Re: [Id-event] AD review of draft-ietf-secevent-http-poll-06

Mike Jones <Michael.Jones@microsoft.com> Mon, 27 April 2020 23:51 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: "richanna@amazon.com" <richanna@amazon.com>, Benjamin Kaduk <kaduk@mit.edu>
CC: "draft-ietf-secevent-http-poll.all@ietf.org" <draft-ietf-secevent-http-poll.all@ietf.org>, "id-event@ietf.org" <id-event@ietf.org>
Date: Mon, 27 Apr 2020 23:51:01 +0000
Message-ID: <CH2PR00MB0678EBDCC46668DCE8DFD1F3F5AF0@CH2PR00MB0678.namprd00.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/3u5kga2IVZvcaROjQGFm355I8IE>

Thanks for the edits you made, Annabelle.  Do we also want to delete this text from Poll before publishing, per Ben's suggestion?

      <t>
        Authorization for the eligibility to provide actionable SETs can be determined by
        using the identity of the SET Issuer,
        validating the polling endpoint URL, perhaps using TLS,
        or via other employed authentication methods.
        Among other benefits, authentication can help prevent denial-of-service attacks.
        Because SETs are not commands, SET Recipients are free to ignore SETs that
        are not of interest after acknowledging their receipt.</t>

				-- Mike

-----Original Message-----
From: Mike Jones 
Sent: Friday, April 24, 2020 7:12 PM
To: 'Benjamin Kaduk' <kaduk@mit.edu>; richanna@amazon.com
Cc: draft-ietf-secevent-http-poll.all@ietf.org; id-event@ietf.org
Subject: Re: [Id-event] AD review of draft-ietf-secevent-http-poll-06

Thanks Ben.  I think the DDOS text can be dropped from Poll.  I'll do that early next week.

				Thanks again,
				-- Mike

-----Original Message-----
From: Benjamin Kaduk <kaduk@mit.edu> 
Sent: Friday, April 24, 2020 5:53 PM
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: draft-ietf-secevent-http-poll.all@ietf.org; id-event@ietf.org
Subject: [EXTERNAL] Re: [Id-event] AD review of draft-ietf-secevent-http-poll-06

Hi Mike,

Thanks for the updates, and I continue to be sorry for the long response times.

Poll is in quite good shape (well, I guess it's mostly just that -push is taking the brunt of the work for harmonizing the differences in text); just a couple more changes to make and we should be good to start the IETF LCs in parallel.  I'll again trim the resolved bits.

In Section 3 we have a note about DoS protections embedded in a larger block of text:

   Authorization for the eligibility to provide actionable SETs can be
   determined by using the identity of the SET Issuer, validating the
   polling endpoint URL, perhaps using TLS, or via other employed
   authentication methods.  Among other benefits, authentication can
   help prevent denial-of-service attacks.  Because SETs are not
   commands, SET Recipients are free to ignore SETs that are not of
   interest after acknowledging their receipt.

I am not 100% sure, but I think this may have been text that originates before the split of documents, and in push got extracted and made into a separate section.  Does it still make sense here?  The DoS risk would typically be for a server getting lots of inbound connections, but there's not quite as clear a case for (client) authentication helping with that for poll, since the client is not sending huge amounts of stuff that would need to be dropped.  Am I misunderstanding the intent here, or should the sentence just get dropped?

On Fri, Feb 07, 2020 at 05:18:04PM +0000, Mike Jones wrote:
> draft-ietf-secevent-http-poll-07<https://tools.ietf.org/html/draft-ietf-secevent-http-poll-07> was published to address these review comments.  (-08<https://tools.ietf.org/html/draft-ietf-secevent-http-poll-08> addressed additional editorial nits.)  Descriptions of the changes made for these comments are inline, prefixed by "Mike>".
> 
> -----Original Message-----
> From: Id-event <id-event-bounces@ietf.org> On Behalf Of Benjamin Kaduk
> Sent: Tuesday, December 10, 2019 4:37 PM
> To: draft-ietf-secevent-http-poll.all@ietf.org
> Cc: id-event@ietf.org
> Subject: [Id-event] AD review of draft-ietf-secevent-http-poll-06
> 
> Section 3
> 
> Since poll has the TLS server as the SET Transmitter, we could potentially pull in RFC 6125 and talk about validating DNS-IDs to authenticate the Transmitter.  Given that the name to be authenticated would be part of the information conveyed out-of-band, though, it's not entirely clear how much value there would be in doing so.
> 
> Mike> As in Push, this section was formerly poorly worded, and has largely been rewritten.

As for -push, I'd really like to be able to say something about the other half of the name comparison.  In this case would it be something like "discovery of SET Transmitters (and the names used to authenticate them) is out of scope for this document"?

Thanks for the updates,

Ben
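As an added illustration of the RFC 6125 DNS-ID check Ben raises above (the poll client, i.e. the SET Recipient, authenticating the SET Transmitter's TLS server against a name learned out of band, which is what "validating the polling endpoint URL, perhaps using TLS" amounts to), the following Python is example code written for this thread, not text or code from the draft. The certificate contents, host names and function names are constructed; the certificate is shaped like what `ssl.SSLSocket.getpeercert()` returns.

```python
# Added example (not from draft-ietf-secevent-http-poll): comparing the DNS-IDs a
# SET Transmitter presents in its TLS certificate with the reference identifier the
# SET Recipient was configured with out of band, per RFC 6125 section 6.4.
# All names below are constructed for illustration.

def match_dns_id(reference: str, presented: str) -> bool:
    """RFC 6125 6.4.3 comparison of one presented DNS-ID against the reference name."""
    ref = reference.lower().rstrip(".").split(".")
    pres = presented.lower().rstrip(".").split(".")
    if "" in ref or "" in pres:          # empty label: malformed name, never matches
        return False
    if "*" not in presented:
        return ref == pres                # case-insensitive, label-by-label equality
    # A wildcard is only honoured as the entire left-most label, it matches exactly
    # one label (never across a dot), and, stricter than RFC 6125 requires, it must
    # leave at least two literal labels so a name like "*.com" is refused.
    if pres[0] != "*" or any("*" in lbl for lbl in pres[1:]) or len(pres) < 3:
        return False
    return len(ref) == len(pres) and ref[1:] == pres[1:]


def transmitter_dns_ids(cert: dict) -> list:
    """DNS-IDs from a certificate dict in the shape ssl.SSLSocket.getpeercert() returns."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def verify_transmitter(cert: dict, reference: str) -> bool:
    """True only if some subjectAltName dNSName matches the configured reference name.
    No fallback to the subject CN is attempted (RFC 6125 6.4.4 deprecates it)."""
    return any(match_dns_id(reference, dns_id) for dns_id in transmitter_dns_ids(cert))


# Constructed certificate fields, as getpeercert() would present them for a
# hypothetical Transmitter serving SETs under two names.
SAMPLE_CERT = {
    "subject": ((("commonName", "transmitter.example.com"),),),
    "subjectAltName": (("DNS", "transmitter.example.com"),
                       ("DNS", "*.sets.example.net")),
}

if __name__ == "__main__":
    # The reference identifier comes from the Recipient's configuration, never from
    # the polling response itself; that is the "other half" of the name comparison.
    print(verify_transmitter(SAMPLE_CERT, "transmitter.example.com"))    # True
    print(verify_transmitter(SAMPLE_CERT, "a.feed.sets.example.net"))    # False
```

In a live poll client the same comparison is what the TLS library performs when the configured name is passed as `server_hostname` to `SSLContext.wrap_socket()` with `check_hostname` enabled; the functions above make the rule visible on constructed input.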