Re: [COSE] Paul Wouters' Discuss on draft-ietf-cose-countersign-09: (with DISCUSS and COMMENT)
Carsten Bormann <cabo@tzi.org> Fri, 09 September 2022 08:06 UTC
Return-Path: <cabo@tzi.org>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A44F3C14CF10; Fri, 9 Sep 2022 01:06:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.907
X-Spam-Level:
X-Spam-Status: No, score=-6.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OkGQ_MYoGlku; Fri, 9 Sep 2022 01:06:03 -0700 (PDT)
Received: from gabriel-smtp.zfn.uni-bremen.de (gabriel-smtp.zfn.uni-bremen.de [134.102.50.15]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7ACF2C14CF0F; Fri, 9 Sep 2022 01:05:55 -0700 (PDT)
Received: from client-0116.vpn.uni-bremen.de (client-0116.vpn.uni-bremen.de [134.102.107.116]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by gabriel-smtp.zfn.uni-bremen.de (Postfix) with ESMTPSA id 4MP7pm0XKgzDCcq; Fri, 9 Sep 2022 10:05:51 +0200 (CEST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.7\))
From: Carsten Bormann <cabo@tzi.org>
In-Reply-To: <FC9567D0-B3D7-4ED5-BB83-CCCC1A343613@aiven.io>
Date: Fri, 09 Sep 2022 10:05:51 +0200
Cc: Russ Housley <housley@vigilsec.com>, IESG <iesg@ietf.org>, draft-ietf-cose-countersign@ietf.org, Cose Chairs Wg <cose-chairs@ietf.org>, cose <cose@ietf.org>, Michael Richardson <mcr+ietf@sandelman.ca>
X-Mao-Original-Outgoing-Id: 684403551.2316051-cfbfb2a3ba9caae38a3485ccd3be15fb
Content-Transfer-Encoding: quoted-printable
Message-Id: <562FF5D6-B425-4FCA-8203-3CB923FCB552@tzi.org>
References: <E226CF54-4C8C-490A-839A-6B0E3DF34EFC@vigilsec.com> <FC9567D0-B3D7-4ED5-BB83-CCCC1A343613@aiven.io>
To: Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3608.120.23.2.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/TS7bG0GUUeRbGES3_uQ-B67E5eg>
Subject: Re: [COSE] Paul Wouters' Discuss on draft-ietf-cose-countersign-09: (with DISCUSS and COMMENT)
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Sep 2022 08:06:07 -0000
On 2022-09-09, at 02:36, Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org> wrote: > > I am fine with a pointer to a downloadable source which can also contain the commands to install the software. OK. In this case the obvious pointer to use would be https://github.com/cabo/cbor-diag This is a repo that contains the code as well as a README.md with installation instructions (gem install…). > Upon compromise, the pointer can be updated to protect the immutable RFC text. Wether it points to GitHub or IETF or elsewhere doesn’t matter to me. This more useful than a simple “gem install” under the assumption that neither github itself nor the github user cabo will go rogue. (An indirection via the IETF would give the IETF more control, but also more responsibility and possibly some process issues.) Grüße, Carsten > > Paul > > Sent using a virtual keyboard on a phone > >> On Sep 8, 2022, at 16:04, Russ Housley <housley@vigilsec.com> wrote: >> >> >> >>> On Sep 8, 2022, at 1:47 AM, Carsten Bormann <cabo@tzi.org> wrote: >>> >>> On 2022-09-08, at 04:14, Paul Wouters via Datatracker <noreply@ietf.org> wrote: >>>> >>>> ---------------------------------------------------------------------- >>>> DISCUSS: >>>> ---------------------------------------------------------------------- >>>> >>>> gem install cbor-diag >>>> >>>> I am concerned about adding install commands for "programs from the internet" >>>> within an RFC. If the rubygem for some reason becomes malicious, we cannot >>>> pull it from the RFC (even if we pull it from the datatracker link, it would >>>> still live on in copies of the RFC elsewhere and malicious people could point >>>> to copies of those original RFCs to point people to downlod the malicious rubygem. >>>> >>>> I would be okay with an iet.org download location of a ruby gem. >>> >>> “gem install” is the appropriate way to install rubygems software, not a “location of a rubygem”. >>> >>> What you seem to be asking for is some indirection so we can swap out the name of the gem in case cbor-diag becomes rogue. That does make some sense to me, but we’d need to install that indirection somewhere in a place maintained by the IETF. >>> >>> ➔ “Please consult https://www.ietf.org/software/cbor-diag for the way to install this software”. >>> And that page would contain instructions including “gem install cbor-diag” until that goes rogue. >>> >>> Can we get such a infrastructure of pages recommending software up and running? Do we mire ourselves in process issues (who gets change control etc.)? >>> >>> Data point from a quick search: >>> The RFCs that already suggest installing rubygems via a direct “gem install” include RFC 8152, RFC 8610, RFC 9052. >>> >>> (In reality, I’d expect the rubygems organization to act more quickly on a report of cbor-diag going rogue than the IETF would.) >>> >>> Grüße, Carsten >> >> >> Paul: >> >> Are you satisfied with this explanation? Or, would you prefer the pointer to https://www.ietf.org/software/cbor-diag >> >> Russ >> > _______________________________________________ > COSE mailing list > COSE@ietf.org > https://www.ietf.org/mailman/listinfo/cose
- [COSE] Paul Wouters' Discuss on draft-ietf-cose-c… Paul Wouters via Datatracker
- Re: [COSE] Paul Wouters' Discuss on draft-ietf-co… Carsten Bormann
- Re: [COSE] Paul Wouters' Discuss on draft-ietf-co… Russ Housley
- Re: [COSE] Paul Wouters' Discuss on draft-ietf-co… Paul Wouters
- Re: [COSE] Paul Wouters' Discuss on draft-ietf-co… Carsten Bormann
- Re: [COSE] Paul Wouters' Discuss on draft-ietf-co… Russ Housley
- Re: [COSE] Paul Wouters' Discuss on draft-ietf-co… Carsten Bormann
- Re: [COSE] Paul Wouters' Discuss on draft-ietf-co… Russ Housley
- Re: [COSE] Paul Wouters' Discuss on draft-ietf-co… Paul Wouters