IETF Logo Mail Archive

Re: [Id-event] AD review of draft-ietf-secevent-http-push-07

Mike Jones <Michael.Jones@microsoft.com> Fri, 07 February 2020 17:17 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 239D912089C; Fri, 7 Feb 2020 09:17:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.981
X-Spam-Level:
X-Spam-Status: No, score=-1.981 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H0J0LzfuT0d0; Fri, 7 Feb 2020 09:17:19 -0800 (PST)
Received: from NAM06-DM3-obe.outbound.protection.outlook.com (mail-dm3nam06on0714.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe56::714]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 867E31208BD; Fri, 7 Feb 2020 09:17:14 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=HeJU9i3GVT5Q8H20XGnCcDWn+rmrGbBvnwcxcDAJEbLw0qei48wd91P+TS+AKWLMhM1u1Dnxj+vdlj5+maAOLuK7QIao1xyM5OKQU+o1W1su3UVSZbIyu49ZpxckP32pjHcBZnQ9KHaxCnVsfXo3Is+QDxJ3ADJPFph7JjBY6313V3CkIf638V0GRLUoSqhjdUj2B8a6xlMJYiBkTzZZ6V0DiNz/cXOq6Ksz/GYT00iZGdhZQbhY7wTOAjam9T6pqA2ToTG/VMwOrktowFTzT5hBz+uzkZudt2HB0GjrgFjCc9VKLGTMl2gmmAsn/kzV/GL07Yw3qc1R2TGGSmFMtw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ctFRaHg+35xxqZzZ1uZrZn7Rj8IkleDFURYexxL8608=; b=Mamwt86sIeeMsTG3fCkcYkOrSQidjoIyNuhE7IPir53mhoc+RvNMmSb2v4oKKgztlll76IgT6Rwx2dy9F9TqchqxDnKVVRVREaJjXNUvTdQyzbhYHIm3o1dajec2K6J57iYveEKw+KaHDgFqibPZ8M4mtuGutFpWSuOYJGfH5LBb3pcr8bnzFrlE7a9R+B3wIlyga4icTtpfWxVzGeRyCT60KeOLgEZOe8D+z2pr+rvqtethgxVNNi4XKb8PkGLUjqTNvQGEm6sxYVX0n56zBXCCDz2RwNhGu4syo8sSTpriClvk4iplKWPC/fG8ZwKT+4YgfzjcLWwBDwLTCj3OXQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ctFRaHg+35xxqZzZ1uZrZn7Rj8IkleDFURYexxL8608=; b=BjwRDJIZ3i9XGgGdzTLdJ7B/DejOO0X3O5Hlgj+VeOrARINVoY1ztOW/Dvur35X7A8s5uV11w6+lGlJohJwFTSt5MLcQ9q4F/BmPEQI2GiRES34sWfsT1Fm/Q9MDhWP4I6qNio78MDucTw7WI/x8aKrDBK0iHhmM1D0KGtYJvi4=
Received: from DM6PR00MB0682.namprd00.prod.outlook.com (10.141.184.216) by DM6PR00MB0815.namprd00.prod.outlook.com (20.179.166.215) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2747.0; Fri, 7 Feb 2020 17:17:13 +0000
Received: from DM6PR00MB0682.namprd00.prod.outlook.com ([fe80::14b9:506:d536:fd07]) by DM6PR00MB0682.namprd00.prod.outlook.com ([fe80::14b9:506:d536:fd07%9]) with mapi id 15.20.2753.000; Fri, 7 Feb 2020 17:17:12 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Benjamin Kaduk <kaduk@mit.edu>, "draft-ietf-secevent-http-push.all@ietf.org" <draft-ietf-secevent-http-push.all@ietf.org>
CC: "id-event@ietf.org" <id-event@ietf.org>
Thread-Topic: [Id-event] AD review of draft-ietf-secevent-http-push-07
Thread-Index: AdXd2mDJWlTfyiFYQVGb0HMAU2Cn/g==
Date: Fri, 07 Feb 2020 17:17:12 +0000
Message-ID: <DM6PR00MB06820ACC4F7F25AE7042FB5AF51C0@DM6PR00MB0682.namprd00.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=46f2fd5e-5111-43ee-a177-000075b0caa4; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2020-02-07T15:08:42Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47;
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com;
x-originating-ip: [8.46.75.3]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: c8712118-1e57-4d70-e30f-08d7abf19279
x-ms-traffictypediagnostic: DM6PR00MB0815:
x-microsoft-antispam-prvs: <DM6PR00MB081502316A5BC089E567EFA8F51C0@DM6PR00MB0815.namprd00.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0306EE2ED4
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(4636009)(39860400002)(346002)(376002)(366004)(396003)(136003)(189003)(199004)(6506007)(9686003)(53546011)(2906002)(55016002)(30864003)(76116006)(7696005)(4326008)(8990500004)(186003)(26005)(966005)(316002)(52536014)(5660300002)(10290500003)(86362001)(478600001)(81166006)(81156014)(71200400001)(8936002)(33656002)(66446008)(66556008)(64756008)(66946007)(110136005)(66476007)(8676002); DIR:OUT; SFP:1102; SCL:1; SRVR:DM6PR00MB0815; H:DM6PR00MB0682.namprd00.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: CSkWy7J+5ANOLkzSg2577kfOLlNXPzdavwZKPXRuhnvod9DduO3w1Tyb11EamhaYnYGEJiadX04VDLnLV9vs0Sxju8eZehQtbEtCStd9PiPpmv52+zwppRjfnEvZeYZf2D+HY9b4J0arManQbIAfoxgLurgQKOB+YipcsKNVCF3ASrClapqe9IMsmIHdeuSYpQIV3u57OJvkyLPhPdbL9ezLJ9esaB3By5N/yMHjVQQRGxxvVpXa0CI1ZPERFRrJPLTVRz8D62lL5BG3w2XWA2DduIjygR1aXx8nknag90WOrH0B0o3/86JzxtobNW+0PFG05QYxHaxv8UbNyuk8s7dMAiBAKMM5j1GG9sRxPrae2MFcFE8n48DK563gtGkv7lMR0y2YljJcluprlU5h1IVTWwXEanzNMyAYl9pplQrWjgldR+8+cG2G0iaSGndA6fk2KHAH7aR+jMplerF6Dj1z+zhVoLi4gakl+jqyDoD35M+vHQKE3ORw4Kfhyg4ZgxLzMD3yat1Is6asJ+4bWA==
x-ms-exchange-antispam-messagedata: sMbRlL69b9JH+Nnb6jpNl/egXZ2DQB6LcAd8yDDLqrMPbYnzDC6hmTimj1FBWqiMl2jp1Prau0UfN1VjFiZR+zw1p3odF3qItaEiQe1+H8b6HFNR3D+sXvCzooVqjHKq2X5yF0uEqlKrao6SaxSb4g==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_DM6PR00MB06820ACC4F7F25AE7042FB5AF51C0DM6PR00MB0682namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: c8712118-1e57-4d70-e30f-08d7abf19279
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Feb 2020 17:17:12.8009 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 3pCA1pt0aIkyuH6m4xf2dGzBu7Gm9xPKY2l4eb7Hrdg91Iox79nEVWfERvDu5tEFunJaJ9wh2Iek3nbO+u5jTg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR00MB0815
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/BlzC3AMibR0iHWBuH7qLqJjXGHA>
Subject: Re: [Id-event] AD review of draft-ietf-secevent-http-push-07
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Feb 2020 17:17:24 -0000

draft-ietf-secevent-http-push-08<https://tools.ietf.org/html/draft-ietf-secevent-http-push-08> was published to address these review comments.  (-09<https://tools.ietf.org/html/draft-ietf-secevent-http-push-09> addressed additional editorial nits.)  Descriptions of the changes made for these comments are inline, prefixed by "Mike>".



-----Original Message-----
From: Id-event <id-event-bounces@ietf.org> On Behalf Of Benjamin Kaduk
Sent: Tuesday, December 10, 2019 4:36 PM
To: draft-ietf-secevent-http-push.all@ietf.org
Cc: id-event@ietf.org
Subject: [Id-event] AD review of draft-ietf-secevent-http-push-07



Hi all,



Due to the unfortunate delay in AD evaluation from my personal situation, I ended up being able to review push and poll side-by-side; this results in a couple places where we may want to update push with content from poll.  I've tried to keep such comments self-contained in the per-document reviews, though I expect that both authors and I will be consulting both documents during the course of the updates.



I think all of these should be fairly straightforward to address, so hopefully we can kick off IETF LC before the new year.





While I agree with the note in the shepherd writeup that it's appropriate to reference RFC 5246 specifically for TLS 1.2, we probably also want to reference RFC 8446 as the "current generic TLS reference"

at least once.



Mike> Done



Section 1



   A mechanism for exchanging configuration metadata such as endpoint

   URLs and cryptographic key parameters between the transmitter and

   recipient is out of scope for this specification.



I guess "cryptographic key parameters" was intended to be things like JST signing keys, but we could equally be talking about TLS certificates/CAs/DNS-IDs here as well, if we wanted.



Mike> This has been simplified to simply "cryptographic keys".



Section 2



   o  The SET is authentic (i.e., it was issued by the issuer specified

      within the SET).



Does "recipient does not have issuer's public key" just get lumped into the "not authentic" bucket?



Mike> Added "and if signed, was signed by a key belonging to the issuer".



   o  The SET Issuer is recognized as an issuer that the SET Recipient

      is willing to receive SETs from (e.g., the issuer is whitelisted

      by the SET Recipient).



   o  The SET Recipient is willing to accept the SET when transmitted by

      the SET Transmitter (e.g., the SET Transmitter is expected to send

      SETs with the subject of the SET in question).



We call out that we have to trust the issuer in general, and we have to trust the transmitter to send for a given subject, but we don't explicitly say anything about trusting the issuer to issue for that subject.  There are, of course, many scenarios where no such check is possible (e.g., when the subject is identified by the iss/sub pair and not a globally unique 'sub' claim), but perhaps there are cases where such a check is conceivable.  Do we want to say anything about it ("no, because it's too complicated to accurately described" is okay)?



Mike> No, because it's too complicated to easily accurately describe, and doing so would only be a distraction. ;-)



Section 2.1



   The "Content-Type" header of this request MUST be "application/

   secevent+jwt" as defined in Sections 2.2 and 6.2 of [RFC8417], and



I think we mean Sections 2.3 and 7.3 of that document.



Mike> Fixed



   The mechanisms by which the SET Transmitter determines the HTTP

   endpoint to use when transmitting a SET to a given SET Recipient are

   not defined by this specification and are deployment specific.



Any TLS certificate validation procedures (when HTTPS is used) would also be deployment-specific, of course, but do we think it's worth mentioning them here anyway (to seed the idea of using TLS)?



Mike> We talk about TLS validation multiple places already, so it's not clear to me that it would add value to also do so here.



The example in Figure 1 seems to not have an 'events' claim in the transmitted JWT?



Mike> Fixed



Section 2.4



Do we want to say anything about generic error-handling behavior when a SET Transmitter receives an error code that it does not know about (e.g., because that code has been allocated after the software was written)?



Mike> Added the sentence starting "Implementations SHOULD expect that other Error Codes MAY also be received"...



   | authentication_failed | The SET Recipient could not authenticate  |

   |                       | the SET Transmitter from the contents of  |

   |                       | the request.                              |



Are only the contents of the request allowed to be used for authenticating the Transmitter (as opposed to, say, TLS-layer client-certificate authentication)?

(Note that this text also appears in Section 7.1.2.)



Mike> Simplified to "The SET Recipient could not authenticate the SET Transmitter".



Section 3



It might be worth some discussion that for push, HTTP authentication authenticates the transmitter, whereas for poll it authenticates the recipient; workflows that need to authenticate the other party would have to rely on TLS, it seems.



Mike> Much of the text in this section was rewritten to make it simpler and clearer.



   The SET delivery method described in this specification is based upon

   HTTP and depends on the use of TLS and/or standard HTTP

   authentication and authorization schemes, as per [RFC7235].



Maybe reference RFC 2818 for "HTTP over TLS", to get parallelism of references?



Mike> Done



   Because SET Delivery describes a simple function, authorization for

   the ability to pick-up or deliver SETs can be derived by considering

   the identity of the SET Issuer, or via other employed authentication



Presumably this would involve some comparison/relationship between sender and issuer?



Mike> This was in the section that was rewritten for simplicity and clarity.



Also, I'm not sure I understand what is meant by "the ability to pick up SETs".  Is this the implied ability of a non-Issuer Transmitter to obtain the SETs being transmitted?



Mike> That terminology has been removed from the draft.



Section 4



   Delivery reliability requirements may vary from implementation to

   implementation.  This specification defines the response from the SET



Is this more of a per-implementation thing or a per-deployment thing?



Mike> It now says that the reliability requirements depend upon the use case.



   Implementers SHOULD evaluate their reliability requirements and the



(here, too)



Mike> Ditto



   if any, in order to meet their requirements.  SET Transmitters with

   high reliability requirements may be tempted to always retry failed

   transmissions, however it should be noted that for many types of SET



nit: comma after "however" (as well as the existing one before it).



Mike> Fixed



Section 5



We should probably pull in the "HTTP Considerations" subsection from poll.



Mike> Done



I want to see how the discussion goes on poll's "Access Token Considerations" first, but we may want something like that as well.



Mike> Yes, it makes sense to do that



Section 5.1



   In scenarios where HTTP authorization or TLS mutual authentication

   are not used or are considered weak, JWS signed SETs SHOULD be used

   (see [RFC7515] and Security Considerations [RFC8417]).  This enables



nit: I think we want "the Security Considerations of [RFC8417]".



Mike> I reworked this sentence to use normal reference styles.



Section 5.2



RFC 6125 is great and I'm glad we're referencing it, but it does leave a couple of gaps to be specified for a full picture of application usage.

Specifically, we should say what name from the certificate we validate (and, ideally, how the application knows what name it is expecting to see in that name field in the certificate).  Most applications these days will be using the DNS-ID, and perhaps something about wildcards and/or revocation info.  The last time I was making this comment on a document I pointed to RFC 8461 as a potential example to crib from, at least in terms of the types of things to talk about.



Mike> I added DNS-ID.



Section 6



I would have expected to see some form of reminder to encrypt data that needs confidentiality protection, in a privacy considerations section.



Mike> I added the sentence "Furthermore, data that needs confidentiality protection MUST be encrypted, either via TLS or using JSON Web Encryption (JWE), or both" to both drafts.



   If a SET needs to be retained for audit purposes, a JWS signature MAY

   be used to provide verification of its authenticity.



We should probably give the reader a bit more to conect this signature to the privacy considerations in question.



Mike> This sentence actually wasn't about privacy at all, so I deleted it from both drafts.



Section 7.1



   "Security Event Token Delivery Error Codes".  Initial values for the

   Security Event Token Delivery Error Codes registry are given in

   Table 1.  Future assignments are to be made through the First Come



It is a little confusing to say here at the top-level that the initial contents are in Table 1, but then also have Section 7.1.2 with the full initial registration (filling out the template).  I'd suggest to either mention both the table and Section 7.1.2 here, or just Section 7.1.2.



Mike> It now says "Initial values for the Security Event Token Delivery Error Codes registry are defined in <xref target="reqErrors"/> and registered below."



Section 7.1.1



   Change Controller

      For error codes registered by the IETF or its working groups, list

      "IETF SecEvent Working Group".  For all other error codes, list

      the name of the party responsible for the registration.  Contact

      information such as mailing address, email address, or phone

      number may also be provided.



The current thinking from the IESG is that we don't want to lock the immutable RFC into something that might go stale, and since IANA is good at tracking things, we can have them track the right contact-point within the IETF as well.  So, the expected "final state" is that the public registry lists "IETF" as the change controller, with IANA knowing to direct inquiries the WG list (until such time as updated by the IESG).  Thus, the document at this point should say something about "IANA is requested to direct inquiries to the id-event@ietf.org<mailto:id-event@ietf.org> mailing list, and the RFC Editor is requested to remove this sentence prior to publication"  This is something of a recent change, so we'll probably end up making further tweaks along the way, but that should be a good rough start.



Mike> Changed to "IETF".



   Defining Document(s)

      A reference to the document or documents that define the Security

      Event Token Delivery Error Code.  The definition MUST specify the

      name and description of the error code, and explain under what

      circumstances the error code may be used.  URIs that can be used

      to retrieve copies of each document at no cost SHOULD be included.



Is a document of some form required?  That's not consistent with the FCFS policy (as IANA does not want to be in the business of making the technical decision about whether the document qualifies for this purpose); should we be thinking about a Specification Required policy instead (with guidance to the experts to apply a very low bar)?



Mike> It's now "Specification Required".



Section 7.1.2



      Error Code: access_denied

      Description: The SET Transmitter is not authorized to transmit the

      SET to the SET Recipient.



In Table 1 we say "transmit the provided SET" (i.e., "provided" is not present here).  We should be consistent, though I don't really care which phrasing gets used.



Mike> Deleted "provided".



Appendices



It looks like we expect Appendices A and C to be removed before publication, but Appendix B (Acknowledgments) to remain.  Feel free to add the EDITORS NOTE to Appendix C as well.



Mike> Added instructions to the RFC Editor to do so.



-Ben



_______________________________________________

Id-event mailing list

Id-event@ietf.org<mailto:Id-event@ietf.org>

https://www.ietf.org/mailman/listinfo/id-event



Mike> Thanks again, Ben!



                                                       -- Mike

v2.23.0 | Report a Bug | By Email