Re: [Dots] Designed Expert Guidelines (RE: AD review of draft-ietf-dots-signal-channel-25 (5th Part))
Benjamin Kaduk <kaduk@mit.edu> Wed, 27 February 2019 16:02 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 78457130FFF; Wed, 27 Feb 2019 08:02:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.701
X-Spam-Level:
X-Spam-Status: No, score=-1.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=mit.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2HwUCe48VKXa; Wed, 27 Feb 2019 08:01:59 -0800 (PST)
Received: from NAM04-CO1-obe.outbound.protection.outlook.com (mail-eopbgr690102.outbound.protection.outlook.com [40.107.69.102]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6D5D6130FF4; Wed, 27 Feb 2019 08:01:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mit.edu; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=u57ARN8NA7U42NQjmp/pLPybvfYMG0DPd4l3oW+IoHU=; b=C49Ze6YCcSqW2xnZdka+9ooozbz5bqPYx3Cbge33KxdF3HUSJnPwlDHZ9dBU09j4hXqw/tH9NUFgiaHozVRPOCcQUoqq32eRRKrvVrbwbbZHIkx9hnqHCh1VsswTkGq3DxVDjIPd6oXnvVlDFdNjTE0934k2jPqZTRLUnP429hI=
Received: from SN2PR01CA0062.prod.exchangelabs.com (2603:10b6:800::30) by BN6PR01MB3283.prod.exchangelabs.com (2603:10b6:404:d7::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1643.18; Wed, 27 Feb 2019 16:01:56 +0000
Received: from DM3NAM03FT026.eop-NAM03.prod.protection.outlook.com (2a01:111:f400:7e49::209) by SN2PR01CA0062.outlook.office365.com (2603:10b6:800::30) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1622.19 via Frontend Transport; Wed, 27 Feb 2019 16:01:56 +0000
Authentication-Results: spf=pass (sender IP is 18.9.28.11) smtp.mailfrom=mit.edu; ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=bestguesspass action=none header.from=mit.edu;
Received-SPF: Pass (protection.outlook.com: domain of mit.edu designates 18.9.28.11 as permitted sender) receiver=protection.outlook.com; client-ip=18.9.28.11; helo=outgoing.mit.edu;
Received: from outgoing.mit.edu (18.9.28.11) by DM3NAM03FT026.mail.protection.outlook.com (10.152.82.185) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1643.13 via Frontend Transport; Wed, 27 Feb 2019 16:01:55 +0000
Received: from kduck.mit.edu (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x1RG1q4Y006687 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 27 Feb 2019 11:01:54 -0500
Date: Wed, 27 Feb 2019 10:01:52 -0600
From: Benjamin Kaduk <kaduk@mit.edu>
To: mohamed.boucadair@orange.com
CC: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@mcafee.com>, "draft-ietf-dots-signal-channel@ietf.org" <draft-ietf-dots-signal-channel@ietf.org>, "dots@ietf.org" <dots@ietf.org>
Message-ID: <20190227160151.GM53396@kduck.mit.edu>
References: <787AE7BB302AE849A7480A190F8B93302EA0C5BC@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <787AE7BB302AE849A7480A190F8B93302EA0C5BC@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
User-Agent: Mutt/1.10.1 (2018-07-13)
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:18.9.28.11; IPV:CAL; SCL:-1; CTRY:US; EFV:NLI; SFV:NSPM; SFS:(10019020)(376002)(136003)(396003)(39860400002)(346002)(2980300002)(13464003)(189003)(199004)(52314003)(53754006)(5660300002)(86362001)(356004)(246002)(50466002)(106002)(8936002)(88552002)(2870700001)(229853002)(8676002)(55016002)(6306002)(58126008)(54906003)(2906002)(305945005)(33656002)(47776003)(36906005)(786003)(316002)(478600001)(1076003)(30864003)(6916009)(486006)(7696005)(76176011)(26826003)(126002)(476003)(956004)(966005)(11346002)(106466001)(14444005)(5024004)(446003)(104016004)(23756003)(6246003)(2351001)(26005)(186003)(336012)(53416004)(75432002)(426003)(4326008)(18370500001); DIR:OUT; SFP:1102; SCL:1; SRVR:BN6PR01MB3283; H:outgoing.mit.edu; FPR:; SPF:Pass; LANG:en; PTR:outgoing-auth-1.mit.edu; MX:1; A:1;
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 50b8afa8-5afc-4dd7-c0bf-08d69ccce5ce
X-Microsoft-Antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(4608103)(4709054)(2017052603328)(7153060); SRVR:BN6PR01MB3283;
X-MS-TrafficTypeDiagnostic: BN6PR01MB3283:
X-MS-Exchange-PUrlCount: 1
X-Microsoft-Exchange-Diagnostics: 1; BN6PR01MB3283; 20:4Lixg2uFAz0VivbK0+eB2ljUEBY53cnD+HEC0kslzvoqMzfwgEvK1xnU0+zoLwfzwv6UZoENALULfLTbfXgRMP+OfHU7OasCGLvTgAtfFqQmxXT1eR3RcSxA6rgU5z/De+gF/ke1cL15XG1+zObo//ZkT2ryAigfGRbtz2/FrpsVA3xS5GNIzfxzy9NlEz7/jAlV3B9KJFslRVl7FWWz8CjtwhPsyj1+3i5+es9Ryg3af20gPm0W+khajdTabPAT5BJoayY6lKGnKVNTQnQcV4aSUUNhAyjtwFqLO9dSknYe+vGU0lBDjrg8hf2xJvDHt/mHu65yxNJxY1Pafzxs9amiS2qt947+Cr9euE3F6Tlu/NMJ3V48nHk/IfYREnBMKj2pWwuybIdEXQWm+GaBI3aVIzZS6zEwODd+qBA9kZZkO6AhH9zsAttJSWRzgW11KrT/qnDAT3IpcvwTwYHzhSyVBldgJcTwfloDwdRf10yxsvDDsMmMYZm8zY/J5djH87B8LeXJjzEOFsTpzh22ffI3ISMB0n3YoX8r5hvv2BA34rH+Jler5LllO+sIkpEzJphhMmYwDaESUI2nSV5YleOaIQUYfkj5zcJICe/W9XI=
X-Microsoft-Antispam-PRVS: <BN6PR01MB32836A85590A5A48BC792EC7A0740@BN6PR01MB3283.prod.exchangelabs.com>
X-Forefront-PRVS: 0961DF5286
X-Microsoft-Exchange-Diagnostics: 1; BN6PR01MB3283; 23:DCx0wsqe4r6Tx1N3e3H+HAKMeFqWYcImm5TWw1pNrJmOWJnqCipWn8/mSiIQZXbU3nL7ro/twsschbASoF7EZoT5o7Q1c/k7vCGghrpemfKAIb3nr+9PAgEag40TBmRs2ovAZWQix6qVrokgRW9MMVkb1Z657pFN04iyRitKLO6JwxYXoZSvpFazxqGsZxrJRygKTpNtDhERM29d8E2Jvg7EMKwiRDnMXcTNrYO+f4JnT471CEtMvANJG/Hf6HdZTsQkFwh/4ln/NJnkEVfoWj1t9hdEGVIqLVKxO+U85YFiNHLC4DBdlWXlznwbOyfteqEqSG96TH+i91S4iyUgsBSFlPXLRjSFDlzNYj1rsyooxTOA//inBS2YLdYOBGs6Bb4/bavpdjllavXd4RLMWbu+VqXbtI1c9FJzDnGIfGIOki3mbWQQYNjfuby6XNvcPiGx5pv68Wc48omXZJ6c9oTXHXMgp77LxJ1ZY7pihVI2GhByca5JCMKgArcLLyYYLe/1GT/YfH4EhXGsw+izqHX2ve+2rd5KdY8OtOeXeLSgxBhKHZXOF4J6cP01T/CAsk3dH03kZi0qxuNbkrj4B6dvxytPc369BqSdMrKnbNpqWeDROaqPAeE+1yEqP77hf8gji+TkOZWQvVwrGhqRc13ooq0pSloD4kV6lk7WJ9317qrgdSt81PSlUO8KOpKcPaz+T1EdyZyfSBPU2D67VSvc2QOmLM/zuwX7xuxe7Pmr1F/dF5yPajhqmztr9q6YxK0m7mTWJ8SXqsBbQRgFX7HTFlb+lsLey18oOecRwANKUFNVBUGW4apk53IwU1q1iqLDDfg4PvF3eQIAsI4K6Bsd3FBfZ5ZjVHApQkIWavMtg5Ms87bQO6u/Y8vv7sbXnWHYqZuMAEZaDd2jNHT5a+fXi3FXjboFvdxAblUjHDl9cDeVvJMXliaenv8RggnrPnYXmrchzBExWjSexgoC4E/QWEiSaGrBaiXRdyFk5Qh3pPcq78wF+/09ncOA12/yNK8S4lcFl6afS/TXsj4KxLJ/KtCRNMgffCwLF8K3W+J3NyIOwD0v098JflWWkBdBwGn2LfFkQsgPnbR+ukg4JLuVx8FFbon8bfoCOfWrewfXQpijSzLeS4wa3amtgedXoiqFq+6qFp2aRSEusp/5jQFcQlGzOQuCALgyT+PZjGVURDicUMsC7BT6g+YpdynclQyyzj4DD30KTlrpQeTHU1wcsK3Bw+5Tuylh7P81pg9O6vQSLnW9KR76uFga5ZFLc9rAx5476FswBnum+uT9FdhwjsD2+4iKPjZT9qKhQosABcg1M6SqLGuJN53gfkX2
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Message-Info: /qzM6CnK6W3zMFQcuh0wtYLasm1cEjLA8rlSphFHQf3exrhAE/X+ubh74quNbKZVcWXYDZCnrlnbJgXE2nrmxQOJyNz6u5pdrc+gbollB1wywBYNDZ1okIw48gPDQ/5rYSmlg2v4pZ4aFSFxfPOqCDpCngEBY5lxV4u8oG82um+7yQwALDSlIHhCDILVLu+8QJiqSfdj5SnPRmSQEZbU5FMltUI39NNcdZtmJW3h8eGmL6Lp4JgSGVHRQMKPxle+LdZ9G5QfVDz50/9WLdlS44FCPAXhlMQAo0xrGjctyGosmubgve5dTklnT6TcVsDJgV5kzHIFc+EM9GTkDZzb/P5CudKv0qz82z5b+YMacoaxxVmlm1Kq8Onqdxsz421sbCzUA9YjRyeHB/bR5druuytZOlqXITgUqwetfR483b0=
X-OriginatorOrg: mit.edu
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 27 Feb 2019 16:01:55.8024 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 50b8afa8-5afc-4dd7-c0bf-08d69ccce5ce
X-MS-Exchange-CrossTenant-Id: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=64afd9ba-0ecf-4acf-bc36-935f6235ba8b; Ip=[18.9.28.11]; Helo=[outgoing.mit.edu]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR01MB3283
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/HZTqBn_kXN8ZUWiYccAc3GOCRdQ>
Subject: Re: [Dots] Designed Expert Guidelines (RE: AD review of draft-ietf-dots-signal-channel-25 (5th Part))
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Feb 2019 16:02:03 -0000
Thanks! This is similar text to what's been floating around for a while in a handful of documents; subsequent real-world experience with the procedure has revealed that it's helpful to be very clear in the document about what the entrypoint is for someone requesting a new registration. For many of the existing registries, the expected procedure is "person making registration request sends email to the named list" (as opposed to filling out IANA's webform and having IANA send mail to the list), so we could consider adding some text like "New registration requests should be sent in the form of email to the review mailing list. IANA will only accept new registrations from the Designated Experts, and will check that review was requested on the mailing list in accordance with these procedures." -Ben On Wed, Jan 23, 2019 at 12:15:27PM +0000, mohamed.boucadair@orange.com wrote: > Hi Ben, > > I implemented this change in my local copy: > > OLD: > CBOR Key Value: > Key value for the parameter. The key value MUST be an integer in > the 1-65535 range. The key values of the comprehension-required > range (0x0001 - 0x3FFF) and of the comprehension-optional range > (0x8000 - 0xBFFF) are assigned by IETF Review [RFC8126]. The key > values of the comprehension-optional range (0x4000 - 0x7FFF) are > assigned by Designated Expert [RFC8126] and of the comprehension- > optional range (0xC000 - 0xFFFF) are reserved for Private Use > [RFC8126]. > > NEW: > CBOR Key Value: > Key value for the parameter. The key value MUST be an integer in > the 1-65535 range. The key values of the comprehension-required > range (0x0001 - 0x3FFF) and of the comprehension-optional range > (0x8000 - 0xBFFF) are assigned by IETF Review (Section 4.8 of > [RFC8126]). The key values of the comprehension-optional range > (0x4000 - 0x7FFF) are assigned by Specification Required > (Section 4.6 of [RFC8126]) and of the comprehension-optional range > (0xC000 - 0xFFFF) are reserved for Private Use (Section 4.1 of > [RFC8126]). > > Registration requests for the 0x4000 - 0x7FFF range are evaluated > after a three-week review period on the dots-signal-reg- > review@ietf.org mailing list, on the advice of one or more > Designated Experts. However, to allow for the allocation of > values prior to publication, the Designated Experts may approve > registration once they are satisfied that such a specification > will be published. Registration requests sent to the mailing list > for review should use an appropriate subject (e.g., "Request to > register CBOR Key Value: example"). > > Within the review period, the Designated Experts will either > approve or deny the registration request, communicating this > decision to the review list and IANA. Denials should include an > explanation and, if applicable, suggestions as to how to make the > request successful. Registration requests that are undetermined > for a period longer than 21 days can be brought to the IESG's > attention (using the iesg@ietf.org mailing list) for resolution. > > Criteria that should be applied by the Designated Experts includes > determining whether the proposed registration duplicates existing > functionality, whether it is likely to be of general applicability > or whether it is useful only for a single use case, and whether > the registration description is clear. IANA must only accept > registry updates to the 0x4000 - 0x7FFF range from the Designated > Experts and should direct all requests for registration to the > review mailing list. It is suggested that multiple Designated > Experts be appointed. In cases where a registration decision > could be perceived as creating a conflict of interest for a > particular Expert, that Expert should defer to the judgment of the > other Experts. > > Cheers, > Med > > > -----Message d'origine----- > > De : mohamed.boucadair@orange.com [mailto:mohamed.boucadair@orange.com] > > Envoyé : mardi 22 janvier 2019 08:16 > > À : Benjamin Kaduk > > Cc : Konda, Tirumaleswar Reddy; draft-ietf-dots-signal-channel@ietf.org; > > dots@ietf.org > > Objet : RE: [Dots] AD review of draft-ietf-dots-signal-channel-25 (5th Part) > > > > Hi Ben, > > > > Please see inline. > > > > Cheers, > > Med > > > > > -----Message d'origine----- > > > De : Benjamin Kaduk [mailto:kaduk@mit.edu] > > > Envoyé : lundi 21 janvier 2019 19:11 > > > À : BOUCADAIR Mohamed TGI/OLN > > > Cc : Konda, Tirumaleswar Reddy; draft-ietf-dots-signal-channel@ietf.org; > > > dots@ietf.org > > > Objet : Re: [Dots] AD review of draft-ietf-dots-signal-channel-25 (5th > > Part) > > > > > > On Mon, Jan 21, 2019 at 03:37:38PM +0000, mohamed.boucadair@orange.com > > wrote: > > > > Re-, > > > > > > > > Please see inline. > > > > > > > > Cheers, > > > > Med > > > > > > > > > -----Message d'origine----- > > > > > De : Benjamin Kaduk [mailto:kaduk@mit.edu] > > > > > Envoyé : lundi 21 janvier 2019 16:10 > > > > > À : BOUCADAIR Mohamed TGI/OLN > > > > > Cc : Konda, Tirumaleswar Reddy; draft-ietf-dots-signal- > > channel@ietf.org; > > > > > dots@ietf.org > > > > > Objet : Re: [Dots] AD review of draft-ietf-dots-signal-channel-25 (5th > > > Part) > > > > > > > > > > On Mon, Jan 21, 2019 at 07:31:28AM +0000, mohamed.boucadair@orange.com > > > wrote: > > > > > > Hi Ben, all, > > > > > > > > > > > > Please see inline. > > > > > > > > > > > > Cheers, > > > > > > Med > > > > > > > > > > > > > -----Message d'origine----- > > > > > > > De : Konda, Tirumaleswar Reddy > > > > > [mailto:TirumaleswarReddy_Konda@McAfee.com] > > > > > > > Envoyé : samedi 19 janvier 2019 07:32 > > > > > > > À : Benjamin Kaduk; BOUCADAIR Mohamed TGI/OLN > > > > > > > Cc : draft-ietf-dots-signal-channel@ietf.org; dots@ietf.org > > > > > > > Objet : RE: [Dots] AD review of draft-ietf-dots-signal-channel-25 > > > (5th > > > > > Part) > > > > > > > > > > > > > > Hi Ben, > > > > > > > > > > > > > > Please see inline > > > > > > > > > > > > > > > -----Original Message----- > > > > > > > > From: Dots <dots-bounces@ietf.org> On Behalf Of Benjamin Kaduk > > > > > > > > Sent: Saturday, January 19, 2019 2:33 AM > > > > > > > > To: mohamed.boucadair@orange.com > > > > > > > > Cc: draft-ietf-dots-signal-channel@ietf.org; dots@ietf.org > > > > > > > > Subject: Re: [Dots] AD review of draft-ietf-dots-signal-channel- > > 25 > > > (5th > > > > > > > Part) > > > > > > > > > > > > > > > > This email originated from outside of the organization. Do not > > > click > > > > > links > > > > > > > or > > > > > > > > open attachments unless you recognize the sender and know the > > > content > > > > > is > > > > > > > safe. > > > > > > > > > > > > > > > > Hi all, > > > > > > > > > > > > > > > > Thanks for all the edits and the published -27. > > > > > > > > Assuming I'm actually caught up on all the review/response > > threads, > > > I > > > > > think > > > > > > > > we're pretty close to being able to go to IETF LC -- here's what > > I > > > see > > > > > as > > > > > > > still left: > > > > > > > > > > > > > > > > - We need to settle the risk of needing normative downrefs called > > > out > > > > > for > > > > > > > > the last call > > > > > > > > > > > > [Med] I updated the text to: > > > > > > * cite 7618/7624 as normative (+ indicate that a similar mechanism to > > > false > > > > > start may also be defined for DTLS). > > > > > > * tweak the TFO text to maintain it as informative. > > > > > > > > > > Sounds good. > > > > > > > > > > > > > - I just noticed while reviewing the diff that we also need to > > say > > > a > > > > > > > > little more about (D)TLS 1.3 0-RTT data (more below) > > > > > > > > - It looks like we lost the guidance to the Experts and text > > about > > > the > > > > > > > > review mailing list from the IANA Considerations, during the > > > > > reshuffling > > > > > > > > around having IANA manage more things > > > > > > > > > > > > > > > > > > > > [Med] That was on purpose. We would like to rely on RFC8126 rules for > > > > > deigned expert reviews. > > > > > > > > > > I'm not sure I understand this -- 8126 explicitly says that documents > > > > > should provide guidance to the designated expert on what to look for > > and > > > > > what is grounds for rejecting a request. > > > > > > > > > > > > > [Med] What I meant is that the text we used to have in -25 is generic, > > and > > > IMHO does not bring new guidelines to what is discussed in Section 5 of > > 8126. > > > > > > I think there can still be value in repeating the "general applicability, > > > clarity of description, etc. language. (But it would be even better to > > > come up with some guidance that is tightly tailored to DOTS, if we can.) > > > > [Med] I tried, actually. It is indeed when I rechecked 8126 that I found that > > text is generic. Seeking for expert reviews will be done via IANA, which is > > familiar with the process of soliciting experts. > > > > Moreover, I found a bug in the text because it does not apply to the range > > requiring IETF review, but only to a the comprehensive-optional range. > > > > > And the text about the mailing list and how to format registration requests > > > is definitely not covered in 8126! > > > > [Med] that mailing list is likely to include the designed experts. This is > > why I thought it is simple to let IANA decide how to reach out designed > > expert(s) once assigned. > > > > Anyway, I can reinsert the text if you still think it brings value. > > > > > > > > > > > > > Regarding the (D)TLS 1.3 0-RTT data, RFC 8446 notes that > > > "Application > > > > > > > > protocols MUST NOT use 0-RTT data without a profile that defines > > > its > > > > > use. > > > > > > > > That profile needs to identify which messages or interactions are > > > safe > > > > > to > > > > > > > use > > > > > > > > with 0-RTT and how to handle the situation when the server > > rejects > > > 0- > > > > > RTT > > > > > > > and > > > > > > > > falls back to 1-RTT." So we either need to say which client > > > requests > > > > > are > > > > > > > 0-RTT > > > > > > > > safe (and why) or defer that profile to another document. draft- > > > ietf- > > > > > > > dnsop- > > > > > > > > session-signal is perhaps an example of a document that specifies > > > which > > > > > > > > messages are/aren't allowed in early data. > > > > > > > > (draft-ietf-acme-acme is another, but an uninteresting one, since > > > they > > > > > make > > > > > > > > every request include a single-use nonce, and all messages are 0- > > > RTT > > > > > safe.) > > > > > > > > Our use of increasing 'mid' values may help here, in terms of > > > allowing > > > > > > > DELETEs > > > > > > > > to be safe, but I'd have to think a little more to be sure that > > > > > requesting > > > > > > > > mitigation would be safe. (On first glance the session- > > managemnet > > > bits > > > > > > > would > > > > > > > > not be safe, but I may be missing something.) > > > > > > > > > > > > > > The draft only uses idempotent requests (GET, PUT and DELETE), and > > > CoAP > > > > > is > > > > > > > capable of detecting message duplication (see > > > > > > > https://tools.ietf.org/html/rfc7252#section-4.5) for both > > confirmable > > > and > > > > > > > non-confirmable messages. > > > > > > > [1] An attacker replaying DELETE will not have any adverse impact, > > > 2.02 > > > > > > > (Deleted) Response Code is returned even if the mitigation request > > > does > > > > > not > > > > > > > exist. > > > > > > > [2] The techniques discussed in Section 8 of RFC8446 should suffice > > > to > > > > > handle > > > > > > > anti-replay (e.g. an attacker replaying a 0-RTT data carrying an > > old > > > > > > > mitigation request replaced by a new mitigation scope). > > > > > > > > > > > > > > > > > > > [Med] FWIW, we do already have this text in the draft: > > > > > > > > > > > > Section 8 of [RFC8446] discusses some mechanisms to implement > > to > > > > > > limit the impact of replay attacks on 0-RTT data. If the DOTS > > > > > > server accepts 0-RTT, it MUST implement one of these > > mechanisms. > > > > > > A DOTS server can reject 0-RTT by sending a TLS > > > HelloRetryRequest. > > > > > > > > > > (As I noted in my reply to Tiru, we need a more explicit statement.) > > > > > > > > > > > > > [Med] OK. If the assessment is confirmed, we can update the text as > > > follows: > > > > > > > > Section 8 of [RFC8446] discusses some mechanisms to implement to > > > > limit the impact of replay attacks on 0-RTT data. If the DOTS > > > > server accepts 0-RTT, it MUST implement one of these mechanisms. > > > > A DOTS server can reject 0-RTT by sending a TLS HelloRetryRequest
- [Dots] Designed Expert Guidelines (RE: AD review … mohamed.boucadair
- Re: [Dots] Designed Expert Guidelines (RE: AD rev… Benjamin Kaduk
- Re: [Dots] Designed Expert Guidelines (RE: AD rev… mohamed.boucadair