Re: [core] Benjamin Kaduk's Discuss on draft-ietf-core-resource-directory-25: (with DISCUSS and COMMENT)

Christian Amsüss <christian@amsuess.com> Tue, 03 November 2020 17:27 UTC

Return-Path: <christian@amsuess.com>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 927233A0DF9; Tue, 3 Nov 2020 09:27:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zEVvABCVBX3r; Tue, 3 Nov 2020 09:27:47 -0800 (PST)
Received: from prometheus.amsuess.com (prometheus.amsuess.com [5.9.147.112]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0EC3F3A0DF6; Tue, 3 Nov 2020 09:27:46 -0800 (PST)
Received: from poseidon-mailhub.amsuess.com (unknown [IPv6:2a02:b18:c13b:8010:a800:ff:fede:b1bd]) by prometheus.amsuess.com (Postfix) with ESMTPS id 1604A40013; Tue, 3 Nov 2020 18:27:44 +0100 (CET)
Received: from poseidon-mailbox.amsuess.com (hermes.amsuess.com [10.13.13.254]) by poseidon-mailhub.amsuess.com (Postfix) with ESMTP id 723CEAB; Tue, 3 Nov 2020 18:27:40 +0100 (CET)
Received: from hephaistos.amsuess.com (unknown [IPv6:2a02:b18:c13b:8010:be1b:33a0:9df5:4f6f]) by poseidon-mailbox.amsuess.com (Postfix) with ESMTPSA id 3D08C34; Tue, 3 Nov 2020 18:27:40 +0100 (CET)
Received: (nullmailer pid 54167 invoked by uid 1000); Tue, 03 Nov 2020 17:27:39 -0000
Date: Tue, 3 Nov 2020 18:27:39 +0100
From: Christian =?iso-8859-1?Q?Ams=FCss?= <christian@amsuess.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: The IESG <iesg@ietf.org>, draft-ietf-core-resource-directory@ietf.org, jaime.jimenez@ericsson.com, core-chairs@ietf.org, core@ietf.org
Message-ID: <20201103172739.GE45088@hephaistos.amsuess.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="TD8GDToEDw0WLGOL"
Content-Disposition: inline
In-Reply-To: <159730632066.12379.5174560093789503034@ietfa.amsl.com> <20201103170958.GA45088@hephaistos.amsuess.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/Krs6nOQjyzn3NkRLd61GJ_dHQLQ>
Subject: Re: [core] Benjamin Kaduk's Discuss on draft-ietf-core-resource-directory-25: (with DISCUSS and COMMENT)
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Nov 2020 17:27:52 -0000

(This is one of the point-to-point follow-up mails on the RD -25
reviews; for the preface, please see the preceding mail on "The various
positions on draft-ietf-core-resource-directory-25" at
<https://mailarchive.ietf.org/arch/msg/core/xWLomwwhovkU-CPGNxnvs40BhaM/>).

As DISCUSS:

> I agree with Roman that the authorization model seems under-developed.
> While I recognize that there is need for flexibility across various
> deployments, I think that we should be providing a default model (and
> procedures for it) that will apply in many cases, and let
> deployments specify alternate models if needed.  This stuff is hard
> enough to get right that we should have a secure option that people can
> use if they don't need to have customized details.  (To be clear, I
> agree with the change of focus from -24 to -25 on the properties that a
> security policy needs to provide and/or consider, as that is
> fundamentally the important thing.  I just want a fallback/default
> option that "does something reasonable in most cases" in addition.
> Doing that by reference to some other existing thing would be fine, if
> such a thing exists.)

response:

There is no external policy we could reference, so a new section was created.
The First-Come-First-Remembered policy implements one of the candidates that
were considered for this role, and was picked because unlike its "endpoint name
comes from the certificate" it is a mode which an implementation can use
without any further configuration whatsoever.

The related changes can be viewed in
https://github.com/core-wg/resource-directory/issues/258.

> In particular, the current text seems to rely on the authorization
> model including:
> 
> (1) the RD knowing how clients will be using it (and thus what
> properties the RD needs to enforce), which in the general case cannot be
> known (though for static networks it could be), yet I don't see any
> discussion that indicates this as a prerequisite; and
> 
> (2) the client either knowing out-of-band that an entity is authorized
> to act as a RD or just blindly trusting any of the unauthenticated (*)
> advertisement mechanisms.  (* Yes, there may be some protection in the
> network on subscribing to the relevant multicast address, DNS-SD, etc.,
> but the client cannot a priori know that such protections are in place.)
>
> Relatedly, the naming model and naming authority should have some
> clearer discussion.  We do mention in Section 7 the possibility for a
> weak naming model where the RD is responsible for enforcing uniqueness
> of names but otherwise link attributes are the primary authorization
> criteria (vs. a traditional scheme with a naming authority and naming
> hierarchy), but with naming as a fundamental prerequisite of any
> authentication/authorization scheme, I think clearer discussion of how a
> naming model is to be selected (and, perhaps more importantly, that it
> must be fixed as part of a given deployment) for a given network is
> needed.

respond:

The responsibilities are the other way around. The RD does not need to know the
clients' expectations, the clients may only expect things they know to be true
of the RD.

See GENERIC-WHOPICKSMODEL.

> If I understand correctly, we have some codepoint squatting going on in
> the examples (e.g., for resource types).

response:

The rt=temperature-c, rt=light-lux and if=sensor are used where endpoints
mimick the examples of RFC6690; it is a point here to have things look just
like in direct discovery.

The if=core.a and if=core.p use values from the expired and partially abandoned
core-interfaces -- given its future is unclear, they've been replaced by
examples with tag URIs, as has the et=oic.d.sensor (a value that's registered,
but not to for et but for rt) and rt="light"; rt=sensor was dropped as it was
not essential to the example.

The individual changes are listed in
https://github.com/core-wg/resource-directory/pull/266.

> We should talk about the security properties of the various RD discovery
> mechanisms that are defined.

response:

A section was added in the security considerations on this topic (see
https://github.com/core-wg/resource-directory/pull/275 for text
changes). It does not go into the properties of each mechanism, as the host
discovery steps are generally unprotected; instead, it emphasizes the
importance of checking the RD's authorization for any security properties the
client would expect. In the context of the server authorization topic (see
OPEN-SERVER), it was added that if the authorization is conditional on the
resources being advertised with a particular resource type, that authorization
already needs to be checked during the discovery phase (details in
https://github.com/core-wg/resource-directory/pull/306).

As COMMENT:

> My apologies for where these comments diverge off into rambling
> incoherency, or where I'm misunderstanding something that's clearly laid
> out; this document had the misfortune of being the last one I got to
> this week.
> 
> Section 1
> 
>    [RFC6690] only describes how to discover resources from the web
>    server that hosts them by querying "/.well-known/core".  In many
>    constrained scenarios, direct discovery of resources is not practical
>    due to sleeping nodes, disperse networks, or networks where multicast
>    traffic is inefficient.  These problems can be solved by employing an
>    entity called a Resource Directory (RD), which contains information
>    about resources held on other servers, allowing lookups to be
>    performed for those resources.
> 
> nit(?): I'd consider specifying that the RD is "a trusted entity".
> (Even when the resources themselves are authenticated, a hostile RD can
> still deny existence of a given resource, so by choosing to use an RD
> there is some level of trust involved.)

response:

Putting it in there as a trusted entity would give the reader a wrong
impression of the general case. Any trust placed in the RD must be earned by a
security policy backed by the RD's credentials.

> Section 2
> 
>    Resource Directory (RD)
>       A web entity that stores information about web resources and
>       implements the REST interfaces defined in this specification for
>       discovery, for the creation, the maintenance and the removal of
>       registrations, and for lookup of the registered resources.
> 
> nit: the list structure is not parallel here.  Maybe "for discovery,
> creation, maintenance, and removal of registrations, and for lookup of
> the registered resources"?

response:

The intended structure that's linearized into the sadly untreeish structure of
written language was

* discovery
* of registrations
  - creation
  - maintenance
  - removal
* lookup

I think this is what the current text expresses, whereas the proposed one
groups discovery with "of registrations", while it's more a top-level thing.

>    Commissioning Tool
>       Commissioning Tool (CT) is a device that assists during the
>       installation of the network by assigning values to parameters,
>       naming endpoints and groups, or adapting the installation to the
>       needs of the applications.
> 
> Is "the installation of the network" a one-time event?   (Might a CT be
> involved when adding a new device to a network at a later time?)

response:

CTs can come back to help new devices into the network; the text has been
clarified to that point in
https://github.com/core-wg/resource-directory/pull/295.

There are remaining questions about how long a network can operate autonomously
while the CT is absent and can thus not refresh registrations, but those exceed
the scope of the document. (Discussed at
https://github.com/core-wg/resource-directory/issues/290).

> Section 3.1
> 
>    Information SHOULD only be stored in the RD if it can be obtained by
>    querying the described device's /.well-known/core resource directly.
> 
> When might that not be the case?

response:

The prime example here is with devices that don't even have a copy of what they
might want to (but can't for resource constraints) express there; those use a
CT to do their work.

The second example I can come up with is when devices have complex
confidentiality requirements on the links, but rely on the RD and thus publish
data to an authorized RD of which they don't even know who precisely might be
authorized to read them.

> Section 3.2
> 
>    The RD architecture is illustrated in Figure 1.  An RD is used as a
>    repository of registrations describing resources hosted on other web
>    servers, also called endpoints (EP).  An endpoint is a web server
>    associated with a scheme, IP address and port.  A physical node may
> 
> (side note) hmm, I feel like in the HTTP world an endpoint is more
> likely to be associated with a DNS name than an IP address, in common
> usage.  Also, we later go on to assert that the endpoint's name has
> primacy and that the IP address/port can be ephemeral.

response:

This is leading the reader from the CoAP definition of endpoints to the
endpoints as registrants as used in the RD.

>    An endpoint uses specific interfaces to register, update and remove a
>    registration.  It is also possible for an RD to fetch Web Links from
>    endpoints and add their contents to its registrations.
> 
>    At the first registration of an endpoint, a "registration resource"
>    is created, the location of which is returned to the registering
>    endpoint.  The registering endpoint uses this registration resource
>    to manage the contents of registrations.
> 
> Does the "RD fetches links unilaterally" case count as a "first
> registration of an endpoint"?  I'm having a hard time seeing how these
> two statements are consistent with each other, and a naive reading
> admits the possibility that a given endpoint could be "locked out" of
> the ability to manage the contents of its registrations.

response:

The act of the endpoint triggering the RD to fetch links from it is the
creation. And the "locking out" is the correct reading -- a client that uses
simple client has no way of managing the contents. If it were capable enough to
do that, it'd go the regular registration route.

> Section 4
> 
>    REST clients (registrant-EPs and CTs during registration and
>    maintenance, lookup clients, RD servers during simple registrations)
>    MUST be prepared to receive any unsuccessful code and act upon it
>    according to its definition, options and/or payload to the best of
>    their capabilities, falling back to failing the operation if recovery
>    is not possible.  In particular, they should retry the request upon
> 
> "MUST be prepared [...] to the best of their abilities" seems
> non-actionable.  The stuff after "In particular", on the other hand, is
> actual concrete guidance that could be mandated using normative
> language.

response:

Right; fixed in https://github.com/core-wg/resource-directory/pull/276.

> Section 4.1
> 
>    1.  In a 6LoWPAN, just assume the Border Router (6LBR) can act as an
>        RD (using the ABRO option to find that [RFC6775]).  Confirmation
>        can be obtained by sending a Unicast to "coap://[6LBR]/.well-
>        known/core?rt=core.rd*".
> 
> nit(?): I was unaware that "Unicast" was a proper noun.

response:

Addressed in https://github.com/core-wg/resource-directory/pull/277.

> Section 4.3
> 
>    "core.rd" in the query string.  Likewise, a Resource Type parameter
>    value of "core.rd-lookup*" is used to discover the URIs for RD Lookup
>    operations, core.rd* is used to discover all URI paths for RD
>    operations.  [...]
> 
> Is the distinction between URIs (for RD Lookup) and URI paths (for RD)
> important here?

response:

No, it isn't. Fixed in https://github.com/core-wg/resource-directory/pull/277.

>    While the link targets in this discovery step are often expressed in
>    path-absolute form, this is not a requirement.  Clients of the RD
>    SHOULD therefore accept URIs of all schemes they support, both as
>    URIs and relative references, and not limit the set of discovered
>    URIs to those hosted at the address used for URI discovery.
> 
> I'm not sure I see how the "not limit [...] to those hosted at the
> address used for URI discovery" follows from the non-requirement for
> expression of the link-targets from discovery in path-absolute form.
> (Given the ability to send the discovery query to a multicast address,
> the guidance seems okay; it's just the "therefore" that is puzzling me.)

response:

If it was a requirement on the server, the clients could rely on it and thus
implicitly limit the set by failing to parse the full URIs.

(It could say "explicitly or implicitly limit", but only the "implicitly
limit" case justifies the "therefore".)

>    It would typically be stored in an implementation information link
>    (as described in [I-D.bormann-t2trg-rel-impl]):
> 
>    Req: GET /.well-known/core?rel=impl-info
> 
> This seems to be depicting a link-relation type that is not registered
> at https://www.iana.org/assignments/link-relations/link-relations.xhtml
> , i.e., codepoint squatting.  Please put in a stronger disclaimer that
> this is an example link relation type, not just an example exchange.

response:

A note has been added that the type is just proposed in a WIP document (in
https://github.com/core-wg/resource-directory/pull/278).

> Section 5
> 
> These first few paragraphs give the impression that this is
> first-come-first-served with minimal authentication or authorization
> checking.  Mentioning that there are authorization checks, with a
> forward-reference, might be helpful.

response:

It's more a last-come-longest-remembered, but even the most minimal security
policies would ensure that the registration resources belong to the "same"
device (for whatever the policy defines as same).

Clarified in https://github.com/core-wg/resource-directory/pull/292.

>    further parameters (see Section 9.3).  The RD then creates a new
>    registration resource in the RD and returns its location.  The
> 
> Is this returned "registration resource" expected to function as a
> "capability URL" (https://www.w3.org/TR/capability-urls/) that would
> need to contain an appropriate amount of entropy to be reasonably
> unguessable by parties other than the registrant-ep/CT responsible for
> it?

response:

No, it is not a capability URL -- it will be discoverable through the endpoint
lookup interface.

Note that around ACE, bearer tokens (which capability URLs are) are generally
discouraged in favor of proof-of-possession tokens.

>    The registration request interface is specified as follows:
> 
>    Interaction:  EP -> RD
> 
> I thought that the CT could be a requestor as well as the EP.

response:

Yes it can be. The expression in the interaction tables is an artifact of the
CTs being a not-even-special case of EPs, but as we have both of them in the
rest of the text, so do we now in those lists. (Changes in
https://github.com/core-wg/resource-directory/pull/309).

>          well.  The endpoint name and sector name are not set when one
>          or both are set in an accompanying authorization token.
> 
> What should the RD do if they are set but also present in the
> accompanying authorization token?

response:

The wording has been updated in
https://github.com/core-wg/resource-directory/pull/273; it now (by
construction, but also explicitly) explains conflict handling.

>    Req: POST coap://rd.example.com/rd?ep=node1
>    Content-Format: 40
>    Payload:
>    </sensors/temp>;ct=41;rt="temperature-c";if="sensor",
> 
> (side note) XML for the sensors, not SenML?  With Carsten as an author,
> even? ;)

response:

This is clearly a mistake, and got removed in an emergency update in
https://github.com/core-wg/resource-directory/pull/279.

More seriously, though, these examples are from RFC6690 (which does not have
ct= entries for reasons of chronology), and keeping them aligned is a good
thing.

>    An RD may optionally support HTTP.  Here is an example of almost the
>    same registration operation above, when done using HTTP.
> 
>    Req:
>    POST /rd?ep=node1&base=http://[2001:db8:1::1] HTTP/1.1
>    Host: example.com
> 
> Wouldn't "Host: rd.example.com" be closer to "almost the same
> registration"?

response:

Fixed in https://github.com/core-wg/resource-directory/pull/277.

(I had brief qualms about introducing a protocol-negotiation situation here,
but performing "almost the same registration" over two protocols already
necessarily does that).

> Section 5.1
> 
> I'm a little uneasy about specifying new behavior for POST to the
> existin /.well-known/core that was defined by RFC 6690 for other uses.
> What factors go into using the same well-known URI vs. defining a new
> one for this usage?

response:

It-always-having-been-that-way, primarily. As no large deployments are known,
this is fixed in https://github.com/core-wg/resource-directory/pull/259
by switching to a standalone /.well-known/rd.

>    The sequence of fetching the registration content before sending a
>    successful response was chosen to make responses reliable, and the
>    caching item was chosen to still allow very constrained registrants.
> 
> I'm not sure what "the caching item" is supposed to be (if it's not a
> typo/misordering of words).

response:

Now phrased as "the point about caching" (in
https://github.com/core-wg/resource-directory/pull/277) which should
be easier to read. A few lines up we recommend that the RD caches the .wk/c,
and this provides the rationale.

> Section 5.3
> 
>    queries concerning this endpoint.  The RD SHOULD continue to provide
>    access to the Registration Resource after a registration time-out
>    occurs in order to enable the registering endpoint to eventually
>    refresh the registration.  The RD MAY eventually remove the
>    registration resource for the purpose of garbage collection.  If the
>    Registration Resource is removed, the corresponding endpoint will
>    need to be re-registered.
> 
> (This MAY is actually a MUST for the simple registration case, per §5.1,
> right?)

response:

No, it's a choice there as well. One server may keep them around forever, and
when the simple client comes back it'll show with the same registration
resource in the resource lookup. Another server may GC it and assign a
different registration resource when it returns.

> Section 5.3.1
> 
>    An update MAY update the lifetime or the base URI registration
>    parameters "lt", "base" as in Section 5.  Parameters that are not
> 
> What about the "extra-attrs"; are they inherently forbidden from
> updates?

response:

The introduction paragraph was overly specific and fixed in
https://github.com/core-wg/resource-directory/pull/294.

>                             base :=  Base URI (optional).  This
>          parameter updates the Base URI established in the original
>          registration to a new value.  If the parameter is set in an
>          update, it is stored by the RD as the new Base URI under which
>          to interpret the relative links present in the payload of the
>          original registration, following the same restrictions as in
>          the registration.  If the parameter is not set in the request
> 
> nit: is it the interpretation of relative links that is following the
> same restrictions as in the registration, or the new value of the
> parameter being supplied in the update?

response:

The restrictions apply to the new value, and were moved up there in
https://github.com/core-wg/resource-directory/pull/294.

>    The following example shows how the registering endpoint updates its
>    registration resource at an RD using this interface with the example
>    location value: /rd/4521.
> 
> The path component "4521" contains a worryingly small amount of
> unpredictableness; I would prefer examples that used longer random
> locations, as for capability URLs.  (Throughout the document, of
> course.)  See also draft-gont-numeric-ids-sec-considerations, that I'm
> AD sponsoring, though I do not see any clear issues on first glance.

response:

See comment on the original capability URL question -- they are not.

> (Also, it might be worth another sentence that this update is serving
> just to reset the lifetime, making no other changes, since this might be
> expected to be a common usage.)

response:

Stating purpose rather than mechanism now (since
https://github.com/core-wg/resource-directory/pull/294).

> Section 6
> 
> With "Resource Lookup" and "Endpoint Lookup" as (apparent) top-level
> siblings, would it make sense to put 6.2, or at least 6.3, as
> subsections under 6.1?

response:

It would from a hierarchical table-of-contents point of view, but given the
focus of lookup is on resource lookup, the existing sequence captures the
narrative of "With an RD, you can look up resources, here is how you use it,
here is what it looks like, and by the way if you really need it you can even
look at the registrations themselves".

> Section 6.1
> 
>    Resource lookup results in links that are semantically equivalent to
>    the links submitted to the RD.  The links and link parameters
>    returned by the lookup are equal to the submitted ones, except that
>    the target and anchor references are fully resolved.
> 
> Are the "submitted ones" the submissions at registration time, or during
> the lookup query itself?  (I assume registration-time, but being
> explicit costs little.)

response:

Some words added for clarity in
https://github.com/core-wg/resource-directory/pull/294.

>    If the base URI of a registration contains a link-local address, the
>    RD MUST NOT show its links unless the lookup was made from the same
>    link.  The RD MUST NOT include zone identifiers in the resolved URIs.
> 
> Same link as what?

response:

The link the endpoint sits on; clarified in
https://github.com/core-wg/resource-directory/pull/294.

> Section 6.2
> 
>    The page and count parameters are used to obtain lookup results in
>    specified increments using pagination, where count specifies how many
> 
> (We haven't introduced the page and count parameters yet.)

response:

Wording has been enhanced in
https://github.com/core-wg/resource-directory/pull/294.

>    operator as in Section 4.1 of [RFC6690].  Attributes that are defined
>    as "link-type" match if the search value matches any of their values
> 
> Where is it specified how an attribute might be "defined as
> 'link-type'"?  This is the only instance of the string "link-type" in
> this document, and it does not appear in RFC 6690 at all...

response:

That should have said "relation-types"; it does now, and also refers to
the 6690 ABNF (since
https://github.com/core-wg/resource-directory/pull/294.

>    references) and are matched against a resolved link target.  Queries
>    for endpoints SHOULD be expressed in path-absolute form if possible
>    and MUST be expressed in URI form otherwise; the RD SHOULD recognize
>    either.  The "anchor" attribute is usable for resource lookups, and,
>    if queried, MUST be for in URI form as well.
> 
> I don't see how it can be only a SHOULD to recognize either given these
> generation criteria.

response:

If the URI is on a different scheme/host, I assert things are clear. (Just to
ensure I didn't get your point wrong.)

Otherwise, in practice there can happen mistakes where server and client
disagree about the default values of the Uri-Scheme, Uri-Host and Uri-Port
options -- as anyone who's ever tried to set up an HTTP reverse proxy for a
WebDAV server can attest to. We're trying to avoid creating these situations,
but when they do happen. We don't automatically declare the offending party
broken by putting a MUST here, but encourage the peer to assist it. The client
can help by providing the relative reference (for then, disagreement passses
unnoticed), and the server by recognizing the full URI (for the client may have
obtained it and not know that it'd match what the server thinks is its Uri-Host
name).

(The "and MUST be expressed in URI form otherwise" sounds like a factual
necessity, but it is here to rule out the corner case of a client handing out
//hostname/path style references).

> Section 6.3
> 
>    The following example shows a client performing a lookup of all
>    resources of all endpoints of a given endpoint type.  It assumes that
>    two endpoints (with endpoint names "sensor1" and "sensor2") have
>    previously registered with their respective addresses
>    "coap://sensor1.example.com" and "coap://sensor2.example.com", and
>    posted the very payload of the 6th request of section 5 of [RFC6690].
> 
> Er, the 6th request is a GET; do we mean to say the response to the 6th
> request?

response:

Yes. Fixed in https://github.com/core-wg/resource-directory/pull/294.

> Section 6.4
> 
>    The endpoint lookup returns registration resources which can only be
>    manipulated by the registering endpoint.
> 
> This seems to leave it unclear whether the endpoint lookup is expected
> to return resources that the requestor will not have permission to
> manipulate (in addition to those it does have permission for).

response:

Clarified in https://github.com/core-wg/resource-directory/pull/294.

>    While Endpoint Lookup does expose the registration resources, the RD
>    does not need to make them accessible to clients.  Clients SHOULD NOT
>    attempt to dereference or manipulate them.
> 
> But why expose them at all if they're not going to be accessible?

response:

They serve as identifiers (think URI rather than URL), and may additionally be
used in implementation defined operations on the resource that could be allowed
for administrators. Last but not least, link-format (unlike the upcoming CoRAL)
does not have means of talking about something without naming it.

(I do see the point, and if we started RD anew with the benefit of having
CoRAL, chances are this would look a bit different, and the names would not be
exposed to just any lookup client).

The WG discussion of this did, however, lead to a point added to the security
considerations about the RD's choice of what to put in there (change in
https://github.com/core-wg/resource-directory/pull/267).

>    An RD can report endpoints in lookup that are not hosted at the same
>    address.  [...]
> 
> The "same address" as what?

response:

Sharpened in https://github.com/core-wg/resource-directory/pull/294.

> Section 7.1
> 
>    Whenever an RD needs to provide trustworthy results to clients doing
>    endpoint lookup, or resource lookup with filtering on the endpoint
> 
> How will the RD know whether the client is expecting trustworthy
> results?  (When would a client *not* expect trustworthy results?)

response:

It won't per-client, it is configured for one. See GENERIC-WHOPICKSMODEL.

>    name, the RD must ensure that the registrant is authorized to use the
>    given endpoint name.  This applies both to registration and later to
>    operations on the registration resource.  It is immaterial there
>    whether the client is the registrant-ep itself or a CT is doing the
>    registration: The RD can not tell the difference, and CTs may use
> 
> I suppose there might be plausible authorization models where a
> return-routability check to a given address constitutes authorization to
> use that address as an endpoint name, in which case the RD can tell the
> difference between a registrant-ep and a CT attempting to act on its
> behalf.

WGF-6
response:

The RD might do such checks, but then again the EP might just be using
different network interfaces simultaneously. At that point where the EP uses a
different (and usually dormant) network interface for registration, the line
between EP and the CT gets blurry; we tolerate that blurriness because the
distinction is not so much a technical one (the REST server does not care
whether the request originates at its network peer, is proxied through there or
sent from there on behalf of someone completely different) as long as the
credentials are good.

Frankly, I'm personally not too happy with distinguishing CTs in the first
place; it is more reflective of what I understand to be an industry practice
than a distinction in this CoAP application.

>    When certificates are used as authorization credentials, the
>    sector(s) and endpoint name(s) can be transported in the subject.  In
>    an ACE context, those are typically transported in a scope claim.
> 
> As Russ noted in the Gen-ART review, "transported in the subject" is
> sufficiently vague to not really be actionable.  It might be better to
> say that the holder of the private key corresponding to the public key
> certified in the certificate is generally considered authorized to act
> on behalf of any identities (including endpoint names) contained in the
> certificate's subject name.

response:

See GENERIC-SUBJECT.

> Section 7.1.1
> 
>    Conversely, in applications where the RD does not check the endpoint
>    name, the authorized registering endpoint can generate a random
>    number (or string) that identifies the endpoint.  The RD should then
> 
> How much entropy/randomness in the random name?  Does a CSPRNG need to
> be used?  (I do see the follow-up about doubling the length in case of
> failure or starting with a UUID if that's not possible, but some
> guidance on where to start still seems appropriate.)

respond:

There is no requirement here as collisions only result in retries.

For those cases where the client implementer thinks they can get away with not
implementing retry, UUID URNs are pointed to, which themselves cover the topic.

> Section 7.2
> 
>    When lookup clients expect that certain types of links can only
>    originate from certain endpoints, then the RD needs to apply
>    filtering to the links an endpoint may register.
> 
> As before, how will the RD know what behavior clients are relying on?

response:

It will not. It may, however, advertise it explicitly. If, for example, an
application like LwM2M always ensures trusted endpoint names, the RD may
advertise as rt="core.rd-lokup-ep example.lwm2m", and then clients that trust
that metadatum (which they'll want to verify from some claim) know they can
trust the RD to have checked ep names.

See also GENERIC-WHOPICKSMODEL

>    An RD may also require that only links are registered on whose anchor
>    (or even target) the RD recognizes as authoritative of.  One way to
> 
> I don't think I can parse this sentence (especially "the RD recognizes
> as authoritative of").

response:

Rephrased to "require that links are only registered if the registrant is
authorized to publish information about the anchor [...] of the link." in
https://github.com/core-wg/resource-directory/pull/294.

> Section 8
> 
> In contexts where we discuss DTLS and TLS as being generally comparable,
> we typically will state that DTLS replay protection is required in order
> to provide equivalent levels of protection.

response:

This item rippled quite a bit beyond the original response of "Huh? CoAP
doesn't already do this? Well, here we need it".

As things stand, requiring replay protection make it harder to exploit the
issue described at OPEN-REPLAY-FRESHNESS, but once that is addressed for good,
replay protection should not be necessary any more for the RD, as all its
operations are becoming long-term idempotent.

> We might also want to reiterate or refer back to the previous discussion
> of the potential for attributes or resource/endpoint names, link
> relations, etc. that may need to be confidential, the relevant access
> control/filtering, and the avenues by which disclosure of resource names
> can occur even when access to those resources will not be permitted.  (I
> think some of this overlaps with 8288 and 6690, but don't mind repeating
> it.)

response:

There is a pointer back saying that the necessary access control depends on the
protection objectives set in the policies (since
https://github.com/core-wg/resource-directory/pull/250).

> Section 8.1
> 
> It's probably worth reiterating that all name comparisons must be done
> at sector scope (since failing to do so can lead to attacks).

response:

It is; fixed since https://github.com/core-wg/resource-directory/pull/296.

>    Endpoint authentication needs to be checked independently of whether
>    there are configured requirements on the credentials for a given
>    endpoint name (Section 7.1) or whether arbitrary names are accepted
>    (Section 7.1.1).
> 
> I think this is more properly authorization than authentication.

response:

Yes; fixed in https://github.com/core-wg/resource-directory/pull/271.

> Section 8.3
> 
>    attacks.  There is also a danger that NTP Servers could become
>    implicated in denial-of-service (DoS) attacks since they run on
>    unprotected UDP, there is no return routability check, and they can
>    have a large amplification factor.  The responses from the NTP server
>    were found to be 19 times larger than the request.  An RD which
> 
> (It's not clear to me why the specific discussion of NTP numbers is
> relevant here, since RD is not NTP.)

response:

The section has been shortened in
https://github.com/core-wg/resource-directory/pull/249.

> Section 9.3
> 
> Should we also include "rt" in the initial entries?  I see it is used as
> a query parameter for resource lookup in the examples in Section 6.3.

response:

It's used as is any other link attribute. There's no registry for them, and
while there's been talk over ond over that it would be nice, I don't think
there will be any until linkformat-CoRAL conversion is defined (and even then
it may not be comprehensive). Selectively picking some distinguished common
link attributes into this registry won't make things less messy.

The prime line of defense against this getting messy is the expert guidance
that for some types of parameters their short names should be checked against
"commonly used target attributes".


>    *  indication of whether it can be passed as a query parameter at
>       registration of endpoints, as a query parameter in lookups, or be
>       expressed as a target attribute,
>
> (Since this text does not clarify about lookup of endpoints vs.
> resources...
> 
>    Review" as described in [RFC8126].  The evaluation should consider
>    formal criteria, duplication of functionality (Is the new entry
>    redundant with an existing one?), topical suitability (E.g. is the
>    described property actually a property of the endpoint and not a
>    property of a particular resource, in which case it should go into
>    the payload of the registration and need not be registered?), and the
> 
> ... and this text suggests that query parameters for *resource* lookups
> need not be registered.)
> 
>    potential for conflict with commonly used target attributes (For
>    example, "if" could be used as a parameter for conditional
>    registration if it were not to be used in lookup or attributes, but
>    would make a bad parameter for lookup, because a resource lookup with
>    an "if" query parameter could ambiguously filter by the registered
>    endpoint property or the [RFC6690] target attribute).
> 
> Then why do we use it as an example of lookup filtering in Section 6.2?

response:

The text suggests that target attributes for registered resources need not be
registered. These unregistered wild-west attribute names can be used both with
resource lookups (matching only resources which), and in endpoint lookups
(matching endpoints that contain any resource which).

If `if` were to be put in for use in an RD parameter used with lookup, that
would not per se create ambiguous queries (the rules would still say "matches
either"), but the results would be prone to causing confusion.

> Section 10.1.2
> 
> Should we really be using unregistered resource types (i.e., codepoint
> squatting) in the examples?

response:

Addressed together with the earlier code squatting comments in
https://github.com/core-wg/resource-directory/pull/266.

>    After the filling of the RD by the CT, the application in the
>    luminaries can learn to which groups they belong, and enable their
>    interface for the multicast address.
> 
> Just to check: the luminaries are learning their own group membership by
> querying the resource directory?

response:

Not directly. They (in this very particular example that seems to be based on
industry process but which I'd not necessarily recommend for imitation) use a
heuristic to find any multicast URI they might possibly provide, and join that
group.

> Section 10.2.2
> 
> Please expand MSISDN.

response:

Taking a step back from this and other comments led to a drastical shortening
of the example.

See also GENERIC-ODDEXAMPLES

> Section 13.2
> 
> I think RFC 7252 should probably be normative.
> 
> Likewise for RFC 8288 ("the query parameter MUST be [...] a token as
> used in [RFC8288]").

response:

RFC7252 (CoAP) and RFC7230 (HTTP) were promoted to a normative reference.
(RFC7641 (CoAP observe) wasc left as informative because while they are
optional components, RD is not so much specified using them but more happens to
combine with them).

RFC8288 was also promoted, but not due to the quoted line (that's not
implementation relevant but merely setting out rules for the registry
operation), but because we explicitly pull it in in terminology and the
information model.

(Changes in https://github.com/core-wg/resource-directory/pull/307).