Re: [Gen-art] [Id-event] Genart last call review of draft-ietf-secevent-http-poll-09

Yaron Sheffer <yaronf.ietf@gmail.com> Fri, 05 June 2020 15:25 UTC

Date: Fri, 05 Jun 2020 18:25:31 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>, Robert Sparks <rjsparks@nostrum.com>, "gen-art@ietf.org" <gen-art@ietf.org>
CC: "last-call@ietf.org" <last-call@ietf.org>, "draft-ietf-secevent-http-poll.all@ietf.org" <draft-ietf-secevent-http-poll.all@ietf.org>, "id-event@ietf.org" <id-event@ietf.org>
Message-ID: <AB3CE273-1CCE-4A7B-A95B-52A38C78C45C@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/tx9A9jnRjSR5Qqhig4y1Dubz-6o>

Hi Mike,

I'm looking at the latest PR, specifically at the Poll document. I can see that you changed the text around signing SETs, but I don't see any new (or existing) text that requires HTTPS as you noted in your response to Robert.

I even see this new text "If SETs are transmitted over unencrypted channels" that confuses me even more. For the latter, maybe you meant something like: If SETs are transmitted over unencrypted channels while being processed in an otherwise protected system.

Thanks,
	Yaron

On 6/5/20, 03:49, "Mike Jones" <Michael.Jones@microsoft.com> wrote:

    Thanks for the quick reply.  My responses are inline, prefixed by "Mike>".

    -----Original Message-----
    From: Robert Sparks <rjsparks@nostrum.com> 
    Sent: Thursday, June 4, 2020 2:51 PM
    To: Mike Jones <Michael.Jones@microsoft.com>; gen-art@ietf.org
    Cc: last-call@ietf.org; draft-ietf-secevent-http-poll.all@ietf.org; id-event@ietf.org
    Subject: Re: [Id-event] Genart last call review of draft-ietf-secevent-http-poll-09


    On 6/4/20 4:27 PM, Mike Jones wrote:
    > Thanks for your review, Robert.  I'm working on addressing the review comments received and wanted to have a clarifying discussion on some of yours before deciding what corresponding edits to make.
    >
    > I think there's a misunderstanding about "jti" values and the security 
    > model.  Because communication is over a TLS-protected channel

    Not always, and that's an important part of my point.

    See the first sentence of section 4.1:

    "   In scenarios where HTTP authorization or TLS mutual authentication
        are not used or are considered weak, "

    Mike> Frankly, the text you're citing never seemed very clear or well motivated to me.  It was written by an earlier editor who since stopped working on the spec.  I'm going to just remove it and unambiguously require HTTPS.

    > between two parties, it would be fine if the JTI values were totally guessable, such as "A", "B", "C", etc.  There's no opportunity for an attacker to inject traffic into or to listen to the stream.  Does that make sense to you?
    _If_ it were never possible for authorization to be weak or for TLS auth to not be used, then sure. But the exception you call out at 4.1 exactly allows someone to be an attacker this way.
    >
    > As for limits on how long a transmitter is required to hold a SET, I propose to add this text:
    >        Transmitters may also discard undelivered SETs under deployment-specific conditions,
    >        such as if they have not been polled for over too long a period of time
    >        or if an excessive amount of storage is needed to retain them.
    That's better, but consider being a bit more specific about "too long".

    Mike> That's deployment-specific, but I'm open to wording suggestions.

    >
    > 				-- Mike
    >
    > -----Original Message-----
    > From: Id-event <id-event-bounces@ietf.org> On Behalf Of Robert Sparks 
    > via Datatracker
    > Sent: Friday, May 8, 2020 11:57 AM
    > To: gen-art@ietf.org
    > Cc: last-call@ietf.org; draft-ietf-secevent-http-poll.all@ietf.org; 
    > id-event@ietf.org
    > Subject: [Id-event] Genart last call review of 
    > draft-ietf-secevent-http-poll-09
    >
    > Reviewer: Robert Sparks
    > Review result: Ready with Issues
    >
    > I am the assigned Gen-ART reviewer for this draft. The General Area Review Team (Gen-ART) reviews all IETF documents being processed by the IESG for the IETF Chair.  Please treat these comments just like any other last call comments.
    >
    > For more information, please see the FAQ at
    >
    > <https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.
    >
    > Document: draft-ietf-secevent-http-poll-09
    > Reviewer: Robert Sparks
    > Review Date: 2020-05-08
    > IETF LC End Date: 2020-05-13
    > IESG Telechat date: Not scheduled for a telechat
    >
    > Summary: Essentially ready but with some issues to consider before 
    > publishing as a Proposed Standard RFC
    >
    > This document is well-written and easy to follow.
    >
    > I have a couple of edge-case issues that I think should be considered though:
    >
    > This document allows, and anticipates, deployments where Recipients are not well authenticated. See, for example, the first sentence of section 4.1. There is also an unstated expectation in the document that the jti of each SET is hard to guess.  If it's reasonably easy to guess jti values, a malicious Recipient could ack SETs it has never received and the Transmitter will remove that state, preventing a valid Recipient from ever receiving that SET.
    >
    > If that's an explicit requirement in the jwt or SET base documents for the jti to be hard to guess, please point me to it? If there's not, perhaps a short discussion in the security considerations requiring this property would be worthwhile?
    >
    > Is there a discussion somewhere of how long the transmitter is required to hold a given SET for a Recipient? Forever seems unreasonable.
    >
    >
    >
    > _______________________________________________
    > Id-event mailing list
    > Id-event@ietf.org
    > https://www.ietf.org/mailman/listinfo/id-event
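The failure mode Robert raises in his review (a Recipient that is not well authenticated acks SETs it never received, and the Transmitter discards them) and Mike's "A", "B", "C" remark about guessable "jti" values, worked through as an added example. This is constructed illustration code, not code from the draft or from any of the participants: the in-memory Transmitter, the poll/ack request shape, the generator names and the "bind acks to the authenticated recipient" option are all assumptions of the example. It shows three configurations: sequential jti with acks honoured for any queued SET (the victim loses everything to a blind ack flood), random 128-bit jti (blind acks miss), and acks bound to the Recipient that sent them (jti guessability stops mattering).

```python
"""Toy SET poll/ack exchange in the style of draft-ietf-secevent-http-poll.

Constructed example: a Transmitter holds undelivered SETs per Recipient and
removes them when acknowledged. It demonstrates why guessable "jti" values are
dangerous when a Recipient can ack without strong authentication, and two ways
the problem goes away. Names, the in-memory store, and the bind-to-recipient
option are assumptions of this example, not text from the draft.
"""
import itertools
import secrets
from typing import Callable, Dict, List


def sequential_jti() -> Callable[[], str]:
    """Guessable jti generator: "1", "2", "3", ... (the "A", "B", "C" case)."""
    counter = itertools.count(1)
    return lambda: str(next(counter))


def random_jti() -> Callable[[], str]:
    """Unguessable jti: 128 bits from the OS CSPRNG, URL-safe base64."""
    return lambda: secrets.token_urlsafe(16)


class Transmitter:
    """Holds undelivered SETs per Recipient and processes poll/ack requests."""

    def __init__(self, jti_gen: Callable[[], str], bind_acks_to_recipient: bool):
        self.jti_gen = jti_gen
        self.bind = bind_acks_to_recipient
        # recipient -> {jti: SET (represented here as a plain dict, not a JWT)}
        self.pending: Dict[str, Dict[str, dict]] = {}

    def issue(self, recipient: str, event: dict) -> str:
        """Queue a new SET for a Recipient and return its jti."""
        jti = self.jti_gen()
        self.pending.setdefault(recipient, {})[jti] = {"jti": jti, "events": event}
        return jti

    def poll(self, recipient: str, ack: List[str], max_events: int = 10) -> dict:
        """Handle a poll request body {"ack": [...], "maxEvents": n}.

        `recipient` stands for the identity the transport established (HTTPS
        plus HTTP authorization or mutual TLS); in a weakly authenticated
        deployment an attacker can present any value here.
        Returns {"sets": {jti: SET}, "moreAvailable": bool}.
        """
        if self.bind:
            # Hardened: an ack only affects SETs queued for the acking Recipient.
            queue = self.pending.setdefault(recipient, {})
            for jti in ack:
                queue.pop(jti, None)
        else:
            # Vulnerable: any ack removes the SET wherever it is queued, so a
            # Recipient that guesses a jti can discard another Recipient's SET.
            for queue in self.pending.values():
                for jti in ack:
                    queue.pop(jti, None)
        queue = self.pending.setdefault(recipient, {})
        sets = dict(itertools.islice(queue.items(), max_events))
        return {"sets": sets, "moreAvailable": len(queue) > len(sets)}


def run_attack(jti_gen_factory: Callable[[], Callable[[], str]],
               bind: bool, guesses: int = 1000) -> int:
    """Queue three SETs for "victim", let "attacker" blindly ack guessed jtis,
    and return how many of the victim's SETs survive (3 means the attack failed)."""
    tx = Transmitter(jti_gen_factory(), bind)
    for i in range(3):
        tx.issue("victim", {"type": f"event-{i}"})
    # The attacker never polled and never saw a jti; it acks small integers.
    tx.poll("attacker", ack=[str(n) for n in range(1, guesses + 1)])
    return len(tx.poll("victim", ack=[])["sets"])


if __name__ == "__main__":
    print("sequential jti, global acks :", run_attack(sequential_jti, bind=False))
    print("random jti, global acks     :", run_attack(random_jti, bind=False))
    print("sequential jti, bound acks  :", run_attack(sequential_jti, bind=True))
```

The first configuration is the one the review warns about: with "1", "2", "3" as jti values and no binding, a flood of guessed acks from an unauthenticated Recipient empties the victim's queue. Random jti values make blind guessing infeasible, but the more robust design is the third one, where the Transmitter only honours acks for SETs it queued for the Recipient it actually authenticated; that is the property a mandatory HTTPS plus Recipient authentication requirement buys, independent of how jti values are formed.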