Re: [core] Benjamin Kaduk's Discuss on draft-ietf-core-resource-directory-25: (with DISCUSS and COMMENT)

[Barry Leiba <barryleiba@computer.org>]

Ping...

On Fri, Jan 29, 2021 at 10:05 AM Barry Leiba <barryleiba@computer.org> wrote:
>
> Ben, can you check version -26 and see how much of your ballot is
> addressed there?
>
> Christian, do you think you've addressed all of Ben's issues in -26?
>
> Barry
>
> On Tue, Nov 3, 2020 at 12:28 PM Christian Amsüss <christian@amsuess.com> wrote:
> >
> > (This is one of the point-to-point follow-up mails on the RD -25
> > reviews; for the preface, please see the preceding mail on "The various
> > positions on draft-ietf-core-resource-directory-25" at
> > <https://mailarchive.ietf.org/arch/msg/core/xWLomwwhovkU-CPGNxnvs40BhaM/>).
> >
> > As DISCUSS:
> >
> > > I agree with Roman that the authorization model seems under-developed.
> > > While I recognize that there is need for flexibility across various
> > > deployments, I think that we should be providing a default model (and
> > > procedures for it) that will apply in many cases, and let
> > > deployments specify alternate models if needed.  This stuff is hard
> > > enough to get right that we should have a secure option that people can
> > > use if they don't need to have customized details.  (To be clear, I
> > > agree with the change of focus from -24 to -25 on the properties that a
> > > security policy needs to provide and/or consider, as that is
> > > fundamentally the important thing.  I just want a fallback/default
> > > option that "does something reasonable in most cases" in addition.
> > > Doing that by reference to some other existing thing would be fine, if
> > > such a thing exists.)
> >
> > response:
> >
> > There is no external policy we could reference, so a new section was created.
> > The First-Come-First-Remembered policy implements one of the candidates that
> > were considered for this role, and was picked because unlike its "endpoint name
> > comes from the certificate" it is a mode which an implementation can use
> > without any further configuration whatsoever.
> >
> > The related changes can be viewed in
> > https://github.com/core-wg/resource-directory/issues/258.
> >
> > > In particular, the current text seems to rely on the authorization
> > > model including:
> > >
> > > (1) the RD knowing how clients will be using it (and thus what
> > > properties the RD needs to enforce), which in the general case cannot be
> > > known (though for static networks it could be), yet I don't see any
> > > discussion that indicates this as a prerequisite; and
> > >
> > > (2) the client either knowing out-of-band that an entity is authorized
> > > to act as a RD or just blindly trusting any of the unauthenticated (*)
> > > advertisement mechanisms.  (* Yes, there may be some protection in the
> > > network on subscribing to the relevant multicast address, DNS-SD, etc.,
> > > but the client cannot a priori know that such protections are in place.)
> > >
> > > Relatedly, the naming model and naming authority should have some
> > > clearer discussion.  We do mention in Section 7 the possibility for a
> > > weak naming model where the RD is responsible for enforcing uniqueness
> > > of names but otherwise link attributes are the primary authorization
> > > criteria (vs. a traditional scheme with a naming authority and naming
> > > hierarchy), but with naming as a fundamental prerequisite of any
> > > authentication/authorization scheme, I think clearer discussion of how a
> > > naming model is to be selected (and, perhaps more importantly, that it
> > > must be fixed as part of a given deployment) for a given network is
> > > needed.
> >
> > respond:
> >
> > The responsibilities are the other way around. The RD does not need to know the
> > clients' expectations, the clients may only expect things they know to be true
> > of the RD.
> >
> > See GENERIC-WHOPICKSMODEL.
> >
> > > If I understand correctly, we have some codepoint squatting going on in
> > > the examples (e.g., for resource types).
> >
> > response:
> >
> > The rt=temperature-c, rt=light-lux and if=sensor are used where endpoints
> > mimick the examples of RFC6690; it is a point here to have things look just
> > like in direct discovery.
> >
> > The if=core.a and if=core.p use values from the expired and partially abandoned
> > core-interfaces -- given its future is unclear, they've been replaced by
> > examples with tag URIs, as has the et=oic.d.sensor (a value that's registered,
> > but not to for et but for rt) and rt="light"; rt=sensor was dropped as it was
> > not essential to the example.
> >
> > The individual changes are listed in
> > https://github.com/core-wg/resource-directory/pull/266.
> >
> > > We should talk about the security properties of the various RD discovery
> > > mechanisms that are defined.
> >
> > response:
> >
> > A section was added in the security considerations on this topic (see
> > https://github.com/core-wg/resource-directory/pull/275 for text
> > changes). It does not go into the properties of each mechanism, as the host
> > discovery steps are generally unprotected; instead, it emphasizes the
> > importance of checking the RD's authorization for any security properties the
> > client would expect. In the context of the server authorization topic (see
> > OPEN-SERVER), it was added that if the authorization is conditional on the
> > resources being advertised with a particular resource type, that authorization
> > already needs to be checked during the discovery phase (details in
> > https://github.com/core-wg/resource-directory/pull/306).
> >
> > As COMMENT:
> >
> > > My apologies for where these comments diverge off into rambling
> > > incoherency, or where I'm misunderstanding something that's clearly laid
> > > out; this document had the misfortune of being the last one I got to
> > > this week.
> > >
> > > Section 1
> > >
> > >    [RFC6690] only describes how to discover resources from the web
> > >    server that hosts them by querying "/.well-known/core".  In many
> > >    constrained scenarios, direct discovery of resources is not practical
> > >    due to sleeping nodes, disperse networks, or networks where multicast
> > >    traffic is inefficient.  These problems can be solved by employing an
> > >    entity called a Resource Directory (RD), which contains information
> > >    about resources held on other servers, allowing lookups to be
> > >    performed for those resources.
> > >
> > > nit(?): I'd consider specifying that the RD is "a trusted entity".
> > > (Even when the resources themselves are authenticated, a hostile RD can
> > > still deny existence of a given resource, so by choosing to use an RD
> > > there is some level of trust involved.)
> >
> > response:
> >
> > Putting it in there as a trusted entity would give the reader a wrong
> > impression of the general case. Any trust placed in the RD must be earned by a
> > security policy backed by the RD's credentials.
> >
> > > Section 2
> > >
> > >    Resource Directory (RD)
> > >       A web entity that stores information about web resources and
> > >       implements the REST interfaces defined in this specification for
> > >       discovery, for the creation, the maintenance and the removal of
> > >       registrations, and for lookup of the registered resources.
> > >
> > > nit: the list structure is not parallel here.  Maybe "for discovery,
> > > creation, maintenance, and removal of registrations, and for lookup of
> > > the registered resources"?
> >
> > response:
> >
> > The intended structure that's linearized into the sadly untreeish structure of
> > written language was
> >
> > * discovery
> > * of registrations
> >   - creation
> >   - maintenance
> >   - removal
> > * lookup
> >
> > I think this is what the current text expresses, whereas the proposed one
> > groups discovery with "of registrations", while it's more a top-level thing.
> >
> > >    Commissioning Tool
> > >       Commissioning Tool (CT) is a device that assists during the
> > >       installation of the network by assigning values to parameters,
> > >       naming endpoints and groups, or adapting the installation to the
> > >       needs of the applications.
> > >
> > > Is "the installation of the network" a one-time event?   (Might a CT be
> > > involved when adding a new device to a network at a later time?)
> >
> > response:
> >
> > CTs can come back to help new devices into the network; the text has been
> > clarified to that point in
> > https://github.com/core-wg/resource-directory/pull/295.
> >
> > There are remaining questions about how long a network can operate autonomously
> > while the CT is absent and can thus not refresh registrations, but those exceed
> > the scope of the document. (Discussed at
> > https://github.com/core-wg/resource-directory/issues/290).
> >
> > > Section 3.1
> > >
> > >    Information SHOULD only be stored in the RD if it can be obtained by
> > >    querying the described device's /.well-known/core resource directly.
> > >
> > > When might that not be the case?
> >
> > response:
> >
> > The prime example here is with devices that don't even have a copy of what they
> > might want to (but can't for resource constraints) express there; those use a
> > CT to do their work.
> >
> > The second example I can come up with is when devices have complex
> > confidentiality requirements on the links, but rely on the RD and thus publish
> > data to an authorized RD of which they don't even know who precisely might be
> > authorized to read them.
> >
> > > Section 3.2
> > >
> > >    The RD architecture is illustrated in Figure 1.  An RD is used as a
> > >    repository of registrations describing resources hosted on other web
> > >    servers, also called endpoints (EP).  An endpoint is a web server
> > >    associated with a scheme, IP address and port.  A physical node may
> > >
> > > (side note) hmm, I feel like in the HTTP world an endpoint is more
> > > likely to be associated with a DNS name than an IP address, in common
> > > usage.  Also, we later go on to assert that the endpoint's name has
> > > primacy and that the IP address/port can be ephemeral.
> >
> > response:
> >
> > This is leading the reader from the CoAP definition of endpoints to the
> > endpoints as registrants as used in the RD.
> >
> > >    An endpoint uses specific interfaces to register, update and remove a
> > >    registration.  It is also possible for an RD to fetch Web Links from
> > >    endpoints and add their contents to its registrations.
> > >
> > >    At the first registration of an endpoint, a "registration resource"
> > >    is created, the location of which is returned to the registering
> > >    endpoint.  The registering endpoint uses this registration resource
> > >    to manage the contents of registrations.
> > >
> > > Does the "RD fetches links unilaterally" case count as a "first
> > > registration of an endpoint"?  I'm having a hard time seeing how these
> > > two statements are consistent with each other, and a naive reading
> > > admits the possibility that a given endpoint could be "locked out" of
> > > the ability to manage the contents of its registrations.
> >
> > response:
> >
> > The act of the endpoint triggering the RD to fetch links from it is the
> > creation. And the "locking out" is the correct reading -- a client that uses
> > simple client has no way of managing the contents. If it were capable enough to
> > do that, it'd go the regular registration route.
> >
> > > Section 4
> > >
> > >    REST clients (registrant-EPs and CTs during registration and
> > >    maintenance, lookup clients, RD servers during simple registrations)
> > >    MUST be prepared to receive any unsuccessful code and act upon it
> > >    according to its definition, options and/or payload to the best of
> > >    their capabilities, falling back to failing the operation if recovery
> > >    is not possible.  In particular, they should retry the request upon
> > >
> > > "MUST be prepared [...] to the best of their abilities" seems
> > > non-actionable.  The stuff after "In particular", on the other hand, is
> > > actual concrete guidance that could be mandated using normative
> > > language.
> >
> > response:
> >
> > Right; fixed in https://github.com/core-wg/resource-directory/pull/276.
> >
> > > Section 4.1
> > >
> > >    1.  In a 6LoWPAN, just assume the Border Router (6LBR) can act as an
> > >        RD (using the ABRO option to find that [RFC6775]).  Confirmation
> > >        can be obtained by sending a Unicast to "coap://[6LBR]/.well-
> > >        known/core?rt=core.rd*".
> > >
> > > nit(?): I was unaware that "Unicast" was a proper noun.
> >
> > response:
> >
> > Addressed in https://github.com/core-wg/resource-directory/pull/277.
> >
> > > Section 4.3
> > >
> > >    "core.rd" in the query string.  Likewise, a Resource Type parameter
> > >    value of "core.rd-lookup*" is used to discover the URIs for RD Lookup
> > >    operations, core.rd* is used to discover all URI paths for RD
> > >    operations.  [...]
> > >
> > > Is the distinction between URIs (for RD Lookup) and URI paths (for RD)
> > > important here?
> >
> > response:
> >
> > No, it isn't. Fixed in https://github.com/core-wg/resource-directory/pull/277.
> >
> > >    While the link targets in this discovery step are often expressed in
> > >    path-absolute form, this is not a requirement.  Clients of the RD
> > >    SHOULD therefore accept URIs of all schemes they support, both as
> > >    URIs and relative references, and not limit the set of discovered
> > >    URIs to those hosted at the address used for URI discovery.
> > >
> > > I'm not sure I see how the "not limit [...] to those hosted at the
> > > address used for URI discovery" follows from the non-requirement for
> > > expression of the link-targets from discovery in path-absolute form.
> > > (Given the ability to send the discovery query to a multicast address,
> > > the guidance seems okay; it's just the "therefore" that is puzzling me.)
> >
> > response:
> >
> > If it was a requirement on the server, the clients could rely on it and thus
> > implicitly limit the set by failing to parse the full URIs.
> >
> > (It could say "explicitly or implicitly limit", but only the "implicitly
> > limit" case justifies the "therefore".)
> >
> > >    It would typically be stored in an implementation information link
> > >    (as described in [I-D.bormann-t2trg-rel-impl]):
> > >
> > >    Req: GET /.well-known/core?rel=impl-info
> > >
> > > This seems to be depicting a link-relation type that is not registered
> > > at https://www.iana.org/assignments/link-relations/link-relations.xhtml
> > > , i.e., codepoint squatting.  Please put in a stronger disclaimer that
> > > this is an example link relation type, not just an example exchange.
> >
> > response:
> >
> > A note has been added that the type is just proposed in a WIP document (in
> > https://github.com/core-wg/resource-directory/pull/278).
> >
> > > Section 5
> > >
> > > These first few paragraphs give the impression that this is
> > > first-come-first-served with minimal authentication or authorization
> > > checking.  Mentioning that there are authorization checks, with a
> > > forward-reference, might be helpful.
> >
> > response:
> >
> > It's more a last-come-longest-remembered, but even the most minimal security
> > policies would ensure that the registration resources belong to the "same"
> > device (for whatever the policy defines as same).
> >
> > Clarified in https://github.com/core-wg/resource-directory/pull/292.
> >
> > >    further parameters (see Section 9.3).  The RD then creates a new
> > >    registration resource in the RD and returns its location.  The
> > >
> > > Is this returned "registration resource" expected to function as a
> > > "capability URL" (https://www.w3.org/TR/capability-urls/) that would
> > > need to contain an appropriate amount of entropy to be reasonably
> > > unguessable by parties other than the registrant-ep/CT responsible for
> > > it?
> >
> > response:
> >
> > No, it is not a capability URL -- it will be discoverable through the endpoint
> > lookup interface.
> >
> > Note that around ACE, bearer tokens (which capability URLs are) are generally
> > discouraged in favor of proof-of-possession tokens.
> >
> > >    The registration request interface is specified as follows:
> > >
> > >    Interaction:  EP -> RD
> > >
> > > I thought that the CT could be a requestor as well as the EP.
> >
> > response:
> >
> > Yes it can be. The expression in the interaction tables is an artifact of the
> > CTs being a not-even-special case of EPs, but as we have both of them in the
> > rest of the text, so do we now in those lists. (Changes in
> > https://github.com/core-wg/resource-directory/pull/309).
> >
> > >          well.  The endpoint name and sector name are not set when one
> > >          or both are set in an accompanying authorization token.
> > >
> > > What should the RD do if they are set but also present in the
> > > accompanying authorization token?
> >
> > response:
> >
> > The wording has been updated in
> > https://github.com/core-wg/resource-directory/pull/273; it now (by
> > construction, but also explicitly) explains conflict handling.
> >
> > >    Req: POST coap://rd.example.com/rd?ep=node1
> > >    Content-Format: 40
> > >    Payload:
> > >    </sensors/temp>;ct=41;rt="temperature-c";if="sensor",
> > >
> > > (side note) XML for the sensors, not SenML?  With Carsten as an author,
> > > even? ;)
> >
> > response:
> >
> > This is clearly a mistake, and got removed in an emergency update in
> > https://github.com/core-wg/resource-directory/pull/279.
> >
> > More seriously, though, these examples are from RFC6690 (which does not have
> > ct= entries for reasons of chronology), and keeping them aligned is a good
> > thing.
> >
> > >    An RD may optionally support HTTP.  Here is an example of almost the
> > >    same registration operation above, when done using HTTP.
> > >
> > >    Req:
> > >    POST /rd?ep=node1&base=http://[2001:db8:1::1] HTTP/1.1
> > >    Host: example.com
> > >
> > > Wouldn't "Host: rd.example.com" be closer to "almost the same
> > > registration"?
> >
> > response:
> >
> > Fixed in https://github.com/core-wg/resource-directory/pull/277.
> >
> > (I had brief qualms about introducing a protocol-negotiation situation here,
> > but performing "almost the same registration" over two protocols already
> > necessarily does that).
> >
> > > Section 5.1
> > >
> > > I'm a little uneasy about specifying new behavior for POST to the
> > > existin /.well-known/core that was defined by RFC 6690 for other uses.
> > > What factors go into using the same well-known URI vs. defining a new
> > > one for this usage?
> >
> > response:
> >
> > It-always-having-been-that-way, primarily. As no large deployments are known,
> > this is fixed in https://github.com/core-wg/resource-directory/pull/259
> > by switching to a standalone /.well-known/rd.
> >
> > >    The sequence of fetching the registration content before sending a
> > >    successful response was chosen to make responses reliable, and the
> > >    caching item was chosen to still allow very constrained registrants.
> > >
> > > I'm not sure what "the caching item" is supposed to be (if it's not a
> > > typo/misordering of words).
> >
> > response:
> >
> > Now phrased as "the point about caching" (in
> > https://github.com/core-wg/resource-directory/pull/277) which should
> > be easier to read. A few lines up we recommend that the RD caches the .wk/c,
> > and this provides the rationale.
> >
> > > Section 5.3
> > >
> > >    queries concerning this endpoint.  The RD SHOULD continue to provide
> > >    access to the Registration Resource after a registration time-out
> > >    occurs in order to enable the registering endpoint to eventually
> > >    refresh the registration.  The RD MAY eventually remove the
> > >    registration resource for the purpose of garbage collection.  If the
> > >    Registration Resource is removed, the corresponding endpoint will
> > >    need to be re-registered.
> > >
> > > (This MAY is actually a MUST for the simple registration case, per §5.1,
> > > right?)
> >
> > response:
> >
> > No, it's a choice there as well. One server may keep them around forever, and
> > when the simple client comes back it'll show with the same registration
> > resource in the resource lookup. Another server may GC it and assign a
> > different registration resource when it returns.
> >
> > > Section 5.3.1
> > >
> > >    An update MAY update the lifetime or the base URI registration
> > >    parameters "lt", "base" as in Section 5.  Parameters that are not
> > >
> > > What about the "extra-attrs"; are they inherently forbidden from
> > > updates?
> >
> > response:
> >
> > The introduction paragraph was overly specific and fixed in
> > https://github.com/core-wg/resource-directory/pull/294.
> >
> > >                             base :=  Base URI (optional).  This
> > >          parameter updates the Base URI established in the original
> > >          registration to a new value.  If the parameter is set in an
> > >          update, it is stored by the RD as the new Base URI under which
> > >          to interpret the relative links present in the payload of the
> > >          original registration, following the same restrictions as in
> > >          the registration.  If the parameter is not set in the request
> > >
> > > nit: is it the interpretation of relative links that is following the
> > > same restrictions as in the registration, or the new value of the
> > > parameter being supplied in the update?
> >
> > response:
> >
> > The restrictions apply to the new value, and were moved up there in
> > https://github.com/core-wg/resource-directory/pull/294.
> >
> > >    The following example shows how the registering endpoint updates its
> > >    registration resource at an RD using this interface with the example
> > >    location value: /rd/4521.
> > >
> > > The path component "4521" contains a worryingly small amount of
> > > unpredictableness; I would prefer examples that used longer random
> > > locations, as for capability URLs.  (Throughout the document, of
> > > course.)  See also draft-gont-numeric-ids-sec-considerations, that I'm
> > > AD sponsoring, though I do not see any clear issues on first glance.
> >
> > response:
> >
> > See comment on the original capability URL question -- they are not.
> >
> > > (Also, it might be worth another sentence that this update is serving
> > > just to reset the lifetime, making no other changes, since this might be
> > > expected to be a common usage.)
> >
> > response:
> >
> > Stating purpose rather than mechanism now (since
> > https://github.com/core-wg/resource-directory/pull/294).
> >
> > > Section 6
> > >
> > > With "Resource Lookup" and "Endpoint Lookup" as (apparent) top-level
> > > siblings, would it make sense to put 6.2, or at least 6.3, as
> > > subsections under 6.1?
> >
> > response:
> >
> > It would from a hierarchical table-of-contents point of view, but given the
> > focus of lookup is on resource lookup, the existing sequence captures the
> > narrative of "With an RD, you can look up resources, here is how you use it,
> > here is what it looks like, and by the way if you really need it you can even
> > look at the registrations themselves".
> >
> > > Section 6.1
> > >
> > >    Resource lookup results in links that are semantically equivalent to
> > >    the links submitted to the RD.  The links and link parameters
> > >    returned by the lookup are equal to the submitted ones, except that
> > >    the target and anchor references are fully resolved.
> > >
> > > Are the "submitted ones" the submissions at registration time, or during
> > > the lookup query itself?  (I assume registration-time, but being
> > > explicit costs little.)
> >
> > response:
> >
> > Some words added for clarity in
> > https://github.com/core-wg/resource-directory/pull/294.
> >
> > >    If the base URI of a registration contains a link-local address, the
> > >    RD MUST NOT show its links unless the lookup was made from the same
> > >    link.  The RD MUST NOT include zone identifiers in the resolved URIs.
> > >
> > > Same link as what?
> >
> > response:
> >
> > The link the endpoint sits on; clarified in
> > https://github.com/core-wg/resource-directory/pull/294.
> >
> > > Section 6.2
> > >
> > >    The page and count parameters are used to obtain lookup results in
> > >    specified increments using pagination, where count specifies how many
> > >
> > > (We haven't introduced the page and count parameters yet.)
> >
> > response:
> >
> > Wording has been enhanced in
> > https://github.com/core-wg/resource-directory/pull/294.
> >
> > >    operator as in Section 4.1 of [RFC6690].  Attributes that are defined
> > >    as "link-type" match if the search value matches any of their values
> > >
> > > Where is it specified how an attribute might be "defined as
> > > 'link-type'"?  This is the only instance of the string "link-type" in
> > > this document, and it does not appear in RFC 6690 at all...
> >
> > response:
> >
> > That should have said "relation-types"; it does now, and also refers to
> > the 6690 ABNF (since
> > https://github.com/core-wg/resource-directory/pull/294.
> >
> > >    references) and are matched against a resolved link target.  Queries
> > >    for endpoints SHOULD be expressed in path-absolute form if possible
> > >    and MUST be expressed in URI form otherwise; the RD SHOULD recognize
> > >    either.  The "anchor" attribute is usable for resource lookups, and,
> > >    if queried, MUST be for in URI form as well.
> > >
> > > I don't see how it can be only a SHOULD to recognize either given these
> > > generation criteria.
> >
> > response:
> >
> > If the URI is on a different scheme/host, I assert things are clear. (Just to
> > ensure I didn't get your point wrong.)
> >
> > Otherwise, in practice there can happen mistakes where server and client
> > disagree about the default values of the Uri-Scheme, Uri-Host and Uri-Port
> > options -- as anyone who's ever tried to set up an HTTP reverse proxy for a
> > WebDAV server can attest to. We're trying to avoid creating these situations,
> > but when they do happen. We don't automatically declare the offending party
> > broken by putting a MUST here, but encourage the peer to assist it. The client
> > can help by providing the relative reference (for then, disagreement passses
> > unnoticed), and the server by recognizing the full URI (for the client may have
> > obtained it and not know that it'd match what the server thinks is its Uri-Host
> > name).
> >
> > (The "and MUST be expressed in URI form otherwise" sounds like a factual
> > necessity, but it is here to rule out the corner case of a client handing out
> > //hostname/path style references).
> >
> > > Section 6.3
> > >
> > >    The following example shows a client performing a lookup of all
> > >    resources of all endpoints of a given endpoint type.  It assumes that
> > >    two endpoints (with endpoint names "sensor1" and "sensor2") have
> > >    previously registered with their respective addresses
> > >    "coap://sensor1.example.com" and "coap://sensor2.example.com", and
> > >    posted the very payload of the 6th request of section 5 of [RFC6690].
> > >
> > > Er, the 6th request is a GET; do we mean to say the response to the 6th
> > > request?
> >
> > response:
> >
> > Yes. Fixed in https://github.com/core-wg/resource-directory/pull/294.
> >
> > > Section 6.4
> > >
> > >    The endpoint lookup returns registration resources which can only be
> > >    manipulated by the registering endpoint.
> > >
> > > This seems to leave it unclear whether the endpoint lookup is expected
> > > to return resources that the requestor will not have permission to
> > > manipulate (in addition to those it does have permission for).
> >
> > response:
> >
> > Clarified in https://github.com/core-wg/resource-directory/pull/294.
> >
> > >    While Endpoint Lookup does expose the registration resources, the RD
> > >    does not need to make them accessible to clients.  Clients SHOULD NOT
> > >    attempt to dereference or manipulate them.
> > >
> > > But why expose them at all if they're not going to be accessible?
> >
> > response:
> >
> > They serve as identifiers (think URI rather than URL), and may additionally be
> > used in implementation defined operations on the resource that could be allowed
> > for administrators. Last but not least, link-format (unlike the upcoming CoRAL)
> > does not have means of talking about something without naming it.
> >
> > (I do see the point, and if we started RD anew with the benefit of having
> > CoRAL, chances are this would look a bit different, and the names would not be
> > exposed to just any lookup client).
> >
> > The WG discussion of this did, however, lead to a point added to the security
> > considerations about the RD's choice of what to put in there (change in
> > https://github.com/core-wg/resource-directory/pull/267).
> >
> > >    An RD can report endpoints in lookup that are not hosted at the same
> > >    address.  [...]
> > >
> > > The "same address" as what?
> >
> > response:
> >
> > Sharpened in https://github.com/core-wg/resource-directory/pull/294.
> >
> > > Section 7.1
> > >
> > >    Whenever an RD needs to provide trustworthy results to clients doing
> > >    endpoint lookup, or resource lookup with filtering on the endpoint
> > >
> > > How will the RD know whether the client is expecting trustworthy
> > > results?  (When would a client *not* expect trustworthy results?)
> >
> > response:
> >
> > It won't per-client, it is configured for one. See GENERIC-WHOPICKSMODEL.
> >
> > >    name, the RD must ensure that the registrant is authorized to use the
> > >    given endpoint name.  This applies both to registration and later to
> > >    operations on the registration resource.  It is immaterial there
> > >    whether the client is the registrant-ep itself or a CT is doing the
> > >    registration: The RD can not tell the difference, and CTs may use
> > >
> > > I suppose there might be plausible authorization models where a
> > > return-routability check to a given address constitutes authorization to
> > > use that address as an endpoint name, in which case the RD can tell the
> > > difference between a registrant-ep and a CT attempting to act on its
> > > behalf.
> >
> > WGF-6
> > response:
> >
> > The RD might do such checks, but then again the EP might just be using
> > different network interfaces simultaneously. At that point where the EP uses a
> > different (and usually dormant) network interface for registration, the line
> > between EP and the CT gets blurry; we tolerate that blurriness because the
> > distinction is not so much a technical one (the REST server does not care
> > whether the request originates at its network peer, is proxied through there or
> > sent from there on behalf of someone completely different) as long as the
> > credentials are good.
> >
> > Frankly, I'm personally not too happy with distinguishing CTs in the first
> > place; it is more reflective of what I understand to be an industry practice
> > than a distinction in this CoAP application.
> >
> > >    When certificates are used as authorization credentials, the
> > >    sector(s) and endpoint name(s) can be transported in the subject.  In
> > >    an ACE context, those are typically transported in a scope claim.
> > >
> > > As Russ noted in the Gen-ART review, "transported in the subject" is
> > > sufficiently vague to not really be actionable.  It might be better to
> > > say that the holder of the private key corresponding to the public key
> > > certified in the certificate is generally considered authorized to act
> > > on behalf of any identities (including endpoint names) contained in the
> > > certificate's subject name.
> >
> > response:
> >
> > See GENERIC-SUBJECT.
> >
> > > Section 7.1.1
> > >
> > >    Conversely, in applications where the RD does not check the endpoint
> > >    name, the authorized registering endpoint can generate a random
> > >    number (or string) that identifies the endpoint.  The RD should then
> > >
> > > How much entropy/randomness in the random name?  Does a CSPRNG need to
> > > be used?  (I do see the follow-up about doubling the length in case of
> > > failure or starting with a UUID if that's not possible, but some
> > > guidance on where to start still seems appropriate.)
> >
> > respond:
> >
> > There is no requirement here as collisions only result in retries.
> >
> > For those cases where the client implementer thinks they can get away with not
> > implementing retry, UUID URNs are pointed to, which themselves cover the topic.
> >
> > > Section 7.2
> > >
> > >    When lookup clients expect that certain types of links can only
> > >    originate from certain endpoints, then the RD needs to apply
> > >    filtering to the links an endpoint may register.
> > >
> > > As before, how will the RD know what behavior clients are relying on?
> >
> > response:
> >
> > It will not. It may, however, advertise it explicitly. If, for example, an
> > application like LwM2M always ensures trusted endpoint names, the RD may
> > advertise as rt="core.rd-lokup-ep example.lwm2m", and then clients that trust
> > that metadatum (which they'll want to verify from some claim) know they can
> > trust the RD to have checked ep names.
> >
> > See also GENERIC-WHOPICKSMODEL
> >
> > >    An RD may also require that only links are registered on whose anchor
> > >    (or even target) the RD recognizes as authoritative of.  One way to
> > >
> > > I don't think I can parse this sentence (especially "the RD recognizes
> > > as authoritative of").
> >
> > response:
> >
> > Rephrased to "require that links are only registered if the registrant is
> > authorized to publish information about the anchor [...] of the link." in
> > https://github.com/core-wg/resource-directory/pull/294.
> >
> > > Section 8
> > >
> > > In contexts where we discuss DTLS and TLS as being generally comparable,
> > > we typically will state that DTLS replay protection is required in order
> > > to provide equivalent levels of protection.
> >
> > response:
> >
> > This item rippled quite a bit beyond the original response of "Huh? CoAP
> > doesn't already do this? Well, here we need it".
> >
> > As things stand, requiring replay protection make it harder to exploit the
> > issue described at OPEN-REPLAY-FRESHNESS, but once that is addressed for good,
> > replay protection should not be necessary any more for the RD, as all its
> > operations are becoming long-term idempotent.
> >
> > > We might also want to reiterate or refer back to the previous discussion
> > > of the potential for attributes or resource/endpoint names, link
> > > relations, etc. that may need to be confidential, the relevant access
> > > control/filtering, and the avenues by which disclosure of resource names
> > > can occur even when access to those resources will not be permitted.  (I
> > > think some of this overlaps with 8288 and 6690, but don't mind repeating
> > > it.)
> >
> > response:
> >
> > There is a pointer back saying that the necessary access control depends on the
> > protection objectives set in the policies (since
> > https://github.com/core-wg/resource-directory/pull/250).
> >
> > > Section 8.1
> > >
> > > It's probably worth reiterating that all name comparisons must be done
> > > at sector scope (since failing to do so can lead to attacks).
> >
> > response:
> >
> > It is; fixed since https://github.com/core-wg/resource-directory/pull/296.
> >
> > >    Endpoint authentication needs to be checked independently of whether
> > >    there are configured requirements on the credentials for a given
> > >    endpoint name (Section 7.1) or whether arbitrary names are accepted
> > >    (Section 7.1.1).
> > >
> > > I think this is more properly authorization than authentication.
> >
> > response:
> >
> > Yes; fixed in https://github.com/core-wg/resource-directory/pull/271.
> >
> > > Section 8.3
> > >
> > >    attacks.  There is also a danger that NTP Servers could become
> > >    implicated in denial-of-service (DoS) attacks since they run on
> > >    unprotected UDP, there is no return routability check, and they can
> > >    have a large amplification factor.  The responses from the NTP server
> > >    were found to be 19 times larger than the request.  An RD which
> > >
> > > (It's not clear to me why the specific discussion of NTP numbers is
> > > relevant here, since RD is not NTP.)
> >
> > response:
> >
> > The section has been shortened in
> > https://github.com/core-wg/resource-directory/pull/249.
> >
> > > Section 9.3
> > >
> > > Should we also include "rt" in the initial entries?  I see it is used as
> > > a query parameter for resource lookup in the examples in Section 6.3.
> >
> > response:
> >
> > It's used as is any other link attribute. There's no registry for them, and
> > while there's been talk over ond over that it would be nice, I don't think
> > there will be any until linkformat-CoRAL conversion is defined (and even then
> > it may not be comprehensive). Selectively picking some distinguished common
> > link attributes into this registry won't make things less messy.
> >
> > The prime line of defense against this getting messy is the expert guidance
> > that for some types of parameters their short names should be checked against
> > "commonly used target attributes".
> >
> >
> > >    *  indication of whether it can be passed as a query parameter at
> > >       registration of endpoints, as a query parameter in lookups, or be
> > >       expressed as a target attribute,
> > >
> > > (Since this text does not clarify about lookup of endpoints vs.
> > > resources...
> > >
> > >    Review" as described in [RFC8126].  The evaluation should consider
> > >    formal criteria, duplication of functionality (Is the new entry
> > >    redundant with an existing one?), topical suitability (E.g. is the
> > >    described property actually a property of the endpoint and not a
> > >    property of a particular resource, in which case it should go into
> > >    the payload of the registration and need not be registered?), and the
> > >
> > > ... and this text suggests that query parameters for *resource* lookups
> > > need not be registered.)
> > >
> > >    potential for conflict with commonly used target attributes (For
> > >    example, "if" could be used as a parameter for conditional
> > >    registration if it were not to be used in lookup or attributes, but
> > >    would make a bad parameter for lookup, because a resource lookup with
> > >    an "if" query parameter could ambiguously filter by the registered
> > >    endpoint property or the [RFC6690] target attribute).
> > >
> > > Then why do we use it as an example of lookup filtering in Section 6.2?
> >
> > response:
> >
> > The text suggests that target attributes for registered resources need not be
> > registered. These unregistered wild-west attribute names can be used both with
> > resource lookups (matching only resources which), and in endpoint lookups
> > (matching endpoints that contain any resource which).
> >
> > If `if` were to be put in for use in an RD parameter used with lookup, that
> > would not per se create ambiguous queries (the rules would still say "matches
> > either"), but the results would be prone to causing confusion.
> >
> > > Section 10.1.2
> > >
> > > Should we really be using unregistered resource types (i.e., codepoint
> > > squatting) in the examples?
> >
> > response:
> >
> > Addressed together with the earlier code squatting comments in
> > https://github.com/core-wg/resource-directory/pull/266.
> >
> > >    After the filling of the RD by the CT, the application in the
> > >    luminaries can learn to which groups they belong, and enable their
> > >    interface for the multicast address.
> > >
> > > Just to check: the luminaries are learning their own group membership by
> > > querying the resource directory?
> >
> > response:
> >
> > Not directly. They (in this very particular example that seems to be based on
> > industry process but which I'd not necessarily recommend for imitation) use a
> > heuristic to find any multicast URI they might possibly provide, and join that
> > group.
> >
> > > Section 10.2.2
> > >
> > > Please expand MSISDN.
> >
> > response:
> >
> > Taking a step back from this and other comments led to a drastical shortening
> > of the example.
> >
> > See also GENERIC-ODDEXAMPLES
> >
> > > Section 13.2
> > >
> > > I think RFC 7252 should probably be normative.
> > >
> > > Likewise for RFC 8288 ("the query parameter MUST be [...] a token as
> > > used in [RFC8288]").
> >
> > response:
> >
> > RFC7252 (CoAP) and RFC7230 (HTTP) were promoted to a normative reference.
> > (RFC7641 (CoAP observe) wasc left as informative because while they are
> > optional components, RD is not so much specified using them but more happens to
> > combine with them).
> >
> > RFC8288 was also promoted, but not due to the quoted line (that's not
> > implementation relevant but merely setting out rules for the registry
> > operation), but because we explicitly pull it in in terminology and the
> > information model.
> >
> > (Changes in https://github.com/core-wg/resource-directory/pull/307).