Re: [Gen-art] [Id-event] Genart last call review of draft-ietf-secevent-http-poll-09
Dick Hardt <dick.hardt@gmail.com> Tue, 09 June 2020 19:02 UTC
Return-Path: <dick.hardt@gmail.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB39B3A0DBD; Tue, 9 Jun 2020 12:02:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tu1MzYftqBb7; Tue, 9 Jun 2020 12:02:02 -0700 (PDT)
Received: from mail-lf1-x129.google.com (mail-lf1-x129.google.com [IPv6:2a00:1450:4864:20::129]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E9B0B3A0F39; Tue, 9 Jun 2020 12:01:27 -0700 (PDT)
Received: by mail-lf1-x129.google.com with SMTP id c21so13130478lfb.3; Tue, 09 Jun 2020 12:01:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Zsrc1Y1vegc8DpJuapDpl4GxPg4PqelSDS31MSHXNRE=; b=CpTdWD1xU6dJf4H8D3Lh0K7OnD6ygGxH2UqBzjr/gjkZOJFeGWtcEVNqJt3yjvqEVR 5ysOJb2egZpbZ0wxYen90TAkhW3vhid9dA6J2TFne16pIwhDJZLqyilaa8cSABC11mft xWqBqn3ehXT2kKHwxHJviCyb6zmQGKLouJ/BbUWqWQcfMqKox4Byfy0NSTgVZzDFAeab DS6wyZWlFdmfqG9hdoso4E2+rO6P2i2QMKHPzrcs7yzfCgP/+kn07PhT8n12ytiPn67j 8NNV2qUX4Im5qz3hZmHcgmAFrAsGQVbd0dK9QNiH5hAPgKezc504aPFT/kcSe9DFVpdw Ukug==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Zsrc1Y1vegc8DpJuapDpl4GxPg4PqelSDS31MSHXNRE=; b=aoGQxpHH4tPmevIooQIGI6UkCdU9ZDBiH/ELaGzj7h33NrpM9n1bdL0nL3Ksj3YJxF +jLmVd1FuMTkwApwdF+Th31JVEmDiOVdQ3LzNK6BdX1FE4bOFZp4QSdWj0Tm8einfcdS JV+4JXYucoDUlitn67g/ThydarGo8p3RZFgtEsJ9O6vdOggAvd0gZzjXjFOkaiX399GR s0d7ia/RL5kGQ5PehCNXEkYzU/l/3gSLmbWHgvjGFModyPDh8G2W129MYmeZtK4cl02z FSMIOk3qCuOuU7lm/RM1BKOBowhuQlyrl68Uq/6BoR2DNPNGq3ZL+9odvWf5B/4qYlma qftw==
X-Gm-Message-State: AOAM532rMfv69H/qO/HJN0QVaP1IWojry/1ikaWrK6Skhp6vhpzz2O0m 33GPNSmLqelpo1TlxWpH9YDOo3JkmjpicW90G30=
X-Google-Smtp-Source: ABdhPJz0sEUIiHWHQ74vGIZavzSWeclVx4S+4kWeIyEG9IQRjLQM1a/F8mz/riXXe/BGkAQOzjg0unyzKV+oaqvt1T0=
X-Received: by 2002:ac2:489a:: with SMTP id x26mr16256012lfc.111.1591729285738; Tue, 09 Jun 2020 12:01:25 -0700 (PDT)
MIME-Version: 1.0
References: <CH2PR00MB0678026DC6A8BE87C1068B12F5860@CH2PR00MB0678.namprd00.prod.outlook.com> <AB3CE273-1CCE-4A7B-A95B-52A38C78C45C@gmail.com> <CH2PR00MB0678F645A6828D0C1C8986F0F5860@CH2PR00MB0678.namprd00.prod.outlook.com> <E37BB397-D02E-4B26-BAF6-7101D96D156E@gmail.com> <MN2PR00MB0686DEED5B3EFDB8E14E1FB1F5820@MN2PR00MB0686.namprd00.prod.outlook.com>
In-Reply-To: <MN2PR00MB0686DEED5B3EFDB8E14E1FB1F5820@MN2PR00MB0686.namprd00.prod.outlook.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Tue, 09 Jun 2020 12:00:59 -0700
Message-ID: <CAD9ie-u-e9cDiqcT+k1cKKLQhy0vJkNmHA4Hk2ZmMAbyvC+Wtg@mail.gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: Yaron Sheffer <yaronf.ietf@gmail.com>, Robert Sparks <rjsparks@nostrum.com>, "gen-art@ietf.org" <gen-art@ietf.org>, Valery Smyslov <svan@elvis.ru>, "last-call@ietf.org" <last-call@ietf.org>, "draft-ietf-secevent-http-poll.all@ietf.org" <draft-ietf-secevent-http-poll.all@ietf.org>, "id-event@ietf.org" <id-event@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a7b40705a7ab5a7f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/_pXUfk5h6E4El95hq_oZiQwxctg>
Subject: Re: [Gen-art] [Id-event] Genart last call review of draft-ietf-secevent-http-poll-09
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Jun 2020 19:02:06 -0000
There were concerns mandating TLS for any SET as it restricts the use of SET to TLS transports. I would guess the language in the draft-ietf-secevent-http-pull and draft-ietf-secevent-http-poll followed that thinking. I my personal opinion, mandating TLS for HTTP transports is reasonable (which is what the specs in discussion use), and that should be changed in both draft-ietf-secevent-http-pull and draft-ietf-secevent-http-poll /Dick On Mon, Jun 8, 2020 at 6:18 PM Mike Jones <Michael.Jones@microsoft.com> wrote: > I agree that the spec should give clear guidance on whether TLS is > required. People should read Phil Hunt's comments (which I just forwarded > to the list) and consider where we'd like to land in this regard. > > I agree that if we decide to mandate TLS, rather than simply > integrity-protected SETS, we should modify the Section 3 text below: > The SET delivery method described in this specification is based upon > HTTP and HTTP over TLS [RFC2818] and/or standard HTTP authentication > and authorization schemes, as per [RFC7235]. > to remove the "HTTP and". > > Likewise, we'd need to revise 4.3 to remove the non-TLS choice. We can > also revise the first sentence of 4.4.1 to make it clear that 6750 requires > TLS, regardless of other decisions we make. > > Note that some of the language in question is also present in > draft-ietf-secevent-http-push, so we should apply consistent changes there > as well. > > I hope to hear back from the working group with your thoughts this week. > > -- Mike > > -----Original Message----- > From: Yaron Sheffer <yaronf.ietf@gmail.com> > Sent: Friday, June 5, 2020 9:36 AM > To: Mike Jones <Michael.Jones@microsoft.com>; Robert Sparks < > rjsparks@nostrum.com>; gen-art@ietf.org; Valery Smyslov <svan@elvis.ru> > Cc: last-call@ietf.org; draft-ietf-secevent-http-poll.all@ietf.org; > id-event@ietf.org > Subject: Re: [Id-event] Genart last call review of > draft-ietf-secevent-http-poll-09 > > Hi Mike, > > The document is very ambiguous regarding the use of TLS, and frankly I > wish we noticed it earlier. > > - The first sentence of Sec. 3 has TLS as one of two options: "The SET > delivery method described in this specification is based upon HTTP and HTTP > over TLS [RFC2818] and/or standard HTTP authentication and authorization > schemes, as per [RFC7235]. " > > - Similarly in Sec. 4.3, TLS is mentioned as one alternative, not a > requirement: "In such cases, SET Transmitters and SET Recipients MUST > protect the confidentiality of the SET contents by encrypting the SET as > described in JWE [RFC7516], using a transport-layer security mechanism such > as TLS, or both. " > > - Sec. 4.4.1 (first sentence) also treats TLS as conditional. > > My personal opinion is that nowadays we can simply mandate TLS, but I'm > open to discuss it. Whatever the WG chooses, the document needs to be clear > and consistent. > > Thanks, > Yaron > > On 6/5/20, 19:22, "Mike Jones" <Michael.Jones@microsoft.com> wrote: > > That TLS is used is specified in the first sentence of the > introduction at > https://tools.ietf.org/html/draft-ietf-secevent-http-poll-09#section-1. > It's also in the first paragraph of > https://tools.ietf.org/html/draft-ietf-secevent-http-poll-09#section-3. > > The new privacy considerations text was requested by Valery Smyslov in > the SecDir review of push. I also added it here. I did think it was odd > that it was requested when TLS is required, but it seemed harmless to add > it. If you like, I could clarify that this should never occur. > > -- Mike > > -----Original Message----- > From: Yaron Sheffer <yaronf.ietf@gmail.com> > Sent: Friday, June 5, 2020 8:26 AM > To: Mike Jones <Michael.Jones@microsoft.com>; Robert Sparks < > rjsparks@nostrum.com>; gen-art@ietf.org > Cc: last-call@ietf.org; draft-ietf-secevent-http-poll.all@ietf.org; > id-event@ietf.org > Subject: Re: [Id-event] Genart last call review of > draft-ietf-secevent-http-poll-09 > > Hi Mike, > > I'm looking at the latest PR, specifically at the Poll document. I can > see that you changed the text around signing SETs, but I don't see any new > (or existing) text that requires HTTPS as you noted in your response to > Robert. > > I even see this new text "If SETs are transmitted over unencrypted > channels" that confuses me even more. For the latter, maybe you meant > something like: If SETs are transmitted over unencrypted channels while > being processed in an otherwise protected system. > > Thanks, > Yaron > > On 6/5/20, 03:49, "Mike Jones" <Michael.Jones@microsoft.com> wrote: > > Thanks for the quick reply. My responses are inline, prefixed by > "Mike>". > > -----Original Message----- > From: Robert Sparks <rjsparks@nostrum.com> > Sent: Thursday, June 4, 2020 2:51 PM > To: Mike Jones <Michael.Jones@microsoft.com>; gen-art@ietf.org > Cc: last-call@ietf.org; draft-ietf-secevent-http-poll.all@ietf.org; > id-event@ietf.org > Subject: Re: [Id-event] Genart last call review of > draft-ietf-secevent-http-poll-09 > > > On 6/4/20 4:27 PM, Mike Jones wrote: > > Thanks for your review, Robert. I'm working on addressing the > review comments received and wanted to have a clarifying discussion on some > of yours before deciding what corresponding edits to make. > > > > I think there's a misunderstanding about "jti" values and the > security > > model. Because communication is over a TLS-protected channel > > Not always, and that's an important part of my point. > > See the first sentence of section 4.1: > > " In scenarios where HTTP authorization or TLS mutual > authentication > are not used or are considered weak, " > > Mike> Frankly, the text you're citing never seemed very clear or > well motivated to me. It was written by an earlier editor who since > stopped working on the spec. I'm going to just remove it and unambiguously > require HTTPS. > > > between two parties, it would be fine if the JTI values were > totally guessable, such as "A", "B", "C", etc. There's no opportunity for > an attacker to inject traffic into or to listen to the stream. Does that > make sense to you? > _If_ it were never possible for authorization to be weak or for > TLS auth to not be used, then sure. But the exception you call out at 4.1 > exactly allows someone to be an attacker this way. > > > > As for limits on how long a transmitter is required to hold a > SET, I propose to add this text: > > Transmitters may also discard undelivered SETs under > deployment-specific conditions, > > such as if they have not been polled for over too long a > period of time > > or if an excessive amount of storage is needed to retain > them. > That's better, but consider being a bit more specific about "too > long". > > Mike> That's deployment-specific, but I'm open to wording > suggestions. > > > > > -- Mike > > > > -----Original Message----- > > From: Id-event <id-event-bounces@ietf.org> On Behalf Of Robert > Sparks > > via Datatracker > > Sent: Friday, May 8, 2020 11:57 AM > > To: gen-art@ietf.org > > Cc: last-call@ietf.org; > draft-ietf-secevent-http-poll.all@ietf.org; > > id-event@ietf.org > > Subject: [Id-event] Genart last call review of > > draft-ietf-secevent-http-poll-09 > > > > Reviewer: Robert Sparks > > Review result: Ready with Issues > > > > I am the assigned Gen-ART reviewer for this draft. The General > Area Review Team (Gen-ART) reviews all IETF documents being processed by > the IESG for the IETF Chair. Please treat these comments just like any > other last call comments. > > > > For more information, please see the FAQ at > > > > <https://trac.ietf.org/trac/gen/wiki/GenArtfaq>. > > > > Document: draft-ietf-secevent-http-poll-09 > > Reviewer: Robert Sparks > > Review Date: 2020-05-08 > > IETF LC End Date: 2020-05-13 > > IESG Telechat date: Not scheduled for a telechat > > > > Summary: Essentially ready but with some issues to consider > before > > publishing as a Proposed Standard RFC > > > > This document is well-written and easy to follow. > > > > I have a couple of edge-case issues that I think should be > considered though: > > > > This document allows, and anticipates, deployments where > Recipients are not well authenticated. See, for example, the first sentence > of section 4.1. There is also an unstated expectation in the document that > the jti of each SET is hard to guess. If it's reasonably easy to guess jti > values, a malicious Recipient could ack SETs it has never received and the > Transmitter will remove that state, preventing a valid Recipient from ever > receiving that SET. > > > > If that's an explicit requirement in the jwt or SET base > documents for the jti to be hard to guess, please point me to it? If > there's not, perhaps a short discussion in the security considerations > requiring this property would be worthwhile? > > > > Is there a discussion somewhere of how long the transmitter is > required to hold a given SET for a Recipient? Forever seems unreasonable. > > > > > > > > _______________________________________________ > > Id-event mailing list > > Id-event@ietf.org > > https://www.ietf.org/mailman/listinfo/id-event > > > > > ᐧ
- [Gen-art] Genart last call review of draft-ietf-s… Robert Sparks via Datatracker
- Re: [Gen-art] [Id-event] Genart last call review … Mike Jones
- Re: [Gen-art] [Id-event] Genart last call review … Robert Sparks
- Re: [Gen-art] [Id-event] Genart last call review … Mike Jones
- Re: [Gen-art] [Id-event] Genart last call review … Yaron Sheffer
- Re: [Gen-art] [Id-event] Genart last call review … Mike Jones
- Re: [Gen-art] [Id-event] Genart last call review … Yaron Sheffer
- Re: [Gen-art] [Id-event] Genart last call review … Mike Jones
- Re: [Gen-art] [Id-event] Genart last call review … Dick Hardt
- Re: [Gen-art] [Id-event] Genart last call review … Richard Backman, Annabelle
- Re: [Gen-art] [Id-event] Genart last call review … Mike Jones
- Re: [Gen-art] [Id-event] Genart last call review … Phillip Hunt
- Re: [Gen-art] [Id-event] Genart last call review … Mike Jones