Re: [abfab] comments on draft-ietf-abfab-arch
Leif Johansson <leifj@sunet.se> Thu, 05 September 2013 19:46 UTC
Return-Path: <leifj@sunet.se>
X-Original-To: abfab@ietfa.amsl.com
Delivered-To: abfab@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6130811E8200 for <abfab@ietfa.amsl.com>; Thu, 5 Sep 2013 12:46:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.249
X-Spam-Level:
X-Spam-Status: No, score=-2.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_SE=0.35]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QukS+43qtFzm for <abfab@ietfa.amsl.com>; Thu, 5 Sep 2013 12:45:58 -0700 (PDT)
Received: from e-mailfilter01.sunet.se (e-mailfilter01.sunet.se [IPv6:2001:6b0:8:2::201]) by ietfa.amsl.com (Postfix) with ESMTP id 7ABF911E824D for <abfab@ietf.org>; Thu, 5 Sep 2013 12:45:55 -0700 (PDT)
Received: from smtp1.sunet.se (smtp1.sunet.se [IPv6:2001:6b0:8:2::214]) by e-mailfilter01.sunet.se (8.14.3/8.14.3/Debian-9.4) with ESMTP id r85JjYLX009476 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 5 Sep 2013 21:45:34 +0200
Received: from kerio.sunet.se (kerio.sunet.se [192.36.171.210]) by smtp1.sunet.se (8.14.4/8.14.4) with ESMTP id r85JjUpn007139 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 5 Sep 2013 21:45:33 +0200 (CEST)
X-Footer: c3VuZXQuc2U=
Received: from [10.0.0.244] ([62.102.145.131]) (authenticated user leifj@sunet.se) by kerio.sunet.se (Kerio Connect 8.1.2) (using TLSv1/SSLv3 with cipher AES256-SHA (256 bits)); Thu, 5 Sep 2013 21:45:28 +0200
Message-ID: <5228DF58.3030206@sunet.se>
Date: Thu, 05 Sep 2013 21:45:28 +0200
From: Leif Johansson <leifj@sunet.se>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130803 Thunderbird/17.0.8
MIME-Version: 1.0
To: abfab@ietf.org, Jim Schaad <ietf@augustcellars.com>
References: <5227A18B.8070007@painless-security.com>
In-Reply-To: <5227A18B.8070007@painless-security.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Bayes-Prob: 0.0001 (Score 0, tokens from: outbound, sunet-se:default, base:default, @@RPTN)
X-CanIt-Geo: ip=192.36.171.210; country=SE; latitude=62.0000; longitude=15.0000; http://maps.google.com/maps?q=62.0000,15.0000&z=6
X-CanItPRO-Stream: outbound-sunet-se:outbound (inherits from outbound-sunet-se:default, sunet-se:default, base:default)
X-Canit-Stats-ID: 09KlvJynO - 643088d21151 - 20130905
X-CanIt-Archive-Cluster: PfMRe/vJWMiXwM2YIH5BVExnUnw
X-Scanned-By: CanIt (www . roaringpenguin . com)
Subject: Re: [abfab] comments on draft-ietf-abfab-arch
X-BeenThere: abfab@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Application Bridging, Federated Authentication Beyond \(the web\)" <abfab.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/abfab>, <mailto:abfab-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/abfab>
List-Post: <mailto:abfab@ietf.org>
List-Help: <mailto:abfab-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/abfab>, <mailto:abfab-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Sep 2013 19:46:03 -0000
On 09/04/2013 11:09 PM, Mark Donnelly wrote: > Hello all! > > I work with Sam, who asked me to read the arch draft as background to > implementing some software around ABFAB. As usual its preferable to get good reviews *before* WGLC but I guess we'll not stand on form. Jim - your views? > > * Section 1.1.1 (Channel Binding) mentions "the authenticator" without > referencing that anywhere earlier. Sam tells me that is the EAP term > for what ABFAB calls the RP, but that's not included in the table in > section 1.1. > * In section 1.2, it would be nice for a break to be inserted before > the ASCII art graph. > * Also in section 1.2, in the section about Federation, there are two > almost identical sentences: > The federation relationship is governed by a federation agreement. > A federation is governed by a federation agreement. > If these say the same thing, one should be removed. If they say > different things, then the difference is entirely unclear, and it > should be explained. > * In section 1.4, points 8, 10, and 12 talk about the Master Session > Key. As someone new to this, the MSK was referenced here without any > text suggesting why it exists. Perhaps a forward reference to > Section 4.2.2 or 5 would help, but there really doesn't seem to be a > good explanation in the document. > * Section 3.2, in the fourth paragraph, has a sentence saying: > The client and the TLS need to share a common trust point for the > certificate used in validating the server. > "TLS" doesn't make sense to me here at all. > * Later in section 3.2 there's a sentence: > Even when it is checked, if the trust infrastructure behind > the TLS authentication is different from the trust infrastructure > behind the GSS-API mutual authentication then confirming the end- > points using both trust infrastructures is likely to enhance > security. > The lead-in to that sentence made me expect the opposite result. In > essence, this sentence says, "Even when we do the right thing, the > right thing happens." I was expecting one of them to be the wrong > thing after a lead-in of "Even when." > * Section 3.3, paragraph 8 contains a sentence: > When Service Records (SRV) and Naming > Authority Pointer (NAPTR) records are used to help find a host that > provides a service, the security requirements on the referrals is > going to interact with the information used in the service name. > The minor quibble here is that the subject (requirements) disagrees > in number with the verb (is). My larger difficulty is that I have no > idea how security requirements might interact with service name > information. > * The next sentence: > If a host name is returned from the DNS referrals, and the host > name is to be validated by GS-EAP, then it makes sense that the > referrals themselves should be secure. > This sentence establishes the need for secure referrals, but nothing > is said about how that is to be achieved. > Also, the typo of "GS-EAP" should be corrected to "GSS-EAP." > * The last sentence of section 3.4 has a typo - 'probably' should be > 'probable.' > > Thanks, > --Mark Donnelly > _______________________________________________ > abfab mailing list > abfab@ietf.org > https://www.ietf.org/mailman/listinfo/abfab
- [abfab] [Sam Hartman] comments on draft-ietf-abfa… Sam Hartman
- Re: [abfab] [Sam Hartman] comments on draft-ietf-… Leif Johansson
- [abfab] comments on draft-ietf-abfab-arch Mark Donnelly
- Re: [abfab] [Sam Hartman] comments on draft-ietf-… Jim Schaad
- Re: [abfab] comments on draft-ietf-abfab-arch Leif Johansson
- Re: [abfab] comments on draft-ietf-abfab-arch Leif Johansson
- Re: [abfab] comments on draft-ietf-abfab-arch Jim Schaad
- Re: [abfab] [Sam Hartman] comments on draft-ietf-… Jim Schaad
- Re: [abfab] [Sam Hartman] comments on draft-ietf-… David Chadwick
- Re: [abfab] [Sam Hartman] comments on draft-ietf-… Sam Hartman
- Re: [abfab] [Sam Hartman] comments on draft-ietf-… Sam Hartman
- Re: [abfab] [Sam Hartman] comments on draft-ietf-… Leif Johansson
- Re: [abfab] [Sam Hartman] comments on draft-ietf-… David Chadwick
- Re: [abfab] [Sam Hartman] comments on draft-ietf-… Sam Hartman
- Re: [abfab] [Sam Hartman] comments on draft-ietf-… Rhys Smith
- Re: [abfab] [Sam Hartman] comments on draft-ietf-… Jim Schaad
- Re: [abfab] [Sam Hartman] comments on draft-ietf-… David Chadwick
- Re: [abfab] [Sam Hartman] comments on draft-ietf-… Klaas Wierenga (kwiereng)
- Re: [abfab] [Sam Hartman] comments on draft-ietf-… David Chadwick
- Re: [abfab] [Sam Hartman] comments on draft-ietf-… Sam Hartman
- Re: [abfab] [Sam Hartman] comments on draft-ietf-… Rafa Marin Lopez