Re: [Int-area] Roman Danyliw's Discuss on draft-ietf-intarea-provisioning-domains-10: (with DISCUSS and COMMENT)
Tommy Pauly <tpauly@apple.com> Wed, 22 January 2020 18:04 UTC
Return-Path: <tpauly@apple.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2BA21120639; Wed, 22 Jan 2020 10:04:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mo-H7c5o4vlj; Wed, 22 Jan 2020 10:04:03 -0800 (PST)
Received: from nwk-aaemail-lapp01.apple.com (nwk-aaemail-lapp01.apple.com [17.151.62.66]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F01521202DD; Wed, 22 Jan 2020 10:04:02 -0800 (PST)
Received: from pps.filterd (nwk-aaemail-lapp01.apple.com [127.0.0.1]) by nwk-aaemail-lapp01.apple.com (8.16.0.27/8.16.0.27) with SMTP id 00MI2aZT057931; Wed, 22 Jan 2020 10:03:57 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=sender : content-type : mime-version : subject : from : in-reply-to : date : cc : content-transfer-encoding : message-id : references : to; s=20180706; bh=IfQ6M35GYe2TDTS1Vm7sDEx4oNl4qn+klwHDyw3L+ZM=; b=i4DmF/n2O0n5Ma4zCASTqN+RLwl8Ias9+NtgObAqQjdjwmIUSHOGKKY3Kados/n06rN8 wyssdfBlTWmZub+UQzVodsR/IQbAhiUBxToi6auH0xfotv8JkH2emIsrm70t+Pux9LWl o0/HQ5IjXh56swUvxUtxS4jrcTcepApqnS9YRJyXzR+e/zDUysxRYc9IwU0ZDoGnMuN9 tx0TKVap+vS6gw3bwh9lhRChgQmLpufnZcJqajzIzot0Y4DzstKJqI8Ai+AtorqQkwNh DmDD6DGPpI8KATC5vM7EQFax6/AOmb8PPqpHePNduns5PpT071o3KzPDPdaCUB8apJhH 4g==
Received: from ma1-mtap-s02.corp.apple.com (ma1-mtap-s02.corp.apple.com [17.40.76.6]) by nwk-aaemail-lapp01.apple.com with ESMTP id 2xm1u5g95v-3 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Wed, 22 Jan 2020 10:03:56 -0800
Received: from nwk-mmpp-sz09.apple.com (nwk-mmpp-sz09.apple.com [17.128.115.80]) by ma1-mtap-s02.corp.apple.com (Oracle Communications Messaging Server 8.0.2.4.20190507 64bit (built May 7 2019)) with ESMTPS id <0Q4I00G1PSUI2960@ma1-mtap-s02.corp.apple.com>; Wed, 22 Jan 2020 10:03:56 -0800 (PST)
Received: from process_milters-daemon.nwk-mmpp-sz09.apple.com by nwk-mmpp-sz09.apple.com (Oracle Communications Messaging Server 8.0.2.4.20190507 64bit (built May 7 2019)) id <0Q4I00F00S27UT00@nwk-mmpp-sz09.apple.com>; Wed, 22 Jan 2020 10:03:54 -0800 (PST)
X-Va-A:
X-Va-T-CD: a90511e1a04b19d78098f3dd78956d64
X-Va-E-CD: 20d6cced203da4ea20ede99c1943295d
X-Va-R-CD: 000a46f299361a8cbc29dde0de248073
X-Va-CD: 0
X-Va-ID: ec3c10ac-96e6-4e26-8de5-fa3c77d2ff10
X-V-A:
X-V-T-CD: a90511e1a04b19d78098f3dd78956d64
X-V-E-CD: 20d6cced203da4ea20ede99c1943295d
X-V-R-CD: 000a46f299361a8cbc29dde0de248073
X-V-CD: 0
X-V-ID: cfb74c8c-d00e-4f9a-aa82-e1933f5466c1
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2020-01-22_08:,, signatures=0
Received: from [17.192.171.152] by nwk-mmpp-sz09.apple.com (Oracle Communications Messaging Server 8.0.2.4.20190507 64bit (built May 7 2019)) with ESMTPSA id <0Q4I0067OSUIL350@nwk-mmpp-sz09.apple.com>; Wed, 22 Jan 2020 10:03:54 -0800 (PST)
Sender: tpauly@apple.com
Content-type: text/plain; charset="utf-8"
MIME-version: 1.0 (Mac OS X Mail 13.0 \(3594.4.17\))
From: Tommy Pauly <tpauly@apple.com>
In-reply-to: <157971557533.12303.3211893249207374638.idtracker@ietfa.amsl.com>
Date: Wed, 22 Jan 2020 10:03:51 -0800
Cc: The IESG <iesg@ietf.org>, draft-ietf-intarea-provisioning-domains@ietf.org, Erik Kline <ek@loon.com>, intarea-chairs@ietf.org, int-area@ietf.org
Content-transfer-encoding: quoted-printable
Message-id: <4E9A7A35-2BEF-4F03-9DED-E9671F342229@apple.com>
References: <157971557533.12303.3211893249207374638.idtracker@ietfa.amsl.com>
To: Roman Danyliw <rdd@cert.org>
X-Mailer: Apple Mail (2.3594.4.17)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2020-01-22_08:, , signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/pHGXxwqLkxCC6EhR7cZWkRTDpdU>
Subject: Re: [Int-area] Roman Danyliw's Discuss on draft-ietf-intarea-provisioning-domains-10: (with DISCUSS and COMMENT)
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jan 2020 18:04:04 -0000
Hi Roman, Thanks for the review! > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > Section 4.4. Per “When a host retrieves the PvD Additional Information, it > MUST verify that the TLS server certificate is valid for the performed request > (e.g., that the Subject Alternative Name is equal to the PvD ID expressed as an > FQDN). This authentication creates a secure binding between the information > provided by the trusted Router Advertisement, and the HTTPS server.”, what is > the trust anchor the client is supposed to use to valid the server certificate > is valid? How is that trust anchor provisioned? There isn't any assumption that a non-default trust anchor needs to be used by the client for this validation. By default, a client would use its system TLS trust anchors to validate the server. This leaves open the possibility for enterprise scenarios to configure custom trust anchor settings, but that is currently beyond the scope of this document. Is there anything you'd like to see specifically covered in this text? > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > I support Ben Kaduk and Adam Roach’s DISCUSS positions. > > Section 4.1. Per “If the HTTP status of the answer is between 200 and 299, > inclusive, the host MAY get a file containing a single JSON object”, what > should be the behavior of a host that gets 200 status code but no JSON object > – should it try again, conclude (like in a 4xx status code) that there is not > further information, etc.? > > Yes, I agree that this should be clarified—that will be covered as part of the discuss from Adam. Thanks, Tommy
- [Int-area] Roman Danyliw's Discuss on draft-ietf-… Roman Danyliw via Datatracker
- Re: [Int-area] Roman Danyliw's Discuss on draft-i… Tommy Pauly
- Re: [Int-area] Roman Danyliw's Discuss on draft-i… Roman Danyliw