Re: [Id-event] SecEvent draft minutes - IETF-101 (London)
Dick Hardt <dick.hardt@gmail.com> Mon, 09 April 2018 22:16 UTC
Return-Path: <dick.hardt@gmail.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 01E5F12D7F8 for <id-event@ietfa.amsl.com>; Mon, 9 Apr 2018 15:16:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K2k85CgfGRPP for <id-event@ietfa.amsl.com>; Mon, 9 Apr 2018 15:16:00 -0700 (PDT)
Received: from mail-pf0-x230.google.com (mail-pf0-x230.google.com [IPv6:2607:f8b0:400e:c00::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8EF6D12D7F6 for <id-event@ietf.org>; Mon, 9 Apr 2018 15:16:00 -0700 (PDT)
Received: by mail-pf0-x230.google.com with SMTP id p6so2999297pfn.4 for <id-event@ietf.org>; Mon, 09 Apr 2018 15:16:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=kjw0EVNNvC8tZ9d9buN4xlS2PfaPSq22XaXD1dBMwIM=; b=Ng29To6l59VJkC/i/gm7Vj2kw+buSgE7LYHwbSKzf/zqajiriP7REdEgcgR1xzkXh5 R6U+yeGz5F4ZlNck/6LazF+taWYJDGl+FcEYCalpMyJezWkoctgDhJVRK8ZeiamhgdW+ YlAzgKz9jtjEfQMD84jGqXgV63sAJcmEwE2yB6O4MZBbRI8gcPK7a5VRTFQMXY86Se90 BawFqfFFTWqf7FUjP5P5wn9oxIjXI5XX/NrKiYhruG2j+1cWuNr8sjrE2F12mNBY1X5K 3MppHloNznLirIZJaEXJYaxKe2b75xNj9ArGzuYRc3q3tlBSr8O4GnHJKodOZI+XFcHa i9Eg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=kjw0EVNNvC8tZ9d9buN4xlS2PfaPSq22XaXD1dBMwIM=; b=JOEaKRuaBuCErg8aynK6SriX6EOlVYiy0oqyM058aTFB72irRy96/l05cC+v7A4js+ jAWyyoHGYsWiV2M8jUZErrtapxgcQ1VrvJ+biAH7SNVDI9GypzD63a2wKQOMR1ySWG3D 8myETMoyBieiB3zlG5BZrz66lXKMKspZPL16j8kMQMLR6mrzNHauOTu2fkGExe6sy20j HaINaRgIynSJHiZyZ0Vy6DDcvs7F7nKS6qofwhIelflC306j4Wub3cMBPLxuMVsDrjeZ /9I4+7C3yc4GkERLAaf5YjzwG/iGFgaNB0D9pfqNcOf/VSWzvWD9MrTPY+3PjetMMP2n SfOA==
X-Gm-Message-State: ALQs6tCg7FjTvJwBi+rXPUdnd7zrk9QcYAnoEmPexON8M/Df0RMkpFUB FRiOWHuQhgmZ9U+MNNWCJWJQ/9V9B8fR3MDhbgI=
X-Google-Smtp-Source: AIpwx48FvdycfqvdpFi2EA18NSRqJFLliINaQgN422DMSF0nvgDZyNE7VPw2nGYvSyRnM5ol26rQ3rOXCoaR+PMAoBs=
X-Received: by 10.98.70.8 with SMTP id t8mr535461pfa.185.1523312159750; Mon, 09 Apr 2018 15:15:59 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.226.131 with HTTP; Mon, 9 Apr 2018 15:15:39 -0700 (PDT)
In-Reply-To: <750C6979-4CBE-4D66-B40B-764FF1B0EAB4@cisco.com>
References: <02e701d3c299$9c421e40$d4c65ac0$@smyslov.net> <bb8221b8-4403-1de4-5c98-43f518389f44@gmail.com> <09566560-11CA-435A-87F4-CFCBC6F889F3@oracle.com> <MW2PR00MB0298F59B5ECA2B577AF50272F5A10@MW2PR00MB0298.namprd00.prod.outlook.com> <80A4E085-96B1-40F6-86F7-EF5B96F2195A@ve7jtb.com> <750C6979-4CBE-4D66-B40B-764FF1B0EAB4@cisco.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Mon, 09 Apr 2018 15:15:39 -0700
Message-ID: <CAD9ie-vgOr0HX2DWFN=Aa4d4R31pkXmkbH7+0rDoma9Uts=G5w@mail.gmail.com>
To: "Morteza Ansari (moransar)" <moransar@cisco.com>
Cc: John Bradley <ve7jtb@ve7jtb.com>, Michael Jones <michael.jones@microsoft.com>, Yaron Sheffer <yaronf.ietf@gmail.com>, SecEvent <id-event@ietf.org>, Phil Hunt <phil.hunt@oracle.com>
Content-Type: multipart/alternative; boundary="94eb2c0b7cf429fd9d056971c060"
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/le6DaWL0OrnaERXj5BJn0-9kHDg>
Subject: Re: [Id-event] SecEvent draft minutes - IETF-101 (London)
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Apr 2018 22:16:05 -0000
So someone needs to read about two methods instead of just the one that the profile says they need to read? Seems simpler for someone to read a Push spec if all they need is to do Push, instead of having to read a spec that describes both, and then trying to decipher which aspects are relevant for them. On Mon, Apr 9, 2018 at 3:13 PM, Morteza Ansari (moransar) < moransar@cisco.com> wrote: > I definitely agree that we shouldn't specify an MTI at the protocol spec. > I think each profile should be specifying that as part of the profile > definition and semantics. > > And if we don’t have an MTI at the protocol document, I think we are much > better off with a single protocol document covering different protocols in > the same document. It will be all in one place for developer to choose, > much easier to maintain the common language common and not let them > diverge, and we could even describe scenarios one would be preferred over > the other as hints and suggestion to the developers. > > > Cheers, > Morteza > > On 4/9/18, 2:31 PM, "Id-event on behalf of John Bradley" < > id-event-bounces@ietf.org on behalf of ve7jtb@ve7jtb.com> wrote: > > I think splitting the drafts was an attempt to get around declaring > one or the other method MTI. > > Clearly due to deployment constraints many people will only be able to > do one or the other. > > Having them both in the same draft would be best if we don’t wind up > having to declare one or both MTI. > > John B. > > On Mar 30, 2018, at 7:53 AM, Mike Jones <michael.jones@microsoft.com> > wrote: > > > > I agree with Phil that having separate push and pull delivery drafts > would be a mistake. Many participants will end up implementing both > modalities. Having them both in one draft will help keep them as common as > possible - preventing unnecessary and possibly unintended drift between > them. > > > > Also, as I said at the microphone in London, I think we'll have a > much easier time with the IESG taking one draft forward with two closely > related delivery modalities defined, rather that two different delivery > drafts. I fear that if we try to get approval for two drafts, we might > receive DISCUSS feedback saying "pick one". > > > > For what it's worth (and to inform people who weren't in the room), > my personal sense was that the hums weren't conclusive. Most of them had > significant portions of people humming for both positions. In short, my > (personal) sense was there wasn't clear consensus demonstrated to split the > delivery draft. I think the topic needs more discussion on the list. > > > > Best wishes, > > -- Mike > > > > -----Original Message----- > > From: Id-event <id-event-bounces@ietf.org> On Behalf Of Phil Hunt > > Sent: Thursday, March 29, 2018 10:15 PM > > To: Yaron Sheffer <yaronf.ietf@gmail.com> > > Cc: SecEvent <id-event@ietf.org> > > Subject: Re: [Id-event] SecEvent draft minutes - IETF-101 (London) > > > > Regarding the hums, I think they may be premature. In part, because > there is a unifying draft proposal available now. > > > > When we formed the group the sole purpose was a common format and a > single delivery draft for all cases. > > > > Several ietf people complained in Argentina about yet another pub > sub system the ietf does not need. > > > > Another comment was made not to follow the route stix/taxii made in > developing multiple incompatible methods of delivery. > > > > If we split the draft we will have 3 methods not two(including > Backchannel). > > > > I worry this will lead to delay from rejection down the road. This > should be clarified first. > > > > I worry with multiple methods, profilers will develop their own > undermining the point of this work. > > > > Maybe I stand alone here, but I think splitting is a mistake. > > > > Phil > > > >> On Mar 24, 2018, at 8:00 AM, Yaron Sheffer <yaronf.ietf@gmail.com> > wrote: > >> > >> Thank you Valery for taking the minutes. All, please let us know if > anything is incorrect or missing. > >> > >> In addition, we had a series of hums on the SET Delivery draft. Per > IETF process, we need to validate them on the list. So if you weren't in > the room and you have a major objection to the results of these hums, > please speak up. I do suggest that before doing so, you review the actual > recorded meeting: https://urldefense.proofpoint. > com/v2/url?u=https-3A__www.youtube.com_watch-3Fv-3Dr0hbpQqsN6s&d=DwICAg&c= > RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r= > na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m= > bZnIUtQK2S3enqQ3E8wJZHxLExg0UyssjEM1UAJ18jw&s= > VbJxhADDKAULj3hrOYI1cbC5A8hEmFIesTvuGzkkOP0&e=. > >> > >> IETF 101 London Friday 23 March 2018 9:30 - 11:30 > >> > >> [Yaron] (WG status update, agenda bashing) [Annabelle] asks for 10 > >> minutes for discussion > >> > >> [Mike] (presents Security Event Token draft update) > >> > >> [Annabelle] (presents SET Token delivery using HTTP draft) [Mike] > >> Microsoft needs for both POLL and PUSH [Phil] Redefining smth in > HTTP > >> may cause problems [William] Return codes are only for browsers to > >> display messages for users [Phil] It's needed for resending in case > of > >> error (?) [Annabelle] What is MTI - push or poll? > >> [Phil] With PUSH happened immediately... > >> [Leif] What is MTI for server or for client? > >> [William] Each option has an explicit use case [Yaron (as chair)] We > >> need to have only one preferred option [Phil] There are very > different > >> cases [Phil] Push is simple, but in terms of applicability it's not > a > >> long term use case [Annabelle] There use cases for both [Phil] Take > >> two and then abandon one [William] Why does the chair require a > single > >> MTI [Leif] It's from chair's experience, WG consensus needed > [William] > >> We have use cases for both [Mike] Procedurally it's better to keep > >> both methods in one draft [Yaron] Having two methods complicates the > >> description which method is for which situation etc. > >> [William] Still have interoperability issue for receiver [Yaron] > Need > >> to resolve this [Leif] WG should decide [Ben as AD] If the WG > doesn't > >> select a single method the IESG would probably object [Annabelle] > SET > >> will probably be profiled for different use cases [Yaron] Is going > to > >> make hums about selecting a single delivery method and whether we > need > >> to split the draft [John] What is hum about - mandatory to > implement or to deploy? > >> [Leif] We should analyze scenarios > >> [Annabelle] The protocol are unidirectional, so MTI for > >> transmitter/receiver is problematic [Justin] No negotiation, either > it > >> is or not, MTI for the receiver is dictated by what the receiver > >> supports [Phil] They both must be able HTTP, the roles can be > changed > >> [Leif] Confusion between MTI and to deploy, a good question - select > >> MTI for transmitter [Annabelle] Every transmitter should have both > >> [Tero] Minimal implementation requires one, bigger may have both, > >> single MTI is better then two for limited devices [Annabelle] IoT > >> implementers have special requirement [William] They are application > >> specific, we expected profile this [Yaron] Hum if we need a single > MTI > >> for transmitter - silence Later edit: Clearly no support for a > single MTI. > >> [Justin] Hum must be for multiple discrete options [Yaron] Hum on > use > >> cases for two methods - some hums [Yaron] Hum if both should be MTI > - > >> some hums [Yaron] Hum if should not specify MTI - some hums Later > >> edit: room was split between two MTIs and no MTIs. > >> [Annabelle] We should split the spec > >> [Justin] Agree to split the spec > >> [Justin] I hummed for both MTI for transmitter, because they are not > >> usually constrained [Annabelle] SET is possibly to be used w/o HTTP, > >> this is only MTI for those using HTTP; both MTI is problematic > because > >> implementers will do unnecessary stuff [William] If both are MTI, we > >> need 2 specs [John] Splitting the spec is the best way [Mike] If > >> split, then the information for developers will be duplicated [Ben] > >> Why single document better (?) [Mike] My experience with JOSE > >> [Annabelle] Significant overlap between documents is SET, otherwise > >> little commonality Later edit: existing editors volunteered to take > Push-specific doc, Annabelle and Mike volunteered to work on Poll. > >> [from jabber] Little commonality between two methods [Mike] We'll do > >> both, we have use cases for both [Yaron] Hum if split documents - > some > >> long hums [Yaron] Hum if one document - some hums [Yaron] Room is in > >> favor of splitting the documents [Yaron] Wrap up: no MTI, split the > >> document into two, transmitter implements either or both > >> > >> [Annabelle] (presenting Subject Identifier Types) [Mike] 3rd party > >> specifications cannot establish IANA registry [Leif] IANA Expert? > >> [Ben] FCFS, doesn't need Expert, or specification required [Leif] I > >> support this idea [William] I also support [Yaron] Any objections to > >> adopt this document? No objections, publish as WG document > >> > >> [Annabelle] Expiration ("exp") claim is not recommended; however it > >> has some value [Mike] It's a layering violation; problems with > caching > >> [Annabelle] We're not talking about caching, you don't want to grow > >> anti-replay database forever, having expiration helps [Phil] The > past > >> doesn't expire, it's up to receiver how to use it, caching doesn't > make sense [Yaron] What about replay protection? > >> [Mike] JTI helps to detect replay (?) [from jabber] Transport should > >> deal with replay [John] Expiry is expected to mean that token should > >> not be processed after that, it's not an indication that information > >> is no longer valid [Mike] It must not be mandatory [Annabelle] > >> Currently the draft says it's not recommended [Mike] We have to > allow it to be optional because of the need to distinguish from access > tokens. > >> [Ben] Some use case when processing expired token (?) [John] Have an > >> explicit expire for JTI, there are other solutions [Phil] I prefer > to > >> add a new attribute to SET, not changing ... > >> [Yaron] The document in LC, smaller changes are OK without blocking > the doc's progress. > >> [Phil] Replay and caching are different for PUSH and POLL, prefer to > >> see in HTTP header [Brian] Expiration is not necessary, receiver has > >> policy to follow [Annabelle] No-one is advocating using exp for > >> caching [from jabber] JTI expiration belongs to JTI not to transport > >> [Yaron] We're not ready to have hum, room thinks there is an issue, > please work through it on the list. > >> > >> [Phil] Presents his SSTP Delivery draft - symmetric transport > >> protocol, parameters used in requests and response are same [Phil] > We > >> would change optionality from two methods to a single one, may be a > compromise [Yaron] The protocol was only published yesterday, so we are not > ready to discuss now. > >> > >> [Meeting adjourned.] > >> > >> _______________________________________________ > >> Id-event mailing list > >> Id-event@ietf.org > >> https://urldefense.proofpoint.com/v2/url?u=https-3A__www. > ietf.org_mail > >> man_listinfo_id-2Devent&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIr > MUB65 > >> eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPk > AI1aLcLN4KZNA&m=bZnIUtQK2S3en > >> qQ3E8wJZHxLExg0UyssjEM1UAJ18jw&s=bm9Kqkwb8W8ClkdHFvnnH60BmArjys > l02dP_3 > >> TAjwew&e= > > > > _______________________________________________ > > Id-event mailing list > > Id-event@ietf.org > > https://www.ietf.org/mailman/listinfo/id-event > > > > _______________________________________________ > > Id-event mailing list > > Id-event@ietf.org > > https://www.ietf.org/mailman/listinfo/id-event > > _______________________________________________ > Id-event mailing list > Id-event@ietf.org > https://www.ietf.org/mailman/listinfo/id-event > > > _______________________________________________ > Id-event mailing list > Id-event@ietf.org > https://www.ietf.org/mailman/listinfo/id-event >
- [Id-event] SecEvent draft minutes - IETF-101 (Lon… Yaron Sheffer
- Re: [Id-event] SecEvent draft minutes - IETF-101 … Phil Hunt
- Re: [Id-event] SecEvent draft minutes - IETF-101 … Phil Hunt
- Re: [Id-event] SecEvent draft minutes - IETF-101 … Mike Jones
- Re: [Id-event] SecEvent draft minutes - IETF-101 … Yaron Sheffer
- Re: [Id-event] SecEvent draft minutes - IETF-101 … Benjamin Kaduk
- Re: [Id-event] SecEvent draft minutes - IETF-101 … John Bradley
- Re: [Id-event] SecEvent draft minutes - IETF-101 … Marius Scurtescu
- Re: [Id-event] SecEvent draft minutes - IETF-101 … John Bradley
- Re: [Id-event] SecEvent draft minutes - IETF-101 … Morteza Ansari (moransar)
- Re: [Id-event] SecEvent draft minutes - IETF-101 … Dick Hardt
- Re: [Id-event] SecEvent draft minutes - IETF-101 … Marius Scurtescu
- Re: [Id-event] SecEvent draft minutes - IETF-101 … Marius Scurtescu
- Re: [Id-event] SecEvent draft minutes - IETF-101 … Richard Backman, Annabelle
- Re: [Id-event] SecEvent draft minutes - IETF-101 … Yaron Sheffer