Re: [Int-area] Roman Danyliw's Discuss on draft-ietf-intarea-provisioning-domains-10: (with DISCUSS and COMMENT)
Roman Danyliw <rdd@cert.org> Thu, 23 January 2020 13:22 UTC
Return-Path: <rdd@cert.org>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15B16120273; Thu, 23 Jan 2020 05:22:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id craRIrVL2lIE; Thu, 23 Jan 2020 05:22:03 -0800 (PST)
Received: from taper.sei.cmu.edu (taper.sei.cmu.edu [147.72.252.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9B5D51200D6; Thu, 23 Jan 2020 05:22:03 -0800 (PST)
Received: from korb.sei.cmu.edu (korb.sei.cmu.edu [10.64.21.30]) by taper.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 00NDM1VZ030700; Thu, 23 Jan 2020 08:22:01 -0500
DKIM-Filter: OpenDKIM Filter v2.11.0 taper.sei.cmu.edu 00NDM1VZ030700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1579785721; bh=ib9qICbkqZoMNE9K9WuqFfLPRjKSyIPWKp2kelTLXcE=; h=From:To:CC:Subject:Date:References:In-Reply-To:From; b=kPQzymBOa/CpUPf1V096N8xBAYIs3T5owCkETFwMrRBwyML94H0lgIndo2DopWaLj kx0oYAwqp/eJ72VgDB+yY7cHfW/VHsy7rah1b/0NIMPqUFroZa9dLC4X796Hl8Uet7 L0MQUPPdfGAat9oVYENIJXQ5ycCXMJie5Uzwli18=
Received: from CASCADE.ad.sei.cmu.edu (cascade.ad.sei.cmu.edu [10.64.28.248]) by korb.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 00NDLuDa017455; Thu, 23 Jan 2020 08:21:56 -0500
Received: from MARCHAND.ad.sei.cmu.edu ([10.64.28.251]) by CASCADE.ad.sei.cmu.edu ([10.64.28.248]) with mapi id 14.03.0468.000; Thu, 23 Jan 2020 08:21:56 -0500
From: Roman Danyliw <rdd@cert.org>
To: Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>
CC: Erik Kline <ek@loon.com>, "draft-ietf-intarea-provisioning-domains@ietf.org" <draft-ietf-intarea-provisioning-domains@ietf.org>, "int-area@ietf.org" <int-area@ietf.org>, The IESG <iesg@ietf.org>, "intarea-chairs@ietf.org" <intarea-chairs@ietf.org>
Thread-Topic: Roman Danyliw's Discuss on draft-ietf-intarea-provisioning-domains-10: (with DISCUSS and COMMENT)
Thread-Index: AQHV0UzMzXcDQdp3cESD7d3nYp7B1Kf3TdKAgADuHgA=
Date: Thu, 23 Jan 2020 13:21:56 +0000
Message-ID: <359EC4B99E040048A7131E0F4E113AFC0216F0CB7D@marchand>
References: <157971557533.12303.3211893249207374638.idtracker@ietfa.amsl.com> <4E9A7A35-2BEF-4F03-9DED-E9671F342229@apple.com>
In-Reply-To: <4E9A7A35-2BEF-4F03-9DED-E9671F342229@apple.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.22.6]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/pKMa5vy7GbcpAqMPnjke38ldpXU>
Subject: Re: [Int-area] Roman Danyliw's Discuss on draft-ietf-intarea-provisioning-domains-10: (with DISCUSS and COMMENT)
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jan 2020 13:22:06 -0000
Hi Tommy! Thanks for the quick response. What you are proposing below would address my concern. See below ... > -----Original Message----- > From: iesg <iesg-bounces@ietf.org> On Behalf Of Tommy Pauly > Sent: Wednesday, January 22, 2020 1:04 PM > To: Roman Danyliw <rdd@cert.org> > Cc: Erik Kline <ek@loon.com>; draft-ietf-intarea-provisioning- > domains@ietf.org; int-area@ietf.org; The IESG <iesg@ietf.org>; intarea- > chairs@ietf.org > Subject: Re: Roman Danyliw's Discuss on draft-ietf-intarea-provisioning- > domains-10: (with DISCUSS and COMMENT) > > Hi Roman, > > Thanks for the review! > > > > ---------------------------------------------------------------------- > > DISCUSS: > > ---------------------------------------------------------------------- > > > > Section 4.4. Per “When a host retrieves the PvD Additional > > Information, it MUST verify that the TLS server certificate is valid > > for the performed request (e.g., that the Subject Alternative Name is > > equal to the PvD ID expressed as an FQDN). This authentication > > creates a secure binding between the information provided by the > > trusted Router Advertisement, and the HTTPS server.”, what is the > > trust anchor the client is supposed to use to valid the server certificate is > valid? How is that trust anchor provisioned? > > There isn't any assumption that a non-default trust anchor needs to be used > by the client for this validation. By default, a client would use its system TLS > trust anchors to validate the server. This leaves open the possibility for > enterprise scenarios to configure custom trust anchor settings, but that is > currently beyond the scope of this document. > > Is there anything you'd like to see specifically covered in this text? Including a version of the text you wrote above would address my concern. The two key issues you hit are that (1) (obviously) a trust anchor should be used otherwise you not getting the authenticity you think you are; and (2) this anchor might need to be provisioned, whose complexity is out of scope (like you said). > > > > > > ---------------------------------------------------------------------- > > COMMENT: > > ---------------------------------------------------------------------- > > > > I support Ben Kaduk and Adam Roach’s DISCUSS positions. > > > > Section 4.1. Per “If the HTTP status of the answer is between 200 and > > 299, inclusive, the host MAY get a file containing a single JSON > > object”, what should be the behavior of a host that gets 200 status > > code but no JSON object – should it try again, conclude (like in a > > 4xx status code) that there is not further information, etc.? > > > > > > Yes, I agree that this should be clarified—that will be covered as part of the > discuss from Adam. Makes sense. Thanks, Roman > Thanks, > Tommy
- [Int-area] Roman Danyliw's Discuss on draft-ietf-… Roman Danyliw via Datatracker
- Re: [Int-area] Roman Danyliw's Discuss on draft-i… Tommy Pauly
- Re: [Int-area] Roman Danyliw's Discuss on draft-i… Roman Danyliw