Re: [Id-event] SecEvent draft minutes - IETF-101 (London)
Yaron Sheffer <yaronf.ietf@gmail.com> Thu, 12 April 2018 19:08 UTC
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCF2A129C53 for <id-event@ietfa.amsl.com>; Thu, 12 Apr 2018 12:08:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id idCjA7treOTM for <id-event@ietfa.amsl.com>; Thu, 12 Apr 2018 12:08:38 -0700 (PDT)
Received: from mail-wm0-x22a.google.com (mail-wm0-x22a.google.com [IPv6:2a00:1450:400c:c09::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E799F1289B0 for <id-event@ietf.org>; Thu, 12 Apr 2018 12:08:37 -0700 (PDT)
Received: by mail-wm0-x22a.google.com with SMTP id i3so223487wmf.3 for <id-event@ietf.org>; Thu, 12 Apr 2018 12:08:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=KZjl9BsTbyPTd3+m2ClwOhRy8aAXn5UqvJnlhQVHqPg=; b=U+j5weetGuHidluaxEnkCX36GSpvpFQSNqQFqoS/dsMKUpvLTRw6etVjojgj0B8Cy6 1/ImziV5jpOsJjp0lRZK8vjq06sLqoQw7GI+a2zgwQdAvNTz+V4TRGt2inP/nc6g1FlY BvR7cdmeroN7UpJeHcijT7HO7hhwwUXasUFMYYOSpXt07Wld5p19mF7L7DaEKCW1D9TS eDdvL3WmfO4yRCnD+cZU1aAmk8qIT3SYQqcU4JAAfTzW1dxv9bMXLfkFMYuMH4KZTnqz EK8gc1uvjEW23KL5cgbmzNCfBvJD1HsHZ2sARcuG5FZuse16sFLm6rnvoWMPh/hf3fed 8JFQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=KZjl9BsTbyPTd3+m2ClwOhRy8aAXn5UqvJnlhQVHqPg=; b=OVExdD8+TRmXMDAKGxF4niczomrgohQi3KCQGmNuwy4ES/PFrmPZ1l1n5MsvZd1fMn vUOZ/B+YcunhB/IIUbJwKGaV0C6+l1i9TZEcNvxHgX36bBkkOw/jJZtH2iJRqTjjBP1K koQNFVbWt2HcMSMRRc54E8y3F4kzJqRalTfM0VKSW5sRvW72c0JQZw88DIq8U3P7tZXb m94mwoR5NuynP9qXQrcAiZUvxkRLEyy2wUuKO/EZO2xLL2Eetmk2t7M9mUJ+Q4tiZwOw urI+Wy9tUhVkK1pGvD5LD0qWq/6sSF0fSQAl9t+KyRZVZ/Qj3tSnb6hXa1Dvhpk4d/KY ZA6g==
X-Gm-Message-State: ALQs6tC22L/FcgMD14WYiqwUvdBkZAheEq6jjtZ+Nt2njllN+d/d3oFx 41EAK8RSXPmWXcBu5z2xpqE=
X-Google-Smtp-Source: AIpwx4/Q04yTFIdIxh++WaBJJkk2pCdPwxRVRMoZTIw4PBZkCIXhLDn0GdlBV7CdNYQ92Va16CAbNw==
X-Received: by 10.28.53.194 with SMTP id c185mr1695634wma.27.1523560116249; Thu, 12 Apr 2018 12:08:36 -0700 (PDT)
Received: from [10.0.0.139] (bzq-79-179-126-121.red.bezeqint.net. [79.179.126.121]) by smtp.gmail.com with ESMTPSA id y30sm5057903wrd.83.2018.04.12.12.08.33 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 12 Apr 2018 12:08:35 -0700 (PDT)
To: "Richard Backman, Annabelle" <richanna@amazon.com>, Marius Scurtescu <mscurtescu@google.com>, Dick Hardt <dick.hardt@gmail.com>
Cc: SecEvent <id-event@ietf.org>, Michael Jones <michael.jones@microsoft.com>, John Bradley <ve7jtb@ve7jtb.com>, "Morteza Ansari (moransar)" <moransar@cisco.com>, Phil Hunt <phil.hunt@oracle.com>
References: <02e701d3c299$9c421e40$d4c65ac0$@smyslov.net> <bb8221b8-4403-1de4-5c98-43f518389f44@gmail.com> <09566560-11CA-435A-87F4-CFCBC6F889F3@oracle.com> <MW2PR00MB0298F59B5ECA2B577AF50272F5A10@MW2PR00MB0298.namprd00.prod.outlook.com> <80A4E085-96B1-40F6-86F7-EF5B96F2195A@ve7jtb.com> <750C6979-4CBE-4D66-B40B-764FF1B0EAB4@cisco.com> <CAD9ie-vgOr0HX2DWFN=Aa4d4R31pkXmkbH7+0rDoma9Uts=G5w@mail.gmail.com> <CAGdjJp+tdLeGG=UtC7qgQdk6SLFRH4zvtoehL1zSX9vxAO5x8w@mail.gmail.com> <CAGdjJp+gA_EKYD+r6NQ4TDcoyx_LMvwyP3drb818eDV2dwxiwA@mail.gmail.com> <447DFE9A-81C5-456F-8EFD-31422F7F6DAC@amazon.com>
From: Yaron Sheffer <yaronf.ietf@gmail.com>
Message-ID: <5241a309-d139-39f3-f446-a4972dacfd99@gmail.com>
Date: Thu, 12 Apr 2018 22:08:32 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0
MIME-Version: 1.0
In-Reply-To: <447DFE9A-81C5-456F-8EFD-31422F7F6DAC@amazon.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/_kK-WMoCoozIk09OVAUP2952GkY>
Subject: Re: [Id-event] SecEvent draft minutes - IETF-101 (London)
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Apr 2018 19:08:41 -0000
I already did (https://mailarchive.ietf.org/arch/msg/id-event/RIBJi79HFPIqo9_f7kL_GBwOPn0) and I don't see that anything substantial has changed. The consensus still holds. Thanks, Yaron On 10/04/18 02:12, Richard Backman, Annabelle wrote: > I don’t see how keeping them in one document makes things easier for the > implementer. It just makes it harder to tell what is required for HTTP > Push versus what is required for HTTP Poll. But we’ve already had this > discussion – we spent a good half of the London session on it, Yaron > called a vote, and found consensus for splitting the document. So far I > haven’t seen any arguments for or against splitting that weren’t > presented in London. So why are we reopening this? > > Could the chairs please clarify as to whether the consensus in favor of > splitting the document still holds? > > -- > > Annabelle Richard Backman > > Amazon – Identity Services > > *From: *Id-event <id-event-bounces@ietf.org> on behalf of Marius > Scurtescu <mscurtescu@google.com> > *Date: *Monday, April 9, 2018 at 3:26 PM > *To: *Dick Hardt <dick.hardt@gmail.com> > *Cc: *SecEvent <id-event@ietf.org>, Yaron Sheffer > <yaronf.ietf@gmail.com>, Michael Jones <michael.jones@microsoft.com>, > John Bradley <ve7jtb@ve7jtb.com>, "Morteza Ansari (moransar)" > <moransar@cisco.com>, Phil Hunt <phil.hunt@oracle.com> > *Subject: *Re: [Id-event] SecEvent draft minutes - IETF-101 (London) > > Oh, and not to mention that no one could confidently show how can you > specify two delivery methods in one document and not have both MTI. > > > Marius > > On Mon, Apr 9, 2018 at 3:23 PM, Marius Scurtescu > <mscurtescu@google.com<mailto:mscurtescu@google.com>> wrote: > > Agreed, having two different protocols in one document makes it more > complicated for implementers (or anyone trying to wrap their head > around what they need). > > And again, with one document we are unnecessarily slowing one and > rushing the other delivery method. > > > Marius > > On Mon, Apr 9, 2018 at 3:15 PM, Dick Hardt > <dick.hardt@gmail.com<mailto:dick.hardt@gmail.com>> wrote: > > So someone needs to read about two methods instead of just the > one that the profile says they need to read? Seems simpler for > someone to read a Push spec if all they need is to do Push, > instead of having to read a spec that describes both, and then > trying to decipher which aspects are relevant for them. > > On Mon, Apr 9, 2018 at 3:13 PM, Morteza Ansari (moransar) > <moransar@cisco.com<mailto:moransar@cisco.com>> wrote: > > I definitely agree that we shouldn't specify an MTI at the > protocol spec. I think each profile should be specifying > that as part of the profile definition and semantics. > > And if we don’t have an MTI at the protocol document, I > think we are much better off with a single protocol document > covering different protocols in the same document. It will > be all in one place for developer to choose, much easier to > maintain the common language common and not let them > diverge, and we could even describe scenarios one would be > preferred over the other as hints and suggestion to the > developers. > > > Cheers, > Morteza > > > On 4/9/18, 2:31 PM, "Id-event on behalf of John Bradley" > <id-event-bounces@ietf.org<mailto:id-event-bounces@ietf.org>on > behalf of ve7jtb@ve7jtb.com<mailto:ve7jtb@ve7jtb.com>> wrote: > > I think splitting the drafts was an attempt to get > around declaring one or the other method MTI. > > Clearly due to deployment constraints many people will > only be able to do one or the other. > > Having them both in the same draft would be best if we > don’t wind up having to declare one or both MTI. > > John B. > > On Mar 30, 2018, at 7:53 AM, Mike Jones > <michael.jones@microsoft.com<mailto:michael.jones@microsoft.com>> > wrote: > > > > I agree with Phil that having separate push and pull > delivery drafts would be a mistake. Many participants will > end up implementing both modalities. Having them both in > one draft will help keep them as common as possible - > preventing unnecessary and possibly unintended drift between > them. > > > > Also, as I said at the microphone in London, I think > we'll have a much easier time with the IESG taking one draft > forward with two closely related delivery modalities > defined, rather that two different delivery drafts. I fear > that if we try to get approval for two drafts, we might > receive DISCUSS feedback saying "pick one". > > > > For what it's worth (and to inform people who weren't > in the room), my personal sense was that the hums weren't > conclusive. Most of them had significant portions of people > humming for both positions. In short, my (personal) sense > was there wasn't clear consensus demonstrated to split the > delivery draft. I think the topic needs more discussion on > the list. > > > > Best wishes, > > -- Mike > > > > -----Original Message----- > > From: Id-event > <id-event-bounces@ietf.org<mailto:id-event-bounces@ietf.org>> On > Behalf Of Phil Hunt > > Sent: Thursday, March 29, 2018 10:15 PM > > To: Yaron Sheffer > <yaronf.ietf@gmail.com<mailto:yaronf.ietf@gmail.com>> > > Cc: SecEvent > <id-event@ietf.org<mailto:id-event@ietf.org>> > > Subject: Re: [Id-event] SecEvent draft minutes - > IETF-101 (London) > > > > Regarding the hums, I think they may be premature. In > part, because there is a unifying draft proposal available now. > > > > When we formed the group the sole purpose was a > common format and a single delivery draft for all cases. > > > > Several ietf people complained in Argentina about yet > another pub sub system the ietf does not need. > > > > Another comment was made not to follow the route > stix/taxii made in developing multiple incompatible methods > of delivery. > > > > If we split the draft we will have 3 methods not > two(including Backchannel). > > > > I worry this will lead to delay from rejection down > the road. This should be clarified first. > > > > I worry with multiple methods, profilers will develop > their own undermining the point of this work. > > > > Maybe I stand alone here, but I think splitting is a > mistake. > > > > Phil > > > >> On Mar 24, 2018, at 8:00 AM, Yaron Sheffer > <yaronf.ietf@gmail.com<mailto:yaronf.ietf@gmail.com>> wrote: > >> > >> Thank you Valery for taking the minutes. All, please > let us know if anything is incorrect or missing. > >> > >> In addition, we had a series of hums on the SET > Delivery draft. Per IETF process, we need to validate them > on the list. So if you weren't in the room and you have a > major objection to the results of these hums, please speak > up. I do suggest that before doing so, you review the actual > recorded meeting: > https://urldefense.proofpoint.com/v2/url?u=https-3A__www.youtube.com_watch-3Fv-3Dr0hbpQqsN6s&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=bZnIUtQK2S3enqQ3E8wJZHxLExg0UyssjEM1UAJ18jw&s=VbJxhADDKAULj3hrOYI1cbC5A8hEmFIesTvuGzkkOP0&e=. > >> > >> IETF 101 London Friday 23 March 2018 9:30 - 11:30 > >> > >> [Yaron] (WG status update, agenda bashing) > [Annabelle] asks for 10 > >> minutes for discussion > >> > >> [Mike] (presents Security Event Token draft update) > >> > >> [Annabelle] (presents SET Token delivery using HTTP > draft) [Mike] > >> Microsoft needs for both POLL and PUSH [Phil] > Redefining smth in HTTP > >> may cause problems [William] Return codes are only > for browsers to > >> display messages for users [Phil] It's needed for > resending in case of > >> error (?) [Annabelle] What is MTI - push or poll? > >> [Phil] With PUSH happened immediately... > >> [Leif] What is MTI for server or for client? > >> [William] Each option has an explicit use case > [Yaron (as chair)] We > >> need to have only one preferred option [Phil] There > are very different > >> cases [Phil] Push is simple, but in terms of > applicability it's not a > >> long term use case [Annabelle] There use cases for > both [Phil] Take > >> two and then abandon one [William] Why does the > chair require a single > >> MTI [Leif] It's from chair's experience, WG > consensus needed [William] > >> We have use cases for both [Mike] Procedurally it's > better to keep > >> both methods in one draft [Yaron] Having two methods > complicates the > >> description which method is for which situation etc. > >> [William] Still have interoperability issue for > receiver [Yaron] Need > >> to resolve this [Leif] WG should decide [Ben as AD] > If the WG doesn't > >> select a single method the IESG would probably > object [Annabelle] SET > >> will probably be profiled for different use cases > [Yaron] Is going to > >> make hums about selecting a single delivery method > and whether we need > >> to split the draft [John] What is hum about - > mandatory to implement or to deploy? > >> [Leif] We should analyze scenarios > >> [Annabelle] The protocol are unidirectional, so MTI for > >> transmitter/receiver is problematic [Justin] No > negotiation, either it > >> is or not, MTI for the receiver is dictated by what > the receiver > >> supports [Phil] They both must be able HTTP, the > roles can be changed > >> [Leif] Confusion between MTI and to deploy, a good > question - select > >> MTI for transmitter [Annabelle] Every transmitter > should have both > >> [Tero] Minimal implementation requires one, bigger > may have both, > >> single MTI is better then two for limited devices > [Annabelle] IoT > >> implementers have special requirement [William] They > are application > >> specific, we expected profile this [Yaron] Hum if we > need a single MTI > >> for transmitter - silence Later edit: Clearly no > support for a single MTI. > >> [Justin] Hum must be for multiple discrete options > [Yaron] Hum on use > >> cases for two methods - some hums [Yaron] Hum if > both should be MTI - > >> some hums [Yaron] Hum if should not specify MTI - > some hums Later > >> edit: room was split between two MTIs and no MTIs. > >> [Annabelle] We should split the spec > >> [Justin] Agree to split the spec > >> [Justin] I hummed for both MTI for transmitter, > because they are not > >> usually constrained [Annabelle] SET is possibly to > be used w/o HTTP, > >> this is only MTI for those using HTTP; both MTI is > problematic because > >> implementers will do unnecessary stuff [William] If > both are MTI, we > >> need 2 specs [John] Splitting the spec is the best > way [Mike] If > >> split, then the information for developers will be > duplicated [Ben] > >> Why single document better (?) [Mike] My experience > with JOSE > >> [Annabelle] Significant overlap between documents is > SET, otherwise > >> little commonality Later edit: existing editors > volunteered to take Push-specific doc, Annabelle and Mike > volunteered to work on Poll. > >> [from jabber] Little commonality between two methods > [Mike] We'll do > >> both, we have use cases for both [Yaron] Hum if > split documents - some > >> long hums [Yaron] Hum if one document - some hums > [Yaron] Room is in > >> favor of splitting the documents [Yaron] Wrap up: no > MTI, split the > >> document into two, transmitter implements either or both > >> > >> [Annabelle] (presenting Subject Identifier Types) > [Mike] 3rd party > >> specifications cannot establish IANA registry [Leif] > IANA Expert? > >> [Ben] FCFS, doesn't need Expert, or specification > required [Leif] I > >> support this idea [William] I also support [Yaron] > Any objections to > >> adopt this document? No objections, publish as WG > document > >> > >> [Annabelle] Expiration ("exp") claim is not > recommended; however it > >> has some value [Mike] It's a layering violation; > problems with caching > >> [Annabelle] We're not talking about caching, you > don't want to grow > >> anti-replay database forever, having expiration > helps [Phil] The past > >> doesn't expire, it's up to receiver how to use it, > caching doesn't make sense [Yaron] What about replay protection? > >> [Mike] JTI helps to detect replay (?) [from jabber] > Transport should > >> deal with replay [John] Expiry is expected to mean > that token should > >> not be processed after that, it's not an indication > that information > >> is no longer valid [Mike] It must not be mandatory > [Annabelle] > >> Currently the draft says it's not recommended [Mike] > We have to allow it to be optional because of the need to > distinguish from access tokens. > >> [Ben] Some use case when processing expired token > (?) [John] Have an > >> explicit expire for JTI, there are other solutions > [Phil] I prefer to > >> add a new attribute to SET, not changing ... > >> [Yaron] The document in LC, smaller changes are OK > without blocking the doc's progress. > >> [Phil] Replay and caching are different for PUSH and > POLL, prefer to > >> see in HTTP header [Brian] Expiration is not > necessary, receiver has > >> policy to follow [Annabelle] No-one is advocating > using exp for > >> caching [from jabber] JTI expiration belongs to JTI > not to transport > >> [Yaron] We're not ready to have hum, room thinks > there is an issue, please work through it on the list. > >> > >> [Phil] Presents his SSTP Delivery draft - symmetric > transport > >> protocol, parameters used in requests and response > are same [Phil] We > >> would change optionality from two methods to a > single one, may be a compromise [Yaron] The protocol was > only published yesterday, so we are not ready to discuss now. > >> > >> [Meeting adjourned.] > >> > >> _______________________________________________ > >> Id-event mailing list > >> Id-event@ietf.org<mailto:Id-event@ietf.org> > >> > https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mail > >> > man_listinfo_id-2Devent&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65 > >> > eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=bZnIUtQK2S3en > >> > qQ3E8wJZHxLExg0UyssjEM1UAJ18jw&s=bm9Kqkwb8W8ClkdHFvnnH60BmArjysl02dP_3 > >> TAjwew&e= > > > > _______________________________________________ > > Id-event mailing list > > Id-event@ietf.org<mailto:Id-event@ietf.org> > > https://www.ietf.org/mailman/listinfo/id-event > > > > _______________________________________________ > > Id-event mailing list > > Id-event@ietf.org<mailto:Id-event@ietf.org> > > https://www.ietf.org/mailman/listinfo/id-event > > _______________________________________________ > Id-event mailing list > Id-event@ietf.org<mailto:Id-event@ietf.org> > https://www.ietf.org/mailman/listinfo/id-event > > > _______________________________________________ > Id-event mailing list > Id-event@ietf.org<mailto:Id-event@ietf.org> > https://www.ietf.org/mailman/listinfo/id-event > > > _______________________________________________ > Id-event mailing list > Id-event@ietf.org<mailto:Id-event@ietf.org> > https://www.ietf.org/mailman/listinfo/id-event >
- [Id-event] SecEvent draft minutes - IETF-101 (Lon… Yaron Sheffer
- Re: [Id-event] SecEvent draft minutes - IETF-101 … Phil Hunt
- Re: [Id-event] SecEvent draft minutes - IETF-101 … Phil Hunt
- Re: [Id-event] SecEvent draft minutes - IETF-101 … Mike Jones
- Re: [Id-event] SecEvent draft minutes - IETF-101 … Yaron Sheffer
- Re: [Id-event] SecEvent draft minutes - IETF-101 … Benjamin Kaduk
- Re: [Id-event] SecEvent draft minutes - IETF-101 … John Bradley
- Re: [Id-event] SecEvent draft minutes - IETF-101 … Marius Scurtescu
- Re: [Id-event] SecEvent draft minutes - IETF-101 … John Bradley
- Re: [Id-event] SecEvent draft minutes - IETF-101 … Morteza Ansari (moransar)
- Re: [Id-event] SecEvent draft minutes - IETF-101 … Dick Hardt
- Re: [Id-event] SecEvent draft minutes - IETF-101 … Marius Scurtescu
- Re: [Id-event] SecEvent draft minutes - IETF-101 … Marius Scurtescu
- Re: [Id-event] SecEvent draft minutes - IETF-101 … Richard Backman, Annabelle
- Re: [Id-event] SecEvent draft minutes - IETF-101 … Yaron Sheffer