[Id-event] Review of draft-ietf-secevent-http-push-05

Mark Dobrinic <mark.dobrinic@curity.io> Wed, 27 March 2019 10:54 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/mG-Uto9grX_La5lmi5ZR64X8EmI>

Hi id-event,

Read through draft 05, and here are some of my findings. With the
disclaimer that I am not fully aware of the historical discussions that
led to this draft.

- Section 2.0 mentions: "Once a SET has been validated and persisted,
the SET Recipient SHOULD immediately return a response ..."; there's a
bit of a gap on what to do when the SET was validated but failed to
persist. The errors don't (and probably shouldn't?) cover this, as this
might be considered business logic on the recipient's part? Section 2.2
talks about "appropriate retention requirements", which is nicely
formulated. This type of wording might also be snuck into the language
of section 2.0's paragraph ("Once the SET has been validated and
persisted ..")

- Is the `description` field in the error response REQUIRED?

- Is there a reason why the `authentication_failed` failure response
should not return an HTTP/401 Unauthorized HTTP status code?

- Section 5.1 talks about the SET Issuer being authorized to deliver the
SET; should this not be the SET Transmitter?

- Section 5.4 on authenticating persisted SETs: not sure if I understood
this correctly, but if a SET Transmitter can send a SET that was issued
by a different SET Issuer, how would the signature verification key be
resolved to authenticate the SET? 5.4 talks about the SET *Transmitter*
signing the SET, should this not be the SET *Issuer*? Or is this out of
scope?

Nitpicks:
- The sentence above the examples (e.g. in section 2.2) should always
end with a colon ':' ("The following is ... a SET:"), or end with a
period '.'. Don't care which, but looks nicer if it's the same
everywhere. I think only 2.2 falls out of line.

- The text above Figure 5 says "SET Receiver", should be "SET Recipient"

Hope this helps to wrap it up to publication :)


-- 
Regards,

Mark Dobrinic
Software Engineer and Identity Specialist
Curity AB

mark.dobrinic@curity.io
www.curity.io