IETF Logo Mail Archive

Re: [Id-event] SecEvent draft minutes - IETF-101 (London)

Marius Scurtescu <mscurtescu@google.com> Mon, 09 April 2018 21:35 UTC

Return-Path: <mscurtescu@google.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 850C312D95F for <id-event@ietfa.amsl.com>; Mon, 9 Apr 2018 14:35:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.01
X-Spam-Level:
X-Spam-Status: No, score=-2.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NjYh_t-pxmT2 for <id-event@ietfa.amsl.com>; Mon, 9 Apr 2018 14:35:46 -0700 (PDT)
Received: from mail-ua0-x231.google.com (mail-ua0-x231.google.com [IPv6:2607:f8b0:400c:c08::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8922212D95C for <id-event@ietf.org>; Mon, 9 Apr 2018 14:35:46 -0700 (PDT)
Received: by mail-ua0-x231.google.com with SMTP id a17so5992935uaf.13 for <id-event@ietf.org>; Mon, 09 Apr 2018 14:35:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=PBfkjNvn0pIT2O9VNOQG/8a0BbXIakFOyG6EBMDeCaI=; b=qGoZzbK52ouwq1On41r9boS439LKOPtHKmiV+BGAYhTsSA7qOVPEWNIPT7Bev2WIeI W3pFIqCQVIAw96bOkR9aAxLXVuWC/cQ++DG4qT/8CC4JJrJtOMb6QLd3VUs5nA9/NyuH nMIvzEn0ZWD17GZFtnQy92B1WKqa5F6OE1rRnu0vChOfAkoi3jL0RwoC9se/VCVy/i+R exoQBRA+JOu1yu5Av8CCFXG8qNyVh5flZ0s6U+NSyU4yBbOs/Dslxw8a9Px8Hgjcy+/c YBlDwdXAX2qZktxV8IO68N/wHBXZarg295V5OkpNp80lu5wT9S3fhppd7OuLMN2e5eDf w9hQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=PBfkjNvn0pIT2O9VNOQG/8a0BbXIakFOyG6EBMDeCaI=; b=LfXjeVemFluFudmEDEPwP+7FmhVoL7x0c3jGh85tQn2qBPMygdQ0Iub0ieHzkgbVhb f48VGARrsZF5/HHCfmacLVYoHMOagu1yNKIzdTsdvB3/hrDSv2heBt4JUWwakvMe0nER 9+figPsFW2P+BAfNb+ROgOM6byN8saDTbq3lAkgxPcYet+vUlS7BWxrdc80/cYhqpu+g qt/usePPZabAxi/UEP6Ev2KUXND7gOyibtVdm5C17zJS+JWbGzwbsAT5/Hddxde25q/U Xpr/eRu7VntC8gpjPVpQPVcmDkDDw+YjiUObIBPYOFahL5KOZca+TsZAYGLFZdAFt54q yL3g==
X-Gm-Message-State: ALQs6tAzzjdBEpKU4+YaoRUF7U5gJ6IhVf/lIBm+KEgL5CcUpboppuiG Zjde7Ho1pNgFTmonFxvIEm/z8ayzRthhtFbYQA4qkA==
X-Google-Smtp-Source: AIpwx4+F9KDrvqAKm9TfeNCLGoc1OWiWfDTO37Yq9dbGrscJNdVoSR1+CtqnV5IGcAwqNRWK8cFoPQ/O61NSiLOFBN8=
X-Received: by 10.176.97.140 with SMTP id h12mr25267048uan.136.1523309745082; Mon, 09 Apr 2018 14:35:45 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.31.155.214 with HTTP; Mon, 9 Apr 2018 14:35:24 -0700 (PDT)
In-Reply-To: <80A4E085-96B1-40F6-86F7-EF5B96F2195A@ve7jtb.com>
References: <02e701d3c299$9c421e40$d4c65ac0$@smyslov.net> <bb8221b8-4403-1de4-5c98-43f518389f44@gmail.com> <09566560-11CA-435A-87F4-CFCBC6F889F3@oracle.com> <MW2PR00MB0298F59B5ECA2B577AF50272F5A10@MW2PR00MB0298.namprd00.prod.outlook.com> <80A4E085-96B1-40F6-86F7-EF5B96F2195A@ve7jtb.com>
From: Marius Scurtescu <mscurtescu@google.com>
Date: Mon, 09 Apr 2018 14:35:24 -0700
Message-ID: <CAGdjJpJrtwuE2Hxm-oxZWj3=B1vDsODrE7e8sqBYUBko6vt7wA@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Cc: Michael Jones <michael.jones@microsoft.com>, Yaron Sheffer <yaronf.ietf@gmail.com>, SecEvent <id-event@ietf.org>, Phil Hunt <phil.hunt@oracle.com>
Content-Type: multipart/alternative; boundary="94eb2c1ea3b43db2080569713097"
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/gyelQ279R_6YQixC4QhF_ST-cLc>
Subject: Re: [Id-event] SecEvent draft minutes - IETF-101 (London)
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Apr 2018 21:35:50 -0000

On Mon, Apr 9, 2018 at 2:30 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> I think splitting the drafts was an attempt to get around declaring one or
> the other method MTI.
>

That, and also to allow the two delivery methods to mature at their own
speed and not tie one to the other. Push has implementations and there is
no reason holding it back from LC for example, or rushing Poll when it is
not ready.



> Clearly due to deployment constraints many people will only be able to do
> one or the other.
>
> Having them both in the same draft would be best if we don’t wind up
> having to declare one or both MTI.
>

What is the advantage of having both in same draft?



>
> John B.
> > On Mar 30, 2018, at 7:53 AM, Mike Jones <michael.jones@microsoft.com>
> wrote:
> >
> > I agree with Phil that having separate push and pull delivery drafts
> would be a mistake.  Many participants will end up implementing both
> modalities.  Having them both in one draft will help keep them as common as
> possible - preventing unnecessary and possibly unintended drift between
> them.
> >
> > Also, as I said at the microphone in London, I think we'll have a much
> easier time with the IESG taking one draft forward with two closely related
> delivery modalities defined, rather that two different delivery drafts.  I
> fear that if we try to get approval for two drafts, we might receive
> DISCUSS feedback saying "pick one".
> >
> > For what it's worth (and to inform people who weren't in the room), my
> personal sense was that the hums weren't conclusive.  Most of them had
> significant portions of people humming for both positions.  In short, my
> (personal) sense was there wasn't clear consensus demonstrated to split the
> delivery draft.  I think the topic needs more discussion on the list.
> >
> >                               Best wishes,
> >                               -- Mike
> >
> > -----Original Message-----
> > From: Id-event <id-event-bounces@ietf.org> On Behalf Of Phil Hunt
> > Sent: Thursday, March 29, 2018 10:15 PM
> > To: Yaron Sheffer <yaronf.ietf@gmail.com>
> > Cc: SecEvent <id-event@ietf.org>
> > Subject: Re: [Id-event] SecEvent draft minutes - IETF-101 (London)
> >
> > Regarding the hums, I think they may be premature. In part, because
> there is a unifying draft proposal available now.
> >
> > When we formed the group the sole purpose was a common format and a
> single delivery draft for all cases.
> >
> > Several ietf people complained in Argentina about yet another pub sub
> system the ietf does not need.
> >
> > Another comment was made not to follow the route stix/taxii made in
> developing multiple incompatible methods of delivery.
> >
> > If we split the draft we will have 3 methods not two(including
> Backchannel).
> >
> > I worry this will lead to delay from rejection down the road. This
> should be clarified first.
> >
> > I worry with multiple methods, profilers will develop their own
> undermining the point of this work.
> >
> > Maybe I stand alone here, but I think splitting is a mistake.
> >
> > Phil
> >
> >> On Mar 24, 2018, at 8:00 AM, Yaron Sheffer <yaronf.ietf@gmail.com>
> wrote:
> >>
> >> Thank you Valery for taking the minutes. All, please let us know if
> anything is incorrect or missing.
> >>
> >> In addition, we had a series of hums on the SET Delivery draft. Per
> IETF process, we need to validate them on the list. So if you weren't in
> the room and you have a major objection to the results of these hums,
> please speak up. I do suggest that before doing so, you review the actual
> recorded meeting: https://urldefense.proofpoint.
> com/v2/url?u=https-3A__www.youtube.com_watch-3Fv-3Dr0hbpQqsN6s&d=DwICAg&c=
> RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=
> na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=
> bZnIUtQK2S3enqQ3E8wJZHxLExg0UyssjEM1UAJ18jw&s=
> VbJxhADDKAULj3hrOYI1cbC5A8hEmFIesTvuGzkkOP0&e=.
> >>
> >> IETF 101 London Friday 23 March 2018 9:30 - 11:30
> >>
> >> [Yaron] (WG status update, agenda bashing) [Annabelle] asks for 10
> >> minutes for discussion
> >>
> >> [Mike] (presents Security Event Token draft update)
> >>
> >> [Annabelle] (presents SET Token delivery using HTTP draft) [Mike]
> >> Microsoft needs for both POLL and PUSH [Phil] Redefining smth in HTTP
> >> may cause problems [William] Return codes are only for browsers to
> >> display messages for users [Phil] It's needed for resending in case of
> >> error (?) [Annabelle] What is MTI - push or poll?
> >> [Phil] With PUSH  happened immediately...
> >> [Leif] What is MTI for server or for client?
> >> [William] Each option has an explicit use case [Yaron (as chair)] We
> >> need to have only one preferred option [Phil] There are very different
> >> cases [Phil] Push is simple, but in terms of applicability it's not a
> >> long term use case [Annabelle] There use cases for both [Phil] Take
> >> two and then abandon one [William] Why does the chair require a single
> >> MTI [Leif] It's from chair's experience, WG consensus needed [William]
> >> We have use cases for both [Mike] Procedurally it's better to keep
> >> both methods in one draft [Yaron] Having two methods complicates the
> >> description which method is for which situation etc.
> >> [William] Still have interoperability issue for receiver [Yaron] Need
> >> to resolve this [Leif] WG should decide [Ben as AD] If the WG doesn't
> >> select a single method the IESG would probably object [Annabelle] SET
> >> will probably be profiled for different use cases [Yaron] Is going to
> >> make hums about selecting a single delivery method and whether we need
> >> to split the draft [John] What is hum about - mandatory to implement or
> to deploy?
> >> [Leif] We should analyze scenarios
> >> [Annabelle] The protocol are unidirectional, so MTI for
> >> transmitter/receiver is problematic [Justin] No negotiation, either it
> >> is or not, MTI for the receiver is dictated by what the receiver
> >> supports [Phil] They both must be able HTTP, the roles can be changed
> >> [Leif] Confusion between MTI and to deploy, a good question - select
> >> MTI for transmitter [Annabelle] Every transmitter should have both
> >> [Tero] Minimal implementation requires one, bigger may have both,
> >> single MTI is better then two for limited devices [Annabelle] IoT
> >> implementers have special requirement [William] They are application
> >> specific, we expected profile this [Yaron] Hum if we need a single MTI
> >> for transmitter - silence Later edit: Clearly no support for a single
> MTI.
> >> [Justin] Hum must be for multiple discrete options [Yaron] Hum on use
> >> cases for two methods - some hums [Yaron] Hum if both should be MTI -
> >> some hums [Yaron] Hum if should not specify MTI - some hums Later
> >> edit: room was split between two MTIs and no MTIs.
> >> [Annabelle] We should split the spec
> >> [Justin] Agree to split the spec
> >> [Justin] I hummed for both MTI for transmitter, because they are not
> >> usually constrained [Annabelle] SET is possibly to be used w/o HTTP,
> >> this is only MTI for those using HTTP; both MTI is problematic because
> >> implementers will do unnecessary stuff [William] If both are MTI, we
> >> need 2 specs [John] Splitting the spec is the best way [Mike] If
> >> split, then the information for developers will be duplicated [Ben]
> >> Why single document better (?) [Mike] My experience with JOSE
> >> [Annabelle] Significant overlap between documents is SET, otherwise
> >> little commonality Later edit: existing editors volunteered to take
> Push-specific doc, Annabelle and Mike volunteered to work on Poll.
> >> [from jabber] Little commonality between two methods [Mike] We'll do
> >> both, we have use cases for both [Yaron] Hum if split documents - some
> >> long hums [Yaron] Hum if one document - some hums [Yaron] Room is in
> >> favor of splitting the documents [Yaron] Wrap up: no MTI, split the
> >> document into two, transmitter implements either or both
> >>
> >> [Annabelle] (presenting Subject Identifier Types) [Mike] 3rd party
> >> specifications cannot establish IANA registry [Leif] IANA Expert?
> >> [Ben] FCFS, doesn't need Expert, or specification required [Leif] I
> >> support this idea [William] I also support [Yaron] Any objections to
> >> adopt this document? No objections, publish as WG document
> >>
> >> [Annabelle] Expiration ("exp") claim is not recommended; however it
> >> has some value [Mike] It's a layering violation; problems with caching
> >> [Annabelle] We're not talking about caching, you don't want to grow
> >> anti-replay database forever, having expiration helps [Phil] The past
> >> doesn't expire, it's up to receiver how to use it, caching doesn't make
> sense [Yaron] What about replay protection?
> >> [Mike] JTI helps to detect replay (?) [from jabber] Transport should
> >> deal with replay [John] Expiry is expected to mean that token should
> >> not be processed after that, it's not an indication that information
> >> is no longer valid [Mike] It must not be mandatory [Annabelle]
> >> Currently the draft says it's not recommended [Mike] We have to allow
> it to be optional because of the need to distinguish from access tokens.
> >> [Ben] Some use case when processing expired token (?) [John] Have an
> >> explicit expire for JTI, there are other solutions [Phil] I prefer to
> >> add a new attribute to SET, not changing ...
> >> [Yaron] The document in LC, smaller changes are OK without blocking the
> doc's progress.
> >> [Phil] Replay and caching are different for PUSH and POLL, prefer to
> >> see in HTTP header [Brian] Expiration is not necessary, receiver has
> >> policy to follow [Annabelle] No-one is advocating using exp for
> >> caching [from jabber] JTI expiration belongs to JTI not to transport
> >> [Yaron] We're not ready to have hum, room thinks there is an issue,
> please work through it on the list.
> >>
> >> [Phil] Presents his SSTP Delivery draft - symmetric transport
> >> protocol, parameters used in requests and response are same [Phil] We
> >> would change optionality from two methods to a single one, may be a
> compromise [Yaron] The protocol was only published yesterday, so we are not
> ready to discuss now.
> >>
> >> [Meeting adjourned.]
> >>
> >> _______________________________________________
> >> Id-event mailing list
> >> Id-event@ietf.org
> >> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mail
> >> man_listinfo_id-2Devent&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65
> >> eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=bZnIUtQK2S3en
> >> qQ3E8wJZHxLExg0UyssjEM1UAJ18jw&s=bm9Kqkwb8W8ClkdHFvnnH60BmArjysl02dP_3
> >> TAjwew&e=
> >
> > _______________________________________________
> > Id-event mailing list
> > Id-event@ietf.org
> > https://www.ietf.org/mailman/listinfo/id-event
> >
> > _______________________________________________
> > Id-event mailing list
> > Id-event@ietf.org
> > https://www.ietf.org/mailman/listinfo/id-event
>
> _______________________________________________
> Id-event mailing list
> Id-event@ietf.org
> https://www.ietf.org/mailman/listinfo/id-event
>

v2.23.0 | Report a Bug | By Email