Re: [Id-event] Roman Danyliw's No Objection on draft-ietf-secevent-http-push-12: (with COMMENT)
Roman Danyliw <rdd@cert.org> Thu, 25 June 2020 12:23 UTC
Return-Path: <rdd@cert.org>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FBD83A0976; Thu, 25 Jun 2020 05:23:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ud1RcPtH3zea; Thu, 25 Jun 2020 05:23:50 -0700 (PDT)
Received: from veto.sei.cmu.edu (veto.sei.cmu.edu [147.72.252.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9FF343A0972; Thu, 25 Jun 2020 05:23:49 -0700 (PDT)
Received: from korb.sei.cmu.edu (korb.sei.cmu.edu [10.64.21.30]) by veto.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 05PCNla9020141; Thu, 25 Jun 2020 08:23:47 -0400
DKIM-Filter: OpenDKIM Filter v2.11.0 veto.sei.cmu.edu 05PCNla9020141
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1593087828; bh=40HH43MrHCsJz2ae6bd6ZOxN9rDvQcoK1dUtzpueC8c=; h=From:To:CC:Subject:Date:References:In-Reply-To:From; b=HhQYlk8EdxddQAxd/Rc7k/kcrxNLzKdAfqpXzqqfhrRQnNcEM2L6m+Gpzieg5BrV3 gGpB7A3htqpO0RSVupeESSd44JIhM3pFUpMPLFW8kZ2hi3AUF+wIRKEoLK6zwP8EGE m5uJ3wXV2+chN7CgqFsh/te5CwFsZ3sHTVVNUrsE=
Received: from CASSINA.ad.sei.cmu.edu (cassina.ad.sei.cmu.edu [10.64.28.249]) by korb.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 05PCNlaX017061; Thu, 25 Jun 2020 08:23:47 -0400
Received: from MURIEL.ad.sei.cmu.edu (147.72.252.47) by CASSINA.ad.sei.cmu.edu (10.64.28.249) with Microsoft SMTP Server (TLS) id 14.3.487.0; Thu, 25 Jun 2020 08:23:46 -0400
Received: from MORRIS.ad.sei.cmu.edu (147.72.252.46) by MURIEL.ad.sei.cmu.edu (147.72.252.47) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1979.3; Thu, 25 Jun 2020 08:23:46 -0400
Received: from MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb]) by MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb%13]) with mapi id 15.01.1979.003; Thu, 25 Jun 2020 08:23:46 -0400
From: Roman Danyliw <rdd@cert.org>
To: Mike Jones <Michael.Jones@microsoft.com>, The IESG <iesg@ietf.org>
CC: "draft-ietf-secevent-http-push@ietf.org" <draft-ietf-secevent-http-push@ietf.org>, "secevent-chairs@ietf.org" <secevent-chairs@ietf.org>, "id-event@ietf.org" <id-event@ietf.org>, Yaron Sheffer <yaronf.ietf@gmail.com>
Thread-Topic: Roman Danyliw's No Objection on draft-ietf-secevent-http-push-12: (with COMMENT)
Thread-Index: AdZKsywd/cMs0ZZ54UywuQi06LW6uAAODhuw
Date: Thu, 25 Jun 2020 12:23:45 +0000
Message-ID: <03a320f4ceb546eda4aa9a0690da6f9a@cert.org>
References: <CH2PR00MB067866D9FEC8D94045A2CBC0F5920@CH2PR00MB0678.namprd00.prod.outlook.com>
In-Reply-To: <CH2PR00MB067866D9FEC8D94045A2CBC0F5920@CH2PR00MB0678.namprd00.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.201.72]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/RegRRhjlTSIJauCUgy12bLQKBk4>
Subject: Re: [Id-event] Roman Danyliw's No Objection on draft-ietf-secevent-http-push-12: (with COMMENT)
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Jun 2020 12:23:53 -0000
Hi Mike! Thanks for the clarifications below and the updated text now in -13. It addresses all of my comments. Regards, Roman > -----Original Message----- > From: Mike Jones <Michael.Jones@microsoft.com> > Sent: Thursday, June 25, 2020 1:41 AM > To: Roman Danyliw <rdd@cert.org>; The IESG <iesg@ietf.org> > Cc: draft-ietf-secevent-http-push@ietf.org; secevent-chairs@ietf.org; id- > event@ietf.org; Yaron Sheffer <yaronf.ietf@gmail.com> > Subject: RE: Roman Danyliw's No Objection on draft-ietf-secevent-http-push- > 12: (with COMMENT) > > Thanks for your review, Roman. https://tools.ietf.org/html/draft-ietf-secevent- > http-push-13 is intended to address your comments. Detailed replies are inline, > prefixed by "Mike>". > > -----Original Message----- > From: Roman Danyliw via Datatracker <noreply@ietf.org> > Sent: Tuesday, June 23, 2020 6:51 AM > To: The IESG <iesg@ietf.org> > Cc: draft-ietf-secevent-http-push@ietf.org; secevent-chairs@ietf.org; id- > event@ietf.org; Yaron Sheffer <yaronf.ietf@gmail.com>; > yaronf.ietf@gmail.com > Subject: Roman Danyliw's No Objection on draft-ietf-secevent-http-push-12: > (with COMMENT) > > Roman Danyliw has entered the following ballot position for > draft-ietf-secevent-http-push-12: No Objection > > When responding, please keep the subject line intact and reply to all email > addresses included in the To and CC lines. (Feel free to cut this introductory > paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-secevent-http-push/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Thanks for responding to the SECDIR review (and thanks to Valery Smyslov for > doing it) > > ** Section 2.1. Per “To transmit a SET to a SET Recipient, the SET Transmitter > makes an HTTP POST request to an HTTP endpoint using TLS provided by the > SET Recipient” didn’t parse right. What does it mean to “us[e] TLS provided by > …”? > > Mike> Murry also noticed this. I reworded this sentence according to his > suggestion. > > ** Section 5.3. Recommend being clearer that using TLS is a MUST. > OLD > In some use cases, using TLS to secure the transmitted SETs will be > sufficient. In other use cases, encrypting the SET as described in > JWE [RFC7516] will also be required > > NEW > TLS MUST be used to secure the transmitted SETs. In some use cases, also > encrypting the SET as described in JWE [RFC7516] will be required. > > Mike> Done > > ** Section 5.3. Per “SETs may contain sensitive information that is considered > Personally Identifiable Information (PII). In such cases …”, first off, I fully > endorse and concur with the spirit here – being clear when you have sensitive > information that confidentiality is a MUST requirement. However, we need > precision here – PII is a technical term in many jurisdictions, and the definition > varies. I wouldn’t want to make the normative guidance here conditional on > this ambiguity. I’d also note that Section 5.1. of RFC8417 refers to > confidentiality requirements in the presence of third parties. > Combining these observations will the editorial item above, I recommend: > > “SETs may contain sensitive information, to include Personally Identifiable > Information (PII), or be distributed through third parties. TLS MUST be …” > > Mike> Thanks, done > > ** Section 5.3. Per the reference RFC7525, I recognize that this sentence is > identical to Section 5.1 of RFC8417. Is there a reason why conformance to it > (RFC7525) is not a MUST (e.g., to ensure guidance on ciphersuites)? You’ve > already covered TLS version numbers with text and certificate validation with > RFC6125. > > Mike> It's now a MUST > > ** Section 5.5. Per “At the time of receipt, the SET Recipient can rely upon > transport layer mechanisms …”, since this whole specification is about a > particular “transport layer mechanisms”, what is are the specific details here – > or is this out of scope? > > Mike> It now more specifically talks about TLS mechanisms > > Thanks again, > -- Mike
- [Id-event] Roman Danyliw's No Objection on draft-… Roman Danyliw via Datatracker
- Re: [Id-event] Roman Danyliw's No Objection on dr… Mike Jones
- Re: [Id-event] Roman Danyliw's No Objection on dr… Roman Danyliw