Re: [Captive-portals] Robert Wilton's No Objection on draft-ietf-capport-api-07: (with COMMENT)
"Rob Wilton (rwilton)" <rwilton@cisco.com> Mon, 22 June 2020 16:18 UTC
Return-Path: <rwilton@cisco.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 10F9E3A0EF6; Mon, 22 Jun 2020 09:18:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.598
X-Spam-Level:
X-Spam-Status: No, score=-9.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=Ay405IOS; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=Zkxlz69T
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AsY02hD5-uPM; Mon, 22 Jun 2020 09:18:34 -0700 (PDT)
Received: from rcdn-iport-2.cisco.com (rcdn-iport-2.cisco.com [173.37.86.73]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E05683A0EF3; Mon, 22 Jun 2020 09:18:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=7128; q=dns/txt; s=iport; t=1592842714; x=1594052314; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=Y1IwdCbriJFIaanHai4HhhJuVRjV3yXiAiBfip9v03c=; b=Ay405IOShyDzK/aP6tHNedosBZoNhaTgDRc0zT+Xr+AtQ61t+UyLxUXe nr+hfwwE4Rdb7u9mO46ne2m1QDfrj7WWsZJFPpQc9naxK4DKikgaJsLt0 68USy+wQWoxg2x/3pVdAqTqYmjQaUjZIhASNt/zfRNMZLaWPGLvfu7+O2 U=;
IronPort-PHdr: 9a23:wjnaLRGrnj+IM4njNVCTE51GYnJ96bzpIg4Y7IYmgLtSc6Oluo7vJ1Hb+e401QObVJ3D7/8CgO3T4OjsWm0FtJCGtn1KMJlBTAQMhshemQs8SNWEBkv2IL+PDWQ6Ec1OWUUj8yS9Nk5YS8/mf1nf5Ha16G1aFhD2LwEgIOPzF8bbhNi20Obn/ZrVbk1IiTOxbKk0Ig+xqFDat9Idhs1pLaNixw==
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0A3AABr2PBe/5ldJa1mGwEBAQEBAQEBBQEBARIBAQEDAwEBAUCBOAQBAQELAYFRUQdvWC8sCoQag0YDjUSYVIEuFIEQA1ULAQEBDAEBIwoCBAEBhEcCF4IUAiQ2Bw4CAwEBCwEBBQEBAQIBBgRthVsMhXIBAQEBAgESEREMAQElEgELBAIBCA4CAQEDAQEBAgImAgICMBUCBggCBA4FCBMHgwWCSwMOIAEDC6tdAoE5iGF2gTKDAQEBBYFGQYM4GIIOAwaBDioBgmaJXx0agUE/gRFDgk0+glwBAQECAYEmAQsHAQcCGoMSM4Itjn0cBoJOPKIuCoJaiEKMAIUHgnGJJIUcjUqbQJQzAgQCBAUCDgEBBYFaCihmWBEHcBWDJFAXAg2OHoNxgmSCMIVCdAI1AgYBBwEBAwl8jSKBNQGBEAEB
X-IronPort-AV: E=Sophos;i="5.75,267,1589241600"; d="scan'208";a="790720185"
Received: from rcdn-core-2.cisco.com ([173.37.93.153]) by rcdn-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 22 Jun 2020 16:18:32 +0000
Received: from XCH-RCD-004.cisco.com (xch-rcd-004.cisco.com [173.37.102.14]) by rcdn-core-2.cisco.com (8.15.2/8.15.2) with ESMTPS id 05MGIW5p031423 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 22 Jun 2020 16:18:32 GMT
Received: from xhs-rcd-002.cisco.com (173.37.227.247) by XCH-RCD-004.cisco.com (173.37.102.14) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Mon, 22 Jun 2020 11:18:31 -0500
Received: from xhs-aln-002.cisco.com (173.37.135.119) by xhs-rcd-002.cisco.com (173.37.227.247) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Mon, 22 Jun 2020 11:18:31 -0500
Received: from NAM10-MW2-obe.outbound.protection.outlook.com (173.37.151.57) by xhs-aln-002.cisco.com (173.37.135.119) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Mon, 22 Jun 2020 11:18:31 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=TzmS0OQ7fPsfD/wy1dQI9jMT7prEuMX9bSwn1KDInFP97wptxhlA4N4KVX1pXQWh6Cva3mVh2zFa/g18hTAE9q3yTN4fLNctO5F3VGe75hUKWdhYxtx/zmaKbU6itwGSZnWlbp/1Y3J8p+5BmTDZoNFo00sVnaz5/3RUEsdrYtXnkyAT+34JkC93VlHPPYyIVx4bkhJVRSNkCfgCjawrePzntYdS/gfmOHL+H+MIMK18QezW66zvXb+OMsvdbyjUg+5NaNiIpZlcgNyWj/ZtzBdE7MahO6WDR+LSoyv3PFyk5oRJAsfGryUHkOcMEvH10roEf61UTLLyRXegNMAcbg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Y1IwdCbriJFIaanHai4HhhJuVRjV3yXiAiBfip9v03c=; b=hUs4c76ZlIz8uW5slTwrpRIwN/BR2bWej+j+TdQjtDp/asSOcnOfTQb1/uj1adkTA645akTARUMnL2cTWIAi1P10oUCGYelt0tBUsCAuzicqaL7qBZ/AKHwlFLE/PniiOVzopl9R1w0tlDP8mElaQEqXEmdeHIKssUA7wKcEOv6F5KVEQi/nKCrqKb9eLVsL8YzHqc1Xn2xSKSSNBfANmxupv1lTR2gmL/oIPqBNgjbxTP/OzcNaTNoedG2IDV7QToSyXOVUDYSmNYMOCsESGm8y6tXlRYRsj2ZKC8A1/Zw1to7OATy+0CAXzqoVsQWJBDyCyp8b8iVym/m1v9HVrQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Y1IwdCbriJFIaanHai4HhhJuVRjV3yXiAiBfip9v03c=; b=Zkxlz69T0EGPY2U+y0s98pEABgxbwSJamwE0/cm2L4XOn2dU1Zwj/EXnLsK8PZxb3YWNGR97gYfpn/bIf11loOOm7N0ML0n8BZNmsUh70GnSXmPgTTIRuCzKcjLhC1OMMpLqE1A/3gww6w9911yWCoO2DVOkZ495dfi+ZKjge+o=
Received: from MN2PR11MB4366.namprd11.prod.outlook.com (2603:10b6:208:190::17) by BL0PR11MB3361.namprd11.prod.outlook.com (2603:10b6:208:6d::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3109.23; Mon, 22 Jun 2020 16:18:30 +0000
Received: from MN2PR11MB4366.namprd11.prod.outlook.com ([fe80::e9d4:79b5:aef1:be18]) by MN2PR11MB4366.namprd11.prod.outlook.com ([fe80::e9d4:79b5:aef1:be18%5]) with mapi id 15.20.3109.027; Mon, 22 Jun 2020 16:18:30 +0000
From: "Rob Wilton (rwilton)" <rwilton@cisco.com>
To: Tommy Pauly <tpauly@apple.com>
CC: The IESG <iesg@ietf.org>, "draft-ietf-capport-api@ietf.org" <draft-ietf-capport-api@ietf.org>, "capport-chairs@ietf.org" <capport-chairs@ietf.org>, "captive-portals@ietf.org" <captive-portals@ietf.org>, Martin Thomson <mt@lowentropy.net>
Thread-Topic: Robert Wilton's No Objection on draft-ietf-capport-api-07: (with COMMENT)
Thread-Index: AQHWP+H0ka3by6GQ+E+FT7GfXM/r56jTpS+AgAAAy4A=
Date: Mon, 22 Jun 2020 16:18:30 +0000
Message-ID: <MN2PR11MB436632CA83692B16C923938AB5970@MN2PR11MB4366.namprd11.prod.outlook.com>
References: <159187426163.11035.11823958603457067416@ietfa.amsl.com> <F01F66DF-E679-47ED-BCBF-75CD9DC5C470@apple.com>
In-Reply-To: <F01F66DF-E679-47ED-BCBF-75CD9DC5C470@apple.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: apple.com; dkim=none (message not signed) header.d=none;apple.com; dmarc=none action=none header.from=cisco.com;
x-originating-ip: [82.15.79.32]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 7293f76f-2883-4ec5-3e8f-08d816c7e741
x-ms-traffictypediagnostic: BL0PR11MB3361:
x-microsoft-antispam-prvs: <BL0PR11MB336109C454A2BAA5FAF95780B5970@BL0PR11MB3361.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0442E569BC
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: Eio/z88JmoB8mbuQAkW9VJFyLxEt9H6XcWqe2ZMgyTEXfcDLXPfWrFPo98LzvkrY92pMZ8ODHOTVr7MITCw/ffQIczUypIjB3QAYji8OwuDpSb6Qc02Fp0c66nPNEj9nT9GhbPQDvePnG58aHROWl9L2gJ9RAyn7nt3mXTylB4TCun+NCQt32MFOypIQbcjqRfzxgztBsP/f+2GNwrQvZA42DcT4D9slqvzNXsQPE1GW5a0IcqkxAV6LpDJzmpz2X7NBhiuOFtBdCm0JiTcWNiuWQmHMEn7Xp1/OwLUYkJH61ctoJ9H0nsdHvxJyJSijhcxwlXQ2r+SRykqoRM6afF8qmKVF51A65udSGSwC3XdpSjpKcM48jCG50RpfR0HRJs0M9LU8VSTzdTkvhybWhA==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MN2PR11MB4366.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(346002)(136003)(396003)(376002)(39860400002)(366004)(86362001)(33656002)(8936002)(478600001)(4326008)(76116006)(83380400001)(66946007)(66556008)(66476007)(64756008)(66446008)(55016002)(9686003)(966005)(316002)(26005)(5660300002)(83080400001)(2906002)(186003)(52536014)(6506007)(7696005)(53546011)(6916009)(54906003)(71200400001)(8676002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: OESFq0PKD85135qJX59wdtVtSoDzlPJeC0mvXio9/YdusfOnFmvx3QzxiIBHWvPQLMvFFAZCxn34o2syu1uA+mPDNeliiDhlkfsHJLod7AkxWRrl60wlaKnXx71hr3CJgzauTGsVbNG2n6MfRiMz0upH4r2U+9MNBoMF9FYtiNZh3lgQbyRzST0OFMkIcUzNF+YyZQXUwnWpETJFikttuVE0v6Id7qcq4ZNxBQInertTDeolKORlAxKSQaU62dZoIMq1B0BxzA8GR1ARBiCNEPwsd003VjAkjjzlk1oygYqH6tqGUPPl4Erc49+ZpYh0D+EIvi+LRRDbN44EIYBjXk2VtLqlt0hr5KuQU9KpCep365NOGfyno5ZIN3kvXHQkCGtwSbCUdEmiBtiLGNQ67berSThVYt/6bfaax+CUx9k7/SJjzc4TFxwKVAbl0vXxF5v0vgZE8M/Zs0x0zzcroLxK4ZP8GXBYDJmM/qjLgl8=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 7293f76f-2883-4ec5-3e8f-08d816c7e741
X-MS-Exchange-CrossTenant-originalarrivaltime: 22 Jun 2020 16:18:30.4592 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: lWZl82EAHMcQ3vu/CiqpG9dLxU4UCW0aV7dYjWqlsyS4BdkjHXOahOx4xN6BYD5w/MQ4xR2a/RK8hdqBfJMcpQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL0PR11MB3361
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.14, xch-rcd-004.cisco.com
X-Outbound-Node: rcdn-core-2.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/wBmDe9hI2oWz1ZOe_JBheUJtjv8>
Subject: Re: [Captive-portals] Robert Wilton's No Objection on draft-ietf-capport-api-07: (with COMMENT)
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Jun 2020 16:18:36 -0000
Hi Tommy, Just one (belated) comment at the end ... > -----Original Message----- > From: Tommy Pauly <tpauly@apple.com> > Sent: 11 June 2020 18:05 > To: Rob Wilton (rwilton) <rwilton@cisco.com> > Cc: The IESG <iesg@ietf.org>; draft-ietf-capport-api@ietf.org; capport- > chairs@ietf.org; captive-portals@ietf.org; Martin Thomson > <mt@lowentropy.net> > Subject: Re: Robert Wilton's No Objection on draft-ietf-capport-api-07: > (with COMMENT) > > Hi Rob, > > Thanks for the review! > > Responses inline. You can also see updates in our working copy here: > > https://capport-wg.github.io/api/draft-ietf-capport-api.html > > > On Jun 11, 2020, at 4:17 AM, Robert Wilton via Datatracker > <noreply@ietf.org> wrote: > > > > Robert Wilton has entered the following ballot position for > > draft-ietf-capport-api-07: No Objection > > > > When responding, please keep the subject line intact and reply to all > > email addresses included in the To and CC lines. (Feel free to cut this > > introductory paragraph, however.) > > > > > > Please refer to https://www.ietf.org/iesg/statement/discuss- > criteria.html > > for more information about IESG DISCUSS and COMMENT positions. > > > > > > The document, along with other ballot positions, can be found here: > > https://datatracker.ietf.org/doc/draft-ietf-capport-api/ > > > > > > > > ---------------------------------------------------------------------- > > COMMENT: > > ---------------------------------------------------------------------- > > > > Hi, > > > > I found this document straight forward and easy to read. > > > > Linda's comment in the Opsdir review is interesting. I would have > expected the > > CAPPORT architecture document to discuss/reference the problem being > solved, > > but it seems to be mostly silent on this. I will redirect Linda's > comment to > > the CAPPORT architecture. > > > > In section 5. "API State Structure", it does not state whether a > connection > > could be both time and data limited. My reading of the spec is that > this would > > be allowed, assuming that is the case, the current text is fine. > > Correct, there is no requirement that time and data limits are mutually > exclusive. > > > > 6. Example Interaction > > > > Upon receiving this information the client will use this information > > direct the user to the the web portal (as specified by the user- > > portal-url value) to enable access to the external network. Once the > > user satisfies the requirements for extenal network access, the > > client SHOULD query the API server again to verify that it is no > > longer captive. > > > > Nit: information direct => information to direct > > Fixed on latest working copy. > > > > 7. Security Considerations > > > > I'm slightly concerned about the third paragraph in the security > > considerations. Ideally I would like a solution that doesn't require > humans to > > potentially spot potentially dubious spoofed domain names. But I can > > appreciate that is probably out of scope here. > > This has been removed and reworded in our working copy, from addressing > Ben’s comments. > > > > 7.1. Privacy Considerations > > > > Possibly worth adding a comment about the necessity to keep personal > > information secure. In addition, should there be any comments about > GDPR like > > constraints (if they apply)? > > This section has also be reworded slightly to make this more clear. I’m > not sure if there’s anything we can state for GDPR or similar constraints > here. I think that would mainly apply to what is shown in the user portal, > not the API interaction. [RW] FWIW, I saw this text in another document that I'm reviewing now, and is was something along these lines that I was originally thinking of when I posted the original comment: When sharing personally identifiable information or information that is otherwise considered confidential to affected users, SET Transmitters and Recipients MUST have the appropriate legal agreements and user consent or terms of service in place. Furthermore, data that needs confidentiality protection MUST be encrypted, at least with TLS and sometimes also using JSON Web Encryption (JWE) [RFC7516]. In some cases, subject identifiers themselves may be considered sensitive information, such that their inclusion within a SET may be considered a violation of privacy. SET Issuers should consider the ramifications of sharing a particular subject identifier with a SET Recipient (e.g., whether doing so could enable correlation and/or de- anonymization of data) and choose appropriate subject identifiers for their use cases. I.e. if user identifiable information is being carried over the CAPPORT API, then IANAL, etc, but I think that GDPR would require that the user had given consent in some way before any personally identifiable information is transmitted. I'll leave it to you to decide if that is a valid consideration for the privacy section. Regards, Rob > > Best, > Tommy > > > > Thanks, > > Rob > > > > > >
- [Captive-portals] Robert Wilton's No Objection on… Robert Wilton via Datatracker
- Re: [Captive-portals] Robert Wilton's No Objectio… Tommy Pauly
- Re: [Captive-portals] Robert Wilton's No Objectio… Rob Wilton (rwilton)
- Re: [Captive-portals] Robert Wilton's No Objectio… Tommy Pauly
- Re: [Captive-portals] Robert Wilton's No Objectio… Rob Wilton (rwilton)