[drinks] Stephen Farrell's Discuss on draft-ietf-drinks-spp-protocol-over-soap-07: (with DISCUSS and COMMENT)
"Stephen Farrell" <stephen.farrell@cs.tcd.ie> Thu, 05 February 2015 14:34 UTC
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: The IESG <iesg@ietf.org>
Message-ID: <20150205143342.20868.94024.idtracker@ietfa.amsl.com>
Date: Thu, 05 Feb 2015 06:33:42 -0800
Archived-At: <http://mailarchive.ietf.org/arch/msg/drinks/WAUCFq0HEILNgMXPEmp4ZZbSJr8>
Cc: drinks@ietf.org, drinks-chairs@ietf.org, draft-ietf-drinks-spp-protocol-over-soap.all@ietf.org
Stephen Farrell has entered the following ballot position for
draft-ietf-drinks-spp-protocol-over-soap-07: Discuss

When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)

Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here: http://datatracker.ietf.org/doc/draft-ietf-drinks-spp-protocol-over-soap/

----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

I just want to check one thing...

Section 5: why is there a MUST for Digest auth? What'd be wrong with TLS client auth here? I do wish the WG had considered some alternative to passwords, which don't make so much sense in this use-case. (BTW: You could choose HOBA here I guess, but that's still in the RFC editor queue and not supported by libraries so perhaps doesn't suit. But it'd work. I'm an author of the HOBA spec though, so I'm biased:-)

Anyway - can you tell me if the WG considered dropping passwords entirely and mandating TLS client auth be implemented? If the WG seriously considered TLS client auth already, I'll just clear.

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

- General: why would one want to ever run this protocol without TLS? Did the WG consider saying that TLS MUST be used? Again, if you tell me you thought about it, I'll just clear.

- 7.1.2: The framework uses "Identifier" but here you use "Identity" - it'd be better to be consistent I think and "Identifier" is a lot better.

- section 11 is weaker than the corresponding section in the framework draft. Two things:
  1) why not point back to the framework here?
  2) shouldn't you say which of the vulns/mitigations called out in the framework are relevant or mitigated here?
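The DISCUSS asks what would be wrong with mandating TLS client authentication in place of a Digest password. The following Go program is an added example, not part of this ballot, the DRINKS drafts, or any SPP implementation; it shows what that alternative means in practice: an in-process HTTPS server configured with RequireAndVerifyClientCert refuses a connection that presents no certificate at the TLS layer, before any request reaches the application, and on an authenticated connection the application takes the caller's identity from the verified certificate rather than from a password. The throw-away CA and the subject names ("Example Registry Client CA", "registrar-client-1") are constructed for the example; a real registry would use its own PKI.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"log"
	"math/big"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// issue creates an ECDSA certificate for cn, signed by parent (self-signed when
// parent is nil). Throw-away in-memory PKI, constructed so the example runs offline.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Demo starts a server that requires a client certificate chaining to the
// trusted CA, then makes one request without a certificate and one with it.
// It returns whether the bare request was rejected and the identity the server
// derived from the certificate on the authenticated request.
func Demo() (rejectedWithoutCert bool, identity string, err error) {
	caCert, caKey, err := issue("Example Registry Client CA", true, nil, nil)
	if err != nil {
		return false, "", err
	}
	clientCert, clientKey, err := issue("registrar-client-1", false, caCert, caKey)
	if err != nil {
		return false, "", err
	}
	clientCAs := x509.NewCertPool()
	clientCAs.AddCert(caCert)

	// Server side: the TLS layer verifies the presented chain against ClientCAs
	// before the handler runs, so there is no password to store, guess or replay.
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// PeerCertificates is non-empty here only because RequireAndVerifyClientCert
		// already refused every connection without a valid chain.
		fmt.Fprint(w, r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs:  clientCAs,
		MinVersion: tls.VersionTLS12,
	}
	srv.Config.ErrorLog = log.New(io.Discard, "", 0) // the rejected handshake is expected
	srv.StartTLS()
	defer srv.Close()

	// 1. A client with no certificate: the handshake (or the first read) fails.
	if resp, err := srv.Client().Get(srv.URL); err != nil {
		rejectedWithoutCert = true
	} else {
		resp.Body.Close()
	}

	// 2. A client holding a certificate issued by the trusted CA.
	tr := srv.Client().Transport.(*http.Transport).Clone()
	tr.TLSClientConfig.Certificates = []tls.Certificate{{
		Certificate: [][]byte{clientCert.Raw},
		PrivateKey:  clientKey,
	}}
	resp, err := (&http.Client{Transport: tr}).Get(srv.URL)
	if err != nil {
		return rejectedWithoutCert, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return rejectedWithoutCert, "", err
	}
	return rejectedWithoutCert, strings.TrimSpace(string(body)), nil
}

func main() {
	rejected, id, err := Demo()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("request without client cert rejected: %v\n", rejected)
	fmt.Printf("identity established from client cert: %q\n", id)
}
```

The point the comment about TLS makes applies here too: with ClientAuth set to RequireAndVerifyClientCert there is no cleartext mode to fall back to, because the credential only exists inside the TLS handshake, whereas a Digest password scheme stays usable (and replayable by anyone who can observe it) over plain HTTP.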