Re: [alto] SECDIR review of draft-ietf-alto-new-transport-07
Donald Eastlake <d3e3e3@gmail.com> Fri, 31 March 2023 00:43 UTC
Return-Path: <d3e3e3@gmail.com>
X-Original-To: alto@ietfa.amsl.com
Delivered-To: alto@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D76EC14CE24; Thu, 30 Mar 2023 17:43:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.847
X-Spam-Level:
X-Spam-Status: No, score=-1.847 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U3rfyklDiCvc; Thu, 30 Mar 2023 17:43:35 -0700 (PDT)
Received: from mail-ed1-x52d.google.com (mail-ed1-x52d.google.com [IPv6:2a00:1450:4864:20::52d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C4507C14CE4A; Thu, 30 Mar 2023 17:43:35 -0700 (PDT)
Received: by mail-ed1-x52d.google.com with SMTP id ew6so83478997edb.7; Thu, 30 Mar 2023 17:43:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1680223414; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=gX4jAy410mGcjsqZ0FHWrxzeQ/gVE/7ZOegzeWTtfXQ=; b=RlqhCJUlGgly69F+igXCsDbp1ojYCV1v1TgDrx9i+BYjKplEumvAShIHa1sYReDB4W BVCDrafgh53ZAiCIjBmSeThgJ+0BEr4NkuoJ4dtHd0H8ExOomOAJnbWbO4cudHIFvCC+ CP0SQfrLs/niK7tY0JOz5NH+ESAVVG/1+Yq/FZ2uofHMKI/ArV8R3ha5cUoPJJklDZea 0YfqMtXad9EKGgDWa9ckBJZIdErB54OTanO2UFb5o2CqlFNuyJHW37n3AuHcq4F5+ZN3 CeXTSX41g7w4IglwsWKbNxf1eAOZbWKJTjTo2EZcsUPtkifl3E667aFPdMCE9w+BoSxw INtQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1680223414; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=gX4jAy410mGcjsqZ0FHWrxzeQ/gVE/7ZOegzeWTtfXQ=; b=weQx/GUIIQIA+ETsu2TQHcqpLsTtFbXYJe/4qMKYi1PBoKKIl/at5d24zJKSoezglD VRNRGcoKKiN0zfQbaCvUXozIxWQQNpdEDqbrzN9V6Qs0TGU1cfaVqYNAP0CnwtG6qBKE 5JwBD/UIdkfSVArkO4m/JEbDgNbZJYQgpz2hh1q7tOfb5Cg0BfbWkfUBi0U2vY1VeJFw M+0Kd3vEZShKnoOl3nEYqWeuZvfqMAqgulEyJq+V+hIm2WCouPTQ03gmBygEcGSq7Tnd i13a2D9x+8F/cIN2UWqZ9Gta7sutKCO4P5cjK9HnWDNL61bdmbgNkn5hdNFdAV2u6l+S bpRw==
X-Gm-Message-State: AAQBX9cAA914Pvu96m52jpBdJ+2rTQ6V3594GWKuj+Le9LK8QMOumNmh IAytrg777Wo99vC3al7D1Epc6H2Cl68DUZJIfqU=
X-Google-Smtp-Source: AKy350b75vBhaPR0EegGz4JTbgqccD5MRNkz6irDaBSw+3xF7BdW0qj2SXww7f049s1muFB/HyJkaSfvosru6kJgKYU=
X-Received: by 2002:a17:907:3f1b:b0:90a:33e4:5a69 with SMTP id hq27-20020a1709073f1b00b0090a33e45a69mr12877119ejc.3.1680223413576; Thu, 30 Mar 2023 17:43:33 -0700 (PDT)
MIME-Version: 1.0
References: <CAF4+nEHvsgTs3DKz99sa3Uqxz2wkbpXcChqiknUtA4WQLcxvqg@mail.gmail.com> <CAOj3RjYk51ev2FwJtBRrr1LTuSLyZdFaEnkdPoWuiq+0ExXaOg@mail.gmail.com>
In-Reply-To: <CAOj3RjYk51ev2FwJtBRrr1LTuSLyZdFaEnkdPoWuiq+0ExXaOg@mail.gmail.com>
From: Donald Eastlake <d3e3e3@gmail.com>
Date: Thu, 30 Mar 2023 20:43:18 -0400
Message-ID: <CAF4+nEF3JkzJfepPV0i0gOX+TiuHoF=K+PmYe=Z1j58UZgsh5g@mail.gmail.com>
To: Lachlan Keller <lachlan.keller@yale.edu>
Cc: "iesg@ietf.org" <iesg@ietf.org>, secdir <secdir@ietf.org>, draft-ietf-alto-new-transport.all@ietf.org, IETF ALTO <alto@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b5a70005f8277f15"
Archived-At: <https://mailarchive.ietf.org/arch/msg/alto/KaXJsTAmgSrKLRGR7oITVkv1584>
Subject: Re: [alto] SECDIR review of draft-ietf-alto-new-transport-07
X-BeenThere: alto@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Application-Layer Traffic Optimization \(alto\) WG mailing list" <alto.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/alto>, <mailto:alto-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/alto/>
List-Post: <mailto:alto@ietf.org>
List-Help: <mailto:alto-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/alto>, <mailto:alto-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Mar 2023 00:43:40 -0000
Hi Lachlan, I'm happy with all of your responses and consider my comments to have been resolved. Thanks, Donald =============================== Donald E. Eastlake 3rd +1-508-333-2270 (cell) 2386 Panoramic Circle, Apopka, FL 32703 USA d3e3e3@gmail.com On Thu, Mar 30, 2023 at 5:46 PM Lachlan Keller <lachlan.keller@yale.edu> wrote: > Hi Donald, > > Thank you so much for your review and comments. Please see the responses > inline. > > Best, > Lachlan > > On Tue, Mar 28, 2023 at 11:10 AM Donald Eastlake <d3e3e3@gmail.com> wrote: > >> I have reviewed this document as part of the security directorate's >> ongoing effort to review all IETF documents being processed by the IESG. >> Document editors and WG chairs should treat these comments just like any >> other comments. >> >> The summary of the review is Ready with Nits. >> >> *Security:* >> >> While I'm not all that into ALTO, it seems to me that this draft is all >> about messages and message exchanges between ALTO entities where the >> security (authentication, encryption, ...) has been specified in previous >> standards track documents such as RFC 7285. There are a few additional >> security considerations which seem to be well covered by the Security >> Considerations section of this draft. >> >> *Nits:* >> >> Section 1.0, Page 4: >> OLD >> functioning for HTTP/1.x. TIPS also provides an ALTO server to >> NEW >> functioning for HTTP/1.x. TIPS also provides for an ALTO server to >> > > LACHLAN: fixed > >> >> Section 2.1.1, Page 8: Seems too vague. A sentence about tips-view-uri >> wouldn't hurt. At the bottom it says "Use the URI as above". Which URI >> above? What exactly does "use" mean? >> > > LACHLAN: Thanks for this comment - propose changing "Use the URI as above" > to "Construct same URIs as with client pull for push promise URIs." As for > the tips-view-uri clarification, propose adding "<tips-view-uri> // > relative URI to TIPS view (see Section 4.2)" > >> >> Section 2.2, Page 9, Figure 3: Figure looks kind of incomplete. Shouldn't >> there be arrows from R1 to R2/R3? >> > > LACHLAN: You are right that figure 3 is technically incomplete. We will > move it to the appendix as it was supposed to just show the thought process > of part of the design decisions we made. > >> >> Section 2.3, Page 10: In the text on "Information Resource Directory" the >> first sentence is confusing. What is the thing that is requested to >> discover? Maybe you should replace "Requested" at the start of the sentence >> with "Produced when a server is requested"... >> > > LACHLAN: Propose changing text to "Contains a list of available > information resources provided by an ALTO server that can be requested by > ALTO clients" to clarify the section. > >> >> Section 2.3, Page 11 at top: That's Figure 4, not 1. >> > > LACHLAN: good catch > >> >> Section 2.4, Page 12, 1st paragraph: I think a service runs "over" a >> connection, not "inside" a connection. >> > > LACHLAN: fixed > >> >> Section 4.4, Page 23: Seems kind of feeble. How about, given that a >> disconnect is treated as a DELETE, something like the following, which >> probably implies that the server maintains a use count. (This document need >> not mention such a count.) >> OLD >> set associated with the TIPS view. A server will not want to delete >> NEW >> set associated with the TIPS view. A server MUST NOT delete >> >> > LACHLAN: Great point. Because there are actually multiple options with how > to treat the DELETE, we’ve now added a new considerations section that > discusses management of shared TIPS views for clarity. See Kai’s response > to the ART ART review for more details, where this was pointed out as well. > > >> >> Thanks, >> Donald >> =============================== >> Donald E. Eastlake 3rd +1-508-333-2270 (cell) >> 2386 Panoramic Circle, Apopka, FL 32703 USA >> d3e3e3@gmail.com >> >
- [alto] SECDIR review of draft-ietf-alto-new-trans… Donald Eastlake
- Re: [alto] SECDIR review of draft-ietf-alto-new-t… Lachlan Keller
- Re: [alto] SECDIR review of draft-ietf-alto-new-t… Donald Eastlake