abfab] [Sam Hartman] comments on draft-ietf-… Sam Hartman
- Re: [abfab] [Sam Hartman] comments on draft-ietf-… Leif Johansson
- Re: [abfab] [Sam Hartman] comments on draft-ietf-… David Chadwick
- Re: [abfab] [Sam Hartman] comments on draft-ietf-… Sam Hartman
- Re: [abfab] [Sam Hartman] comments on draft-ietf-… Rhys Smith
- Re: [abfab] [Sam Hartman] comments on draft-ietf-… Jim Schaad
- Re: [abfab] [Sam Hartman] comments on draft-ietf-… David Chadwick
- Re: [abfab] [Sam Hartman] comments on draft-ietf-… Klaas Wierenga (kwiereng)
- Re: [abfab] [Sam Hartman] comments on draft-ietf-… David Chadwick
- Re: [abfab] [Sam Hartman] comments on draft-ietf-… Sam Hartman
- Re: [abfab] [Sam Hartman] comments on draft-ietf-… Rafa Marin Lopez