Re: [Id-event] Review of draft-ietf-secevent-http-push-05

Dick Hardt <dick.hardt@gmail.com> Thu, 11 April 2019 21:09 UTC

Return-Path: <dick.hardt@gmail.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D86F61206EA for <id-event@ietfa.amsl.com>; Thu, 11 Apr 2019 14:09:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IEG0HgNX05sE for <id-event@ietfa.amsl.com>; Thu, 11 Apr 2019 14:09:18 -0700 (PDT)
Received: from mail-pf1-x42c.google.com (mail-pf1-x42c.google.com [IPv6:2607:f8b0:4864:20::42c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 295E3120706 for <id-event@ietf.org>; Thu, 11 Apr 2019 14:09:18 -0700 (PDT)
Received: by mail-pf1-x42c.google.com with SMTP id 188so4026450pfd.8 for <id-event@ietf.org>; Thu, 11 Apr 2019 14:09:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=hlaP37jdlD38avOK0hnyeon5CQ89RBHIStz+RiLr31s=; b=lLhoIHhZ2Vy9b/G+0SBHD06YrM1QlIDMnkFkFPF8p3jujRXEJFrd41Z4d1u4WFtbqF uoKMmTfpCgxqC/YQIfAnGaStA3HKPQYe6pg7vh5oBUUHsQoFfnDmmhauZbSuxBSvJ9vS jHaySRMe0pZdQGiaeLpMdRjA/rgcX+/HVj/EncDg/lbls88hTcS5PgPDp28o62Z5RxKn 2DFoNbYftLtGw5y8OoOTLZ5XtUeUKsf1oMNKBZN27kE9nJxW8rdN8i33Vsgw/vW7jA2H 4QPwLzLGLLoS1sUnywTPY59rIIFDkuT05OJvuDawjefmPfXe7DfJGpd+aL7w8In7pMzn m52Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=hlaP37jdlD38avOK0hnyeon5CQ89RBHIStz+RiLr31s=; b=RSUCNo/4Xde+Cz/3vwv+OT6DkOFzZ8SXGvbE/P5B/mki3NHRytzKkWkuIpDjFhtlKG BoXl1fgtv4b7lOdYik6ATSJw52tkMVKYPL7yj+uRjH1+pWn+IVBjfFW8w8+9Q9sAvt5f ovu/wcFcqNusi4qXjXKhhm4F8Uak9rcouRqYM4nK7DPIL/60mU6iS/nYU5ryp8rmeQcA Ddmk68wmq+2/+KPDussELsa7QGsBWuCBm0+IScP/AKwkQLrixnlxsLsS4/lxYEUSCVKR IVxOB3HU1ouD1/WwhKXbOKyJP36jeZt//SCQxUvOVE4HewKtj/CEGX17PnrNQ/5ePOvZ UsKQ==
X-Gm-Message-State: APjAAAXYDwCo6B+aMDDiaQqjvvaC2OWDvb4PXZfgVakaLchW7pqt54nn OUYT0Ly+TYSscIqRI+s8Sc9Ch4x2MxupioOzWME=
X-Google-Smtp-Source: APXvYqyNFqq+8yXrnqWtc8xKgz9cS3vuQruTcECZ6nyszKB0STid8O+LzAzMrgarH8q2rAKPq7nGDAywL8P1gsY02mI=
X-Received: by 2002:a05:6a00:c1:: with SMTP id e1mr46024247pfj.143.1555016957550; Thu, 11 Apr 2019 14:09:17 -0700 (PDT)
MIME-Version: 1.0
References: <71b9d281-46f9-8bb4-3524-211e5ab7fa55@curity.io>
In-Reply-To: <71b9d281-46f9-8bb4-3524-211e5ab7fa55@curity.io>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Thu, 11 Apr 2019 14:09:06 -0700
Message-ID: <CAD9ie-v0v8vaoc_Tz4EhTz_XKCWQkfdsJ2duySSZpZ52r9rUvg@mail.gmail.com>
To: Mark Dobrinic <mark.dobrinic@curity.io>
Cc: SecEvent <id-event@ietf.org>, Annabelle Richard <richanna@amazon.com>, Yaron Sheffer <yaronf.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000005fe5b90586479916"
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/BJYHpL5NaF2ECO7r1r2muifIgYc>
Subject: Re: [Id-event] Review of draft-ietf-secevent-http-push-05
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Apr 2019 21:09:26 -0000

Mark: thanks for the review and feedback

Annabelle: have you had a chance to review the feedback?

On Wed, Mar 27, 2019 at 3:55 AM Mark Dobrinic <mark.dobrinic@curity.io>
wrote:

> Hi id-event,
>
> Read through draft 05, and here's some of my findings. With the
> disclaimer that I am not fully aware of the historical discussions that
> led to this draft.
>
> - Section 2.0 mentions: "Once a SET has been validated and persisted,
> the SET Recipient SHOULD immediately return a response ..."; there's a
> bit of a gap on what to do when the SET was validated but failed to
> persist. The errors don't (and probably shouldn't?) cover this, as this
> might be considered business logic on the recipient's part? Section 2.2
> talks about "appropriate retention requirements", which is nicely
> formulated. This type of wording might be also snuck in to the language
> of section 2.0's paragraph ("Once the SET has been validated and
> persisted ..")
>
> - Is the `description` field in the error response REQUIRED?
>
> - Is there a reason why the `authentication_failed` failure response
> should not return a HTTP/401 Unauthorized HTTP status code?
>
> - Section 5.1 talks about the SET Issuer being authorized to deliver the
> SET; should this not be the SET Transmitter?
>
> - Section 5.4 on authenticating persisted SETs; Not sure if I understood
> this correctly, but if a SET Transmitter can send a SET that was issued
> by a different SET Issuer, how would the signature verification key be
> resolved to authenticate the SET? 5.4 talks about the SET *Transmitter*
> signing the SET, should this not be the SET *Issuer*? Or is this out of
> scope?
>
> Nitpicks:
> - The sentence above the examples (e.g. in section 2.2) should always
> end with a colon ':' ("The following is ... a SET:"), or end with a
> period '.'. Don't care which, but looks nicer if it's the same
> everywhere. I think only 2.2 falls out of line.
>
> - The text above Figure 5 says "SET Receiver", should be "SET Recipient"
>
> Hope this helps to wrap it up to publication :)
>
>
> --
> Regards,
>
> Mark Dobrinic
> Software Engineer and Identity Specialist
> Curity AB
>
> mark.dobrinic@curity.io
> www.curity.io
>
> _______________________________________________
> Id-event mailing list
> Id-event@ietf.org
> https://www.ietf.org/mailman/listinfo/id-event
>