Re: [eppext] Stephen Farrell's Discuss on draft-ietf-eppext-tmch-smd-04: (with DISCUSS and COMMENT)

Gustavo Lozano <gustavo.lozano@icann.org> Wed, 09 March 2016 18:02 UTC

Return-Path: <gustavo.lozano@icann.org>
X-Original-To: eppext@ietfa.amsl.com
Delivered-To: eppext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D0CF412D85C; Wed, 9 Mar 2016 10:02:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.202
X-Spam-Level:
X-Spam-Status: No, score=-4.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([127.0.0.1]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9JJkKEIVTcul; Wed, 9 Mar 2016 10:02:24 -0800 (PST)
Received: from out.west.pexch112.icann.org (pfe112-ca-2.pexch112.icann.org [64.78.40.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7602412D7C3; Wed, 9 Mar 2016 10:02:24 -0800 (PST)
Received: from PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) by PMBX112-W1-CA-2.pexch112.icann.org (64.78.40.23) with Microsoft SMTP Server (TLS) id 15.0.1130.7; Wed, 9 Mar 2016 10:02:22 -0800
Received: from PMBX112-W1-CA-1.pexch112.icann.org ([64.78.40.21]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([64.78.40.21]) with mapi id 15.00.1130.005; Wed, 9 Mar 2016 10:02:21 -0800
From: Gustavo Lozano <gustavo.lozano@icann.org>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, The IESG <iesg@ietf.org>
Thread-Topic: Stephen Farrell's Discuss on draft-ietf-eppext-tmch-smd-04: (with DISCUSS and COMMENT)
Thread-Index: AQHRei3TFMvNWXALbEqmU069u77+Eg==
Date: Wed, 9 Mar 2016 18:02:20 +0000
Message-ID: <D30603D6.F9DBD%gustavo.lozano@icann.org>
References: <20160215191046.25962.24626.idtracker@ietfa.amsl.com> <D2EB39F0.F50BD%gustavo.lozano@icann.org> <56D9B557.3020001@cs.tcd.ie> <D300AC67.F8C28%gustavo.lozano@icann.org> <56DDA4EC.7040402@cs.tcd.ie>
In-Reply-To: <56DDA4EC.7040402@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.6.1.160122
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [192.0.32.234]
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="B_3540391337_5171983"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/eppext/j_8-Q5eslcPakzUrwFGsASELFAg>
Cc: "draft-ietf-eppext-tmch-smd@ietf.org" <draft-ietf-eppext-tmch-smd@ietf.org>, "nkong@cnnic.cn" <nkong@cnnic.cn>, "eppext@ietf.org" <eppext@ietf.org>, "eppext-chairs@ietf.org" <eppext-chairs@ietf.org>
Subject: Re: [eppext] Stephen Farrell's Discuss on draft-ietf-eppext-tmch-smd-04: (with DISCUSS and COMMENT)
X-BeenThere: eppext@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: EPPEXT <eppext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/eppext>, <mailto:eppext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/eppext/>
List-Post: <mailto:eppext@ietf.org>
List-Help: <mailto:eppext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/eppext>, <mailto:eppext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Mar 2016 18:02:27 -0000

Thank you Stephan, I appreciate your input,

I modified the following paragraph in the introduction section based on
your suggestion, and added the tmch-func-spec I-D to the informative
section. Do you think that the aforementioned changes solve your concerns?

It's worth mentioning that I have not published a newer version of the
I-D, because I want to know your thoughts first.

- - start - -
The detailed policy regarding the public key infrastructure (PKI),
authorized validators, and other requirements must be defined based on the
local policy of the entities using this specification. In the case of
gTLDs, the detailed policy regarding the use of this specification is
defined in the Rights Protection Mechanism Requirements document (see
[ICANN-TMCH]), and the PKI is defined in [I-D.ietf-eppext-tmch-func-spec].
- - end - 


Regards,
Gustavo

On 3/7/16, 15:57, "Stephen Farrell" <stephen.farrell@cs.tcd.ie>; wrote:

>
>Hiya,
>
>On 05/03/16 16:54, Gustavo Lozano wrote:
>> Thank you Stephen,
>> 
>> Comments inline.
>> 
>> Regards,
>> Gustavo
>> 
>> On 3/4/16, 10:18, "Stephen Farrell" <stephen.farrell@cs.tcd.ie>; wrote:
>> 
>>>
>>> Hi Gustavo,
>>>
>>> Sorry for the slow response...
>>>
>>> On 18/02/16 17:20, Gustavo Lozano wrote:
>>>> Thank you for your review Stephen,
>>>>
>>>> Regarding the DISCUSS portion of your email:
>>>>
>>>> Short story: in the case of the gTLD space, the information regarding
>>>> the
>>>> PKI used for validating SMDs is defined here:
>>>> https://tools.ietf.org/html/draft-ietf-eppext-tmch-func-spec-00
>>>> (sections:
>>>> 4.1, 5.1.1.3, 5.1.2.3, 5.2.1, 5.2.2, 5.2.3.1, 5.2.3.2, 5.2.4, 5.2.5,
>>>> 6.2,
>>>> 6.4).
>>>
>>> Sorry, but that is too short a story for me to grok it:-)
>>>
>>>>
>>>> Long story: https://tools.ietf.org/html/draft-ietf-eppext-tmch-smd-04
>>>> (SMD
>>>> draft) was conceived as a draft defining a mapping of the common
>>>> elements
>>>> found in trademark data. The design goal is that the SMD draft
>>>> specification could be used by any entity (e.g. ccTLDs, gTLDs,
>>>>trademark
>>>> validators <-> distribution channel) for mapping the tradermak data.
>>>>The
>>>> organizations using the digitally signed portion of the spec will need
>>>> to
>>>> define a PKI and the policy for that particular use-case scenario.
>>>
>>> Right. The issue is what information about that PKI is needed in this
>>> draft. Without any, all we end up knowing is that the signature bits
>>> are ok, but nothing about their meaning. Now that could be a valid
>>> approach to take, but you'd need to say so and why say what else is
>>> needed to make an implementation of this usable.
>> 
>> draft-ietf-eppext-tmch-smd-04 defines the format of the XML blob. In
>>other
>> words, it should be enough to syntactically validate the XML blob (with
>>or
>> without digital signatures). The definition of the PKI is an exercise
>>for
>> a party that wants to use this format, and digitally sign the XML blob.
>>In
>> the case of the ICANN-TMCH, the PKI is defined in
>> draft-ietf-eppext-tmch-func-spec-00.
>> 
>> 
>> I think that this is explained in the introduction, but the text may
>>need
>> to be tweaked?
>
>Yes. Both the abstract and intro say that this document defines a thing
>called a "digitally signed mark" - some people would consider that to
>define such a thing, you do need to say how it relates to a PKI, or, in
>this case, to say that that is defined elsewhere and point at an example
>of such an elsewhere.
>
>> 
>>>
>>> I'm also puzzled that the func-spec draft you mention above, in
>>> section 5.1.1.3, points to a specific root cert (presumably operated by
>>> icann?). 
>> 
>> Correct, the root cert mentioned in section 5.1.1.3 of
>> draft-ietf-eppext-tmch-func-spec is used for validating the SMDs
>>generated
>> by the ICANN-TMCH.
>> 
>>> Presumably that means that the func-spec is specific to
>>> what ICANN did and plan to do in future with gTLDs and the func-spec
>>> is not meant to be something generic that can be used by e.g. ccTLDs?
>> 
>> Correct, draft-ietf-eppext-tmch-func-spec is specific to what ICANN did
>> for the new gTLD program. An SMD generated by the ICANN-TMCH basically
>> says: a validator using ICANN policies, validated that X is the holder
>>of
>> the mark Y. A ccTLD may want to use the same policies, and use the root
>> cert provided by ICANN for validating the SMDs generated by the
>> ICANN-TMCH. A ccTLD may want to use different policies, use the format
>> defined in draft-ietf-eppext-tmch-smd-04, and if interested in using
>> digital signatures, define its own PKI.
>
>I think you need that information or an equivalent in this document.
>The func-spec reference can be informative and not normative if you need
>to have this document as an RFC before the func-spec. (In that case
>you'd need to say something like "a PKI for using this with new gTLDs
>will also be defined by the EPPEXT WG in [func-spec]".) But I think
>it'd be better if this RFC and the func-spec one popped out together.
>
>>>> In the
>>>> case of new gTLDs, the [ICANN-TMCH]
>>>>
>>>> 
>>>>(<http://newgtlds.icann.org/en/about/trademark-clearinghouse/rpm-requir
>>>>em
>>>> en
>>>> ts-30sep13-en.pdf>) is the document (included by reference in the new
>>>> gTLD
>>>> contracts) defining the policy / technical requirements. The document
>>>> [ICANN-TMCH] links to
>>>> https://tools.ietf.org/html/draft-ietf-eppext-tmch-func-spec-00
>>>
>>> I didn't see any mention of that I-D in [ICANN-TMCH] - are we looking
>>> at the right things?
>> 
>> The draft is mentioned as draft-lozano-tmch-func-spec (see section
>>2.4.1).
>> The draft was renamed as draft-ietf-eppext-tmch-func-spec when the
>>EPPEXT
>> WG accepted it as a WG document.
>
>As I suggested above, I think you need to refer to func-spec from this
>draft. Doing so via the ICANN doc, via an expired I-D seems like a bad
>idea when you can do it directly.
>
>Cheers,
>S.
>
>> 
>> 
>>>
>>>> where the
>>>> technical requirements are specified. For example, a ccTLD may use
>>>>this
>>>> spec with different policy / technical requirements, therefore
>>>> [ICANN-TMCH] / draft-ietf-eppext-tmch-func-spec-00 is just how it was
>>>> done
>>>> in the gTLD space. I included [ICANN-TMCH] to provide the context for
>>>> the
>>>> creation of this spec, an as an example of how it was done for new
>>>> gTLDs.
>>>
>>> Right. The question is what information (about the PKI) is needed for
>>> this to be usable in general.
>>>
>>> Cheers,
>>> S.
>>>
>>>>
>>>> Regarding the COMMENT portion of your email:
>>>>
>>>> - Please see the secdir review [1] which raises a number of
>>>> significant points (including the DISCUSS above) and which
>>>> hasn't as far as I've seen gotten a response (apologies if I
>>>> missed that).
>>>>
>>>>    [1]
>>>> https://www.ietf.org/mail-archive/web/secdir/current/msg06248.html
>>>>
>>>> Gustavo - I think that I resolved all the issues raised in [1] in
>>>> version
>>>> 04 of the draft.
>>>>
>>>> - "precudle" nice:-)
>>>>
>>>>
>>>> Gustavo - I will fix this :).
>>>>
>>>> Regards,
>>>>
>>>> Gustavo
>>>>
>>>> On 2/15/16, 11:10, "Stephen Farrell" <stephen.farrell@cs.tcd.ie>;
>>>>wrote:
>>>>
>>>>> Stephen Farrell has entered the following ballot position for
>>>>> draft-ietf-eppext-tmch-smd-04: Discuss
>>>>>
>>>>> When responding, please keep the subject line intact and reply to all
>>>>> email addresses included in the To and CC lines. (Feel free to cut
>>>>>this
>>>>> introductory paragraph, however.)
>>>>>
>>>>>
>>>>> Please refer to
>>>>> https://www.ietf.org/iesg/statement/discuss-criteria.html
>>>>> for more information about IESG DISCUSS and COMMENT positions.
>>>>>
>>>>>
>>>>> The document, along with other ballot positions, can be found here:
>>>>> https://datatracker.ietf.org/doc/draft-ietf-eppext-tmch-smd/
>>>>>
>>>>>
>>>>>
>>>>> 
>>>>>----------------------------------------------------------------------
>>>>> DISCUSS:
>>>>> 
>>>>>----------------------------------------------------------------------
>>>>>
>>>>>
>>>>> Section 7 points to [ICANN-TMCH] for signature validation policy
>>>>> (I think, not quite sure). I did a quick scan (so I might have
>>>>> missed it) of that document and did not find any mention of
>>>>> security or signature validation, so what is an implementer
>>>>> supposed to do, over and above just checking the cryptographic
>>>>> correctness of the XMLDSIG? Note1: I'm not asking that all of
>>>>> the details of how to construct a PKI for this functionality be
>>>>> documented here, somewhere else is fine, but it doesn't seem to
>>>>> be in [ICANN-TMCH] that I can see, so I don't know what I'd have
>>>>> to implement, that'd get interop. Note2: I'm also not asking for
>>>>> a US-DoD-scale super-huge PKI or RPKI to be specified here,
>>>>> something simpler should work.
>>>>>
>>>>>
>>>>> 
>>>>>----------------------------------------------------------------------
>>>>> COMMENT:
>>>>> 
>>>>>----------------------------------------------------------------------
>>>>>
>>>>>
>>>>> - Please see the secdir review [1] which raises a number of
>>>>> significant points (including the DISCUSS above) and which
>>>>> hasn't as far as I've seen gotten a response (apologies if I
>>>>> missed that).
>>>>>
>>>>>   [1]
>>>>> https://www.ietf.org/mail-archive/web/secdir/current/msg06248.html
>>>>>
>>>>> - "precudle" nice:-)
>>>>>
>>>>>