Re: [Id-event] SecEvent draft minutes - IETF-101 (London)
"Richard Backman, Annabelle" <richanna@amazon.com> Mon, 09 April 2018 23:12 UTC
Return-Path: <prvs=630787089=richanna@amazon.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C387312D87C for <id-event@ietfa.amsl.com>; Mon, 9 Apr 2018 16:12:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -11.81
X-Spam-Level:
X-Spam-Status: No, score=-11.81 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazon.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f9PKeKBMuAS0 for <id-event@ietfa.amsl.com>; Mon, 9 Apr 2018 16:12:46 -0700 (PDT)
Received: from smtp-fw-6001.amazon.com (smtp-fw-6001.amazon.com [52.95.48.154]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9660C12D87B for <id-event@ietf.org>; Mon, 9 Apr 2018 16:12:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1523315565; x=1554851565; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=uhwtNYwHxysNGf1z7coM526T/dIJHHqvka2Zasme0Vk=; b=WBdxfGHl+u4Nd5Zxpy2P6jJn0TwAsB9ZBP/UnynKY1Lp8qieui6mkH6Q /DFAir4KG3UKCWtBZKPmD4V80MTQQ9CY+8joNEzRUySSTdWp2mU0ypXXu XDvd8O2pEsFjEc7eF/MKvhCSEAZTPkiZuGMrT61OAKV6XbNDomhoHevQ7 4=;
X-IronPort-AV: E=Sophos;i="5.48,429,1517875200"; d="scan'208,217";a="339140450"
Received: from iad6-co-svc-p1-lb1-vlan3.amazon.com (HELO email-inbound-relay-1e-c7c08562.us-east-1.amazon.com) ([10.124.125.6]) by smtp-border-fw-out-6001.iad6.amazon.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 09 Apr 2018 23:12:44 +0000
Received: from EX13MTAUWC001.ant.amazon.com (iad55-ws-svc-p15-lb9-vlan3.iad.amazon.com [10.40.159.166]) by email-inbound-relay-1e-c7c08562.us-east-1.amazon.com (8.14.7/8.14.7) with ESMTP id w39NCaXD006693 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 9 Apr 2018 23:12:41 GMT
Received: from EX13D11UWC001.ant.amazon.com (10.43.162.151) by EX13MTAUWC001.ant.amazon.com (10.43.162.135) with Microsoft SMTP Server (TLS) id 15.0.1236.3; Mon, 9 Apr 2018 23:12:41 +0000
Received: from EX13D11UWC004.ant.amazon.com (10.43.162.101) by EX13D11UWC001.ant.amazon.com (10.43.162.151) with Microsoft SMTP Server (TLS) id 15.0.1236.3; Mon, 9 Apr 2018 23:12:40 +0000
Received: from EX13D11UWC004.ant.amazon.com ([10.43.162.101]) by EX13D11UWC004.ant.amazon.com ([10.43.162.101]) with mapi id 15.00.1236.000; Mon, 9 Apr 2018 23:12:40 +0000
From: "Richard Backman, Annabelle" <richanna@amazon.com>
To: Marius Scurtescu <mscurtescu@google.com>, Dick Hardt <dick.hardt@gmail.com>
CC: SecEvent <id-event@ietf.org>, Yaron Sheffer <yaronf.ietf@gmail.com>, Michael Jones <michael.jones@microsoft.com>, John Bradley <ve7jtb@ve7jtb.com>, "Morteza Ansari (moransar)" <moransar@cisco.com>, Phil Hunt <phil.hunt@oracle.com>
Thread-Topic: [Id-event] SecEvent draft minutes - IETF-101 (London)
Thread-Index: AQHTw3iMl4iiFtAU20meGE2ddLR7oKPoRRCAgABepICAEGlxAIAAC+GAgAAAnYCAAAI1gIAAAHWA//+X7AA=
Date: Mon, 09 Apr 2018 23:12:40 +0000
Message-ID: <447DFE9A-81C5-456F-8EFD-31422F7F6DAC@amazon.com>
References: <02e701d3c299$9c421e40$d4c65ac0$@smyslov.net> <bb8221b8-4403-1de4-5c98-43f518389f44@gmail.com> <09566560-11CA-435A-87F4-CFCBC6F889F3@oracle.com> <MW2PR00MB0298F59B5ECA2B577AF50272F5A10@MW2PR00MB0298.namprd00.prod.outlook.com> <80A4E085-96B1-40F6-86F7-EF5B96F2195A@ve7jtb.com> <750C6979-4CBE-4D66-B40B-764FF1B0EAB4@cisco.com> <CAD9ie-vgOr0HX2DWFN=Aa4d4R31pkXmkbH7+0rDoma9Uts=G5w@mail.gmail.com> <CAGdjJp+tdLeGG=UtC7qgQdk6SLFRH4zvtoehL1zSX9vxAO5x8w@mail.gmail.com> <CAGdjJp+gA_EKYD+r6NQ4TDcoyx_LMvwyP3drb818eDV2dwxiwA@mail.gmail.com>
In-Reply-To: <CAGdjJp+gA_EKYD+r6NQ4TDcoyx_LMvwyP3drb818eDV2dwxiwA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.b.0.180311
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.43.162.175]
Content-Type: multipart/alternative; boundary="_000_447DFE9A81C5456F8EFD31422F7F6DACamazoncom_"
MIME-Version: 1.0
Precedence: Bulk
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/BOP0OW6SNeoxkcU16dwQYHpJfeo>
Subject: Re: [Id-event] SecEvent draft minutes - IETF-101 (London)
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.22
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Apr 2018 23:12:51 -0000
I don’t see how keeping them in one document makes things easier for the implementer. It just makes it harder to tell what is required for HTTP Push versus what is required for HTTP Poll. But we’ve already had this discussion – we spent a good half of the London session on it, Yaron called a vote, and found consensus for splitting the document. So far I haven’t seen any arguments for or against splitting that weren’t presented in London. So why are we reopening this? Could the chairs please clarify as to whether the consensus in favor of splitting the document still holds? -- Annabelle Richard Backman Amazon – Identity Services From: Id-event <id-event-bounces@ietf.org> on behalf of Marius Scurtescu <mscurtescu@google.com> Date: Monday, April 9, 2018 at 3:26 PM To: Dick Hardt <dick.hardt@gmail.com> Cc: SecEvent <id-event@ietf.org>, Yaron Sheffer <yaronf.ietf@gmail.com>, Michael Jones <michael.jones@microsoft.com>, John Bradley <ve7jtb@ve7jtb.com>, "Morteza Ansari (moransar)" <moransar@cisco.com>, Phil Hunt <phil.hunt@oracle.com> Subject: Re: [Id-event] SecEvent draft minutes - IETF-101 (London) Oh, and not to mention that no one could confidently show how can you specify two delivery methods in one document and not have both MTI. Marius On Mon, Apr 9, 2018 at 3:23 PM, Marius Scurtescu <mscurtescu@google.com<mailto:mscurtescu@google.com>> wrote: Agreed, having two different protocols in one document makes it more complicated for implementers (or anyone trying to wrap their head around what they need). And again, with one document we are unnecessarily slowing one and rushing the other delivery method. Marius On Mon, Apr 9, 2018 at 3:15 PM, Dick Hardt <dick.hardt@gmail.com<mailto:dick.hardt@gmail.com>> wrote: So someone needs to read about two methods instead of just the one that the profile says they need to read? Seems simpler for someone to read a Push spec if all they need is to do Push, instead of having to read a spec that describes both, and then trying to decipher which aspects are relevant for them. On Mon, Apr 9, 2018 at 3:13 PM, Morteza Ansari (moransar) <moransar@cisco.com<mailto:moransar@cisco.com>> wrote: I definitely agree that we shouldn't specify an MTI at the protocol spec. I think each profile should be specifying that as part of the profile definition and semantics. And if we don’t have an MTI at the protocol document, I think we are much better off with a single protocol document covering different protocols in the same document. It will be all in one place for developer to choose, much easier to maintain the common language common and not let them diverge, and we could even describe scenarios one would be preferred over the other as hints and suggestion to the developers. Cheers, Morteza On 4/9/18, 2:31 PM, "Id-event on behalf of John Bradley" <id-event-bounces@ietf.org<mailto:id-event-bounces@ietf.org> on behalf of ve7jtb@ve7jtb.com<mailto:ve7jtb@ve7jtb.com>> wrote: I think splitting the drafts was an attempt to get around declaring one or the other method MTI. Clearly due to deployment constraints many people will only be able to do one or the other. Having them both in the same draft would be best if we don’t wind up having to declare one or both MTI. John B. > On Mar 30, 2018, at 7:53 AM, Mike Jones <michael.jones@microsoft.com<mailto:michael.jones@microsoft.com>> wrote: > > I agree with Phil that having separate push and pull delivery drafts would be a mistake. Many participants will end up implementing both modalities. Having them both in one draft will help keep them as common as possible - preventing unnecessary and possibly unintended drift between them. > > Also, as I said at the microphone in London, I think we'll have a much easier time with the IESG taking one draft forward with two closely related delivery modalities defined, rather that two different delivery drafts. I fear that if we try to get approval for two drafts, we might receive DISCUSS feedback saying "pick one". > > For what it's worth (and to inform people who weren't in the room), my personal sense was that the hums weren't conclusive. Most of them had significant portions of people humming for both positions. In short, my (personal) sense was there wasn't clear consensus demonstrated to split the delivery draft. I think the topic needs more discussion on the list. > > Best wishes, > -- Mike > > -----Original Message----- > From: Id-event <id-event-bounces@ietf.org<mailto:id-event-bounces@ietf.org>> On Behalf Of Phil Hunt > Sent: Thursday, March 29, 2018 10:15 PM > To: Yaron Sheffer <yaronf.ietf@gmail.com<mailto:yaronf.ietf@gmail.com>> > Cc: SecEvent <id-event@ietf.org<mailto:id-event@ietf.org>> > Subject: Re: [Id-event] SecEvent draft minutes - IETF-101 (London) > > Regarding the hums, I think they may be premature. In part, because there is a unifying draft proposal available now. > > When we formed the group the sole purpose was a common format and a single delivery draft for all cases. > > Several ietf people complained in Argentina about yet another pub sub system the ietf does not need. > > Another comment was made not to follow the route stix/taxii made in developing multiple incompatible methods of delivery. > > If we split the draft we will have 3 methods not two(including Backchannel). > > I worry this will lead to delay from rejection down the road. This should be clarified first. > > I worry with multiple methods, profilers will develop their own undermining the point of this work. > > Maybe I stand alone here, but I think splitting is a mistake. > > Phil > >> On Mar 24, 2018, at 8:00 AM, Yaron Sheffer <yaronf.ietf@gmail.com<mailto:yaronf.ietf@gmail.com>> wrote: >> >> Thank you Valery for taking the minutes. All, please let us know if anything is incorrect or missing. >> >> In addition, we had a series of hums on the SET Delivery draft. Per IETF process, we need to validate them on the list. So if you weren't in the room and you have a major objection to the results of these hums, please speak up. I do suggest that before doing so, you review the actual recorded meeting: https://urldefense.proofpoint.com/v2/url?u=https-3A__www.youtube.com_watch-3Fv-3Dr0hbpQqsN6s&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=bZnIUtQK2S3enqQ3E8wJZHxLExg0UyssjEM1UAJ18jw&s=VbJxhADDKAULj3hrOYI1cbC5A8hEmFIesTvuGzkkOP0&e=. >> >> IETF 101 London Friday 23 March 2018 9:30 - 11:30 >> >> [Yaron] (WG status update, agenda bashing) [Annabelle] asks for 10 >> minutes for discussion >> >> [Mike] (presents Security Event Token draft update) >> >> [Annabelle] (presents SET Token delivery using HTTP draft) [Mike] >> Microsoft needs for both POLL and PUSH [Phil] Redefining smth in HTTP >> may cause problems [William] Return codes are only for browsers to >> display messages for users [Phil] It's needed for resending in case of >> error (?) [Annabelle] What is MTI - push or poll? >> [Phil] With PUSH happened immediately... >> [Leif] What is MTI for server or for client? >> [William] Each option has an explicit use case [Yaron (as chair)] We >> need to have only one preferred option [Phil] There are very different >> cases [Phil] Push is simple, but in terms of applicability it's not a >> long term use case [Annabelle] There use cases for both [Phil] Take >> two and then abandon one [William] Why does the chair require a single >> MTI [Leif] It's from chair's experience, WG consensus needed [William] >> We have use cases for both [Mike] Procedurally it's better to keep >> both methods in one draft [Yaron] Having two methods complicates the >> description which method is for which situation etc. >> [William] Still have interoperability issue for receiver [Yaron] Need >> to resolve this [Leif] WG should decide [Ben as AD] If the WG doesn't >> select a single method the IESG would probably object [Annabelle] SET >> will probably be profiled for different use cases [Yaron] Is going to >> make hums about selecting a single delivery method and whether we need >> to split the draft [John] What is hum about - mandatory to implement or to deploy? >> [Leif] We should analyze scenarios >> [Annabelle] The protocol are unidirectional, so MTI for >> transmitter/receiver is problematic [Justin] No negotiation, either it >> is or not, MTI for the receiver is dictated by what the receiver >> supports [Phil] They both must be able HTTP, the roles can be changed >> [Leif] Confusion between MTI and to deploy, a good question - select >> MTI for transmitter [Annabelle] Every transmitter should have both >> [Tero] Minimal implementation requires one, bigger may have both, >> single MTI is better then two for limited devices [Annabelle] IoT >> implementers have special requirement [William] They are application >> specific, we expected profile this [Yaron] Hum if we need a single MTI >> for transmitter - silence Later edit: Clearly no support for a single MTI. >> [Justin] Hum must be for multiple discrete options [Yaron] Hum on use >> cases for two methods - some hums [Yaron] Hum if both should be MTI - >> some hums [Yaron] Hum if should not specify MTI - some hums Later >> edit: room was split between two MTIs and no MTIs. >> [Annabelle] We should split the spec >> [Justin] Agree to split the spec >> [Justin] I hummed for both MTI for transmitter, because they are not >> usually constrained [Annabelle] SET is possibly to be used w/o HTTP, >> this is only MTI for those using HTTP; both MTI is problematic because >> implementers will do unnecessary stuff [William] If both are MTI, we >> need 2 specs [John] Splitting the spec is the best way [Mike] If >> split, then the information for developers will be duplicated [Ben] >> Why single document better (?) [Mike] My experience with JOSE >> [Annabelle] Significant overlap between documents is SET, otherwise >> little commonality Later edit: existing editors volunteered to take Push-specific doc, Annabelle and Mike volunteered to work on Poll. >> [from jabber] Little commonality between two methods [Mike] We'll do >> both, we have use cases for both [Yaron] Hum if split documents - some >> long hums [Yaron] Hum if one document - some hums [Yaron] Room is in >> favor of splitting the documents [Yaron] Wrap up: no MTI, split the >> document into two, transmitter implements either or both >> >> [Annabelle] (presenting Subject Identifier Types) [Mike] 3rd party >> specifications cannot establish IANA registry [Leif] IANA Expert? >> [Ben] FCFS, doesn't need Expert, or specification required [Leif] I >> support this idea [William] I also support [Yaron] Any objections to >> adopt this document? No objections, publish as WG document >> >> [Annabelle] Expiration ("exp") claim is not recommended; however it >> has some value [Mike] It's a layering violation; problems with caching >> [Annabelle] We're not talking about caching, you don't want to grow >> anti-replay database forever, having expiration helps [Phil] The past >> doesn't expire, it's up to receiver how to use it, caching doesn't make sense [Yaron] What about replay protection? >> [Mike] JTI helps to detect replay (?) [from jabber] Transport should >> deal with replay [John] Expiry is expected to mean that token should >> not be processed after that, it's not an indication that information >> is no longer valid [Mike] It must not be mandatory [Annabelle] >> Currently the draft says it's not recommended [Mike] We have to allow it to be optional because of the need to distinguish from access tokens. >> [Ben] Some use case when processing expired token (?) [John] Have an >> explicit expire for JTI, there are other solutions [Phil] I prefer to >> add a new attribute to SET, not changing ... >> [Yaron] The document in LC, smaller changes are OK without blocking the doc's progress. >> [Phil] Replay and caching are different for PUSH and POLL, prefer to >> see in HTTP header [Brian] Expiration is not necessary, receiver has >> policy to follow [Annabelle] No-one is advocating using exp for >> caching [from jabber] JTI expiration belongs to JTI not to transport >> [Yaron] We're not ready to have hum, room thinks there is an issue, please work through it on the list. >> >> [Phil] Presents his SSTP Delivery draft - symmetric transport >> protocol, parameters used in requests and response are same [Phil] We >> would change optionality from two methods to a single one, may be a compromise [Yaron] The protocol was only published yesterday, so we are not ready to discuss now. >> >> [Meeting adjourned.] >> >> _______________________________________________ >> Id-event mailing list >> Id-event@ietf.org<mailto:Id-event@ietf.org> >> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mail >> man_listinfo_id-2Devent&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65 >> eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=bZnIUtQK2S3en >> qQ3E8wJZHxLExg0UyssjEM1UAJ18jw&s=bm9Kqkwb8W8ClkdHFvnnH60BmArjysl02dP_3 >> TAjwew&e= > > _______________________________________________ > Id-event mailing list > Id-event@ietf.org<mailto:Id-event@ietf.org> > https://www.ietf.org/mailman/listinfo/id-event > > _______________________________________________ > Id-event mailing list > Id-event@ietf.org<mailto:Id-event@ietf.org> > https://www.ietf.org/mailman/listinfo/id-event _______________________________________________ Id-event mailing list Id-event@ietf.org<mailto:Id-event@ietf.org> https://www.ietf.org/mailman/listinfo/id-event _______________________________________________ Id-event mailing list Id-event@ietf.org<mailto:Id-event@ietf.org> https://www.ietf.org/mailman/listinfo/id-event _______________________________________________ Id-event mailing list Id-event@ietf.org<mailto:Id-event@ietf.org> https://www.ietf.org/mailman/listinfo/id-event
- [Id-event] SecEvent draft minutes - IETF-101 (Lon… Yaron Sheffer
- Re: [Id-event] SecEvent draft minutes - IETF-101 … Phil Hunt
- Re: [Id-event] SecEvent draft minutes - IETF-101 … Phil Hunt
- Re: [Id-event] SecEvent draft minutes - IETF-101 … Mike Jones
- Re: [Id-event] SecEvent draft minutes - IETF-101 … Yaron Sheffer
- Re: [Id-event] SecEvent draft minutes - IETF-101 … Benjamin Kaduk
- Re: [Id-event] SecEvent draft minutes - IETF-101 … John Bradley
- Re: [Id-event] SecEvent draft minutes - IETF-101 … Marius Scurtescu
- Re: [Id-event] SecEvent draft minutes - IETF-101 … John Bradley
- Re: [Id-event] SecEvent draft minutes - IETF-101 … Morteza Ansari (moransar)
- Re: [Id-event] SecEvent draft minutes - IETF-101 … Dick Hardt
- Re: [Id-event] SecEvent draft minutes - IETF-101 … Marius Scurtescu
- Re: [Id-event] SecEvent draft minutes - IETF-101 … Marius Scurtescu
- Re: [Id-event] SecEvent draft minutes - IETF-101 … Richard Backman, Annabelle
- Re: [Id-event] SecEvent draft minutes - IETF-101 … Yaron Sheffer