IETF Logo Mail Archive

Re: [Jmap] Benjamin Kaduk's Discuss on draft-ietf-jmap-core-14: (with DISCUSS and COMMENT)

Benjamin Kaduk <kaduk@mit.edu> Fri, 01 March 2019 20:10 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: jmap@ietfa.amsl.com
Delivered-To: jmap@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 85445130EBE; Fri, 1 Mar 2019 12:10:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mit.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hMU-CRRI6jnW; Fri, 1 Mar 2019 12:10:05 -0800 (PST)
Received: from NAM03-BY2-obe.outbound.protection.outlook.com (mail-eopbgr780112.outbound.protection.outlook.com [40.107.78.112]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8D5CF130EBC; Fri, 1 Mar 2019 12:10:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mit.edu; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=L/xSqztzZeuPXzmXypzMNbS9WFF8UYC4boiWGXPF9eg=; b=n54Gxsr2PIf/SczJlHlEP8dmN6f3Oo7flMRJKRu8klHQODjiKNoWqyOeMySmwTXz7SLZ32LhmLZL1SAWyxZtTWAzomv7gpzge1zfHBrueB07xHWm715PCIhSQ2vj/DVT8Uh22JbRFDWWWXyj8tXnnB8erQXuCtTD+PGQor7r+CU=
Received: from DM5PR0101CA0005.prod.exchangelabs.com (2603:10b6:4:28::18) by BN8PR01MB5602.prod.exchangelabs.com (2603:10b6:408:be::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1665.15; Fri, 1 Mar 2019 20:10:02 +0000
Received: from BY2NAM03FT041.eop-NAM03.prod.protection.outlook.com (2a01:111:f400:7e4a::209) by DM5PR0101CA0005.outlook.office365.com (2603:10b6:4:28::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1665.16 via Frontend Transport; Fri, 1 Mar 2019 20:10:01 +0000
Authentication-Results: spf=pass (sender IP is 18.9.28.11) smtp.mailfrom=mit.edu; ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=bestguesspass action=none header.from=mit.edu;
Received-SPF: Pass (protection.outlook.com: domain of mit.edu designates 18.9.28.11 as permitted sender) receiver=protection.outlook.com; client-ip=18.9.28.11; helo=outgoing.mit.edu;
Received: from outgoing.mit.edu (18.9.28.11) by BY2NAM03FT041.mail.protection.outlook.com (10.152.85.246) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1643.13 via Frontend Transport; Fri, 1 Mar 2019 20:10:01 +0000
Received: from kduck.mit.edu (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x21K9ulq029041 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 1 Mar 2019 15:09:58 -0500
Date: Fri, 01 Mar 2019 14:09:56 -0600
From: Benjamin Kaduk <kaduk@mit.edu>
To: Neil Jenkins <neilj@fastmailteam.com>
CC: iesg <iesg@ietf.org>, draft-ietf-jmap-core@ietf.org, Bron Gondwana <brong@fastmailteam.com>, jmap-chairs@ietf.org, IETF JMAP Mailing List <jmap@ietf.org>
Message-ID: <20190301200956.GR53396@kduck.mit.edu>
References: <155072687005.20308.1288342758446844678.idtracker@ietfa.amsl.com> <ebf89939-bf68-4458-a24f-5a37090385fd@beta.fastmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <ebf89939-bf68-4458-a24f-5a37090385fd@beta.fastmail.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:18.9.28.11; IPV:CAL; SCL:-1; CTRY:US; EFV:NLI; SFV:NSPM; SFS:(10019020)(396003)(136003)(346002)(39860400002)(376002)(2980300002)(51914003)(199004)(189003)(1076003)(66574012)(966005)(426003)(8676002)(6246003)(54906003)(46406003)(4326008)(104016004)(106002)(14444005)(23726003)(75432002)(356004)(5660300002)(6916009)(305945005)(6306002)(16586007)(53416004)(58126008)(229853002)(50466002)(476003)(2906002)(126002)(7696005)(956004)(11346002)(486006)(86362001)(55016002)(47776003)(106466001)(478600001)(446003)(26826003)(76176011)(88552002)(336012)(186003)(26005)(316002)(786003)(8936002)(97756001)(246002)(33656002)(36906005)(18370500001); DIR:OUT; SFP:1102; SCL:1; SRVR:BN8PR01MB5602; H:outgoing.mit.edu; FPR:; SPF:Pass; LANG:en; PTR:outgoing-auth-1.mit.edu; A:1; MX:1;
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: d8c85915-f8c7-40d8-6517-08d69e81e30e
X-Microsoft-Antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(4608103)(4709054)(2017052603328)(7153060); SRVR:BN8PR01MB5602;
X-MS-TrafficTypeDiagnostic: BN8PR01MB5602:
X-MS-Exchange-PUrlCount: 2
X-Microsoft-Exchange-Diagnostics: 1; BN8PR01MB5602; 20:Fg+T7DXTDbySrZ8Hse8FknAeo96mLJ0Ob52Eiea2JmbrUkoZCEjGznE9S6Q+H/voRHrMfGe2QaeC6TFwQZ5RHnX9GAO7drZQZ5J8vH2xkpzzbXM6AvNhTqliiZPL4Xlrob1gkvDf/fS6MHAx8ZeiSNmv4vApEByNQiveFT5mvbd42QswJ8fuX0bbp3uQuNDurSEhwodzbq+Ml24hP529zizTnLFlYcyVucL82sh1dO77hTHPBbhliaikF93qymZHHFb5j26wd4+BooAauokzyXzQvegCQR3cZJEptH/t5mJJzRDnVFVQbtu/NyfWnQ0z9y3H45fRhURpiSI/jIq/BnIkfsOc85t9WTzRHBf756coeSb47h9JBqFod5hQcVub5tyyTDxIRURvHPqW8BmStQdgVhh1SKVe7FbIjRPzqaSQWGbSI1+b52wJD46qMTKotgxpKnEfgVM8wnecW02Zqg3SoPZFFdVs58OCiob2GtGjOOroffRntjPpsTCEYFErIkm4RjFB5dqL8Vk/Ig9nfO8P1h/Ayt7+FNx9SP+0jmaF4SpTRBSaaIbn0BbsxkQECr+1wCA5+XApV2D2gvljEWAPJgrvV6nzXzv5v5LyboY=
X-Microsoft-Antispam-PRVS: <BN8PR01MB56022D10125E295F16D371C3A0760@BN8PR01MB5602.prod.exchangelabs.com>
X-Forefront-PRVS: 09634B1196
X-Microsoft-Exchange-Diagnostics: 1; BN8PR01MB5602; 23:I6y1ZNIshASARolSGDIRdVWrbRRCRxL70OFfs7Sw5HZbUsK2b/T6XomBGCF9lejAWMvbGnxnQ4wdJ0pwBMZd2JYDNmHA0qBlyCB/mrO1XQ0DSj27hcN+W2zf87KXi54Z7YTGnN1XdHo1b1NyamU/v5RtbJZCyCR6RPekFMXl5xtFC4DiMbOcTb9mIvnalIifKUSX7PY0PpzDs6oXg+rJzyh5+fsKdEGyYRiWD7zmdmOZFp31ZTEjnY+lptA3J1aeyxvRLV4iHG0VaaD00p72NXQdKssA29PAy5AfFimNHPSz7OvLsIiq8MgSj3Ap2Kr4ao3qA47v1CA/l+whCHkDYma0xaG3N1fFtSGCDZsG9LFHZ/Eix9LlgVMB2rIGeQZBpbwEUNLpt4s5S0vPhMkwWK6ZCeP5NqFQS8e/kl64BMuyMgOjbqqsx4hOJGpxZ69zqOeTbs0z71fnDoJnz6v9QPM94YZrFJ9sdwyJKgUlFpbSuqmERMBU6oVCSe1Hr96FzuRVAl2OqJJPHre+fDoL8TTPg+zlfc5hvmUH289z0qF2tpf15A48fCgLwDEHf6IumMZ6WBwYLqXwTJNgaWVW+j75Q3/+fC+PkuhM4605wzoeYoXksdIIHdIVDZf0He+ORaUbES/khZlXUzaoZEDZHs7Ex50ilJFgYpe/v8egx1wZG68qYXVX+uiTg/ZX7/tjVzSusJdskZ8pTVoy070dZrPfi8q078WLohbk6LClyNsUl3wr2OqvA7gKNWbpdFLB8X++PrsmlyEO+fKagNx5J5sBhjlVpdH2tKjPwNs67jijZKrPNQErOw+zTWXPJbTeqw4R2XolOP1t80Xe7DEZ9VpDKbn7Rpo2MTFz6VdNbVGduEgjgCTTRDe+M4RtiQfJTk4HFEy1wLW1oVVA0yk3Q/pCHBc3kkhq4ZwZhAVSjCZNvtKSS1JmX4Kfe6eAZoExNPc1K+WDzEfZ9PokyT46w0EPyL6a7NddLVHPKVaC96BrXvfmGAH0Pt9eVfzTz7Pd+5lfv+vQcbIHaNikYQgMo5tQi8R1NlR6FS8KvTFjw+MGVZSdnmLKgXsRi/BeOedrfxv1fcnUt+Bc8a1U056DSg/dTBFsz8/+0eioW0lZs8TcWyx6xKZRvNyrl1vwj3BqPnRQsQyjk65PzelWRfueWqA3dJPT1ykkgpUaiTPETqsIlxbw+KqRvWK8uT7unrSqahQKeWaWR/ehcbov7hfTm3K3zQAcyxCpsf0DTJghdJfAaO2RtZ4ykjxs7dGXEcJD83nSICdMPpK+HOtPqA2sTw6P5iPOIur5Nrdif95PPks=
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Message-Info: 6G43pRxbcx0xYe+ADjP9UmKh1iAAuFdpsbe0HgwCN79FQJviSkZedonWv1qD0bTGcD3n1thNdE5fqGYKDXAP2MmhwN8WR0n7POSb9fg8QgE4LBhgdpGQvxPqGWVUcth+H5pzGG/KTGwDE3BbwTgsWxa5u+ugwYzXexoqDcSOF1KfhVkMNYZFMvTbSmo9Ib8roKk83D2eHhjenAFFjTy8REFIsqA0eHl4/KRI730DORQ9KW7s7RzJgyGx8j5D7tydF4DfKQz/FYxJlDDUEswtoUynC1Y1mCPhTpWD2WJg8ohg3DHg+zDgFMu45108R5gdVAS9XYZFN/X0GqH3VCVJmUOoooA7HFrloWv2lZrf16KD17vxrl3fMr/5O5GI8G+HkTo30J2cZEIHzLVYRsh8VehfnBYHemU+2qubSQD6lt4=
X-OriginatorOrg: mit.edu
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 01 Mar 2019 20:10:01.1941 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: d8c85915-f8c7-40d8-6517-08d69e81e30e
X-MS-Exchange-CrossTenant-Id: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=64afd9ba-0ecf-4acf-bc36-935f6235ba8b; Ip=[18.9.28.11]; Helo=[outgoing.mit.edu]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN8PR01MB5602
Archived-At: <https://mailarchive.ietf.org/arch/msg/jmap/3zSBr9IN0Ju1HFYRG66nmJ6iQVc>
Subject: Re: [Jmap] Benjamin Kaduk's Discuss on draft-ietf-jmap-core-14: (with DISCUSS and COMMENT)
X-BeenThere: jmap@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: JSON Message Access Protocol <jmap.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jmap>, <mailto:jmap-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jmap/>
List-Post: <mailto:jmap@ietf.org>
List-Help: <mailto:jmap-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jmap>, <mailto:jmap-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Mar 2019 20:10:10 -0000

Just replying on the discussion points for now, as I want to also be
reviewing the jmap-mail document today...

Most of these look good, and thank you for the updates!

On Thu, Feb 28, 2019 at 01:14:44AM -0500, Neil Jenkins wrote:
> Thanks for the detailed feedback Benjamin.
> 
> *Discussion points*
> 
> > This document (twice) has a MUST requirement for HTTP over TLS, which
> > seems to exclude any future usage of HTTP/3 over QUIC. (It's also
> > probably not needed to repeat the normative requirement in two places; I
> > noted both in the COMMENT section.)
> 
> OK, I'm happy to change this to say https:// scheme instead. I've changed the text to just say:
> 
> *JMAP uses HTTP [@!RFC7230] to expose API, Push, Upload and Download resources. All HTTP requests MUST use the https:// scheme ([@!RFC2818] HTTP over TLS).*
> 
> I have moved the minimum TLS requirements to the security considerations, and removed the HTTP reference there, so the normative requirements are no longer duplicated.
> 
> > Section 1.6.2 asserts that "all data belong to a single account". And
> > yet, we seem to have PushSubscription objects in Sections 7.2.1 and
> > 7.2.2 that disclaim any relationship to an account, which seems
> > internally inconsistent. 
> 
> Yes, this was inconsistent; PushSubscription objects are special as they are tied to authentication credentials rather than an account. I have removed just this sentence, since I think the document is clear enough without it.
> 
> > It's also unclear to me from the text in the
> > latter sections what mechanism is used to determine whether a given
> > request is authorized to see a given PushSubscription object. Is it
> > supposed to be based on the authentication credentials to the API
> > service directly, or a user abstraction, or something else?
> 
> The authentication credentials. You're right this was not clear; I have added explicit statement of this to the document.
> 
> > Section 5.3
> > 
> >  Some records may hold references to other records (foreign keys).
> >  That reference may be set (via create or update) in the same request
> >  as the referenced record is created. To do this, the client refers
> >  to the new record using its creation id prefixed with a "#". The
> >  order of the method calls in the request by the client MUST be such
> >  that the record being referenced is created in the same or an earlier
> >  call. The server thus never has to look ahead. Instead, while
> > 
> > I think this means you need to specify what order the server does the
> > create, update, and destroy lists in -- that is, that all creates are
> > done before all updates, etc..
> 
> This is only true for objects with references to the same type (e.g. Mailbox). I have added this sentence to the end of that paragraph:
> 
> *In the case of records with references to the same type, the server MUST order the creates and updates within a single method call so that creates happen before their creation ids are referenced by another create/update in the same call.*
> 
> There is no need to specify more constraints than this for ordering as it would not be externally visible; servers should have the flexibility to optimise as they see fit.

I agree that this sort of ordering is the relevant part and we don't
actually need to specify an absolute order of operations.  Though I guess
if some client was silly enough to both create and delete the same item in
a single request, the delete would need to be referred to by the creation
ID, which would provide the needed dependency to force the ordering.  So
this adversarial scenario just would need to change "create/update" to
"create/update/delete" to be covered.

> > Section 5.5
> > 
> > The Unicode Collation Algorithm (<http://www.unicode.org/reports/tr10/>
> > is not listed in the IANA collation registry for internet application
> > protocols; since the session object limits the collationAlgorithms to
> > those in the registry, at present, it is not permitted to use that
> > collation algorithm. It would seem that this document should stimulate
> > the registration of that collation algorithm in some fashion (whether by
> > explicitly doing so in its IANA Considerations or otherwise).
> 
> There is no requirement in the spec for the default algorithm to be one of those listed in the collationAlgorithms capability; the server can do whatever it wants in the default case. We will certainly look at registering UCA, but such a registration doesn't belong in this document and will not materially change this document so should not block publication.

Rereading, I see that the example of Unicode Collation is just as one that
meets the requirements needed for a (server-dependent) default algorithm,
as you note.  So, sorry for misreading that (and I would have cleared
anyway with just a declaration of intent to register).

> > Section 7.1
> > 
> >  o *changed*: "Id[TypeState]" A map of _account id_ to an object
> >  encoding the state of data types that have changed for that
> >  account since the last StateChange object was pushed, for each of
> > 
> > I don't see how these semantics provide the properties stated in Section
> > 7, "[i]t doesn't matter if some push events are dropped before they
> > reach the client; it will still get all changes next time it syncs." In
> > particular, if the client misses a state change for the CalendarEvent
> > type, and then no other changes that affect CalendarEvents occur, the
> > client will remain unaware of the changes to CalendarEvents, even if
> > other push notifications for other types come in. Am I misunderstanding
> > one or more of the behavior or stated guarantees?
> 
> It's stating that on the next resync, whether that be due to a future push for the same type, or the client making any /get or /set for that type and seeing the different state string returned, will result in the client coming fully up to date. Losing the push does not mean there is data the client will now no longer see.

Perhaps there is room for a little more clarity on what "it syncs" means
(i.e., full sync or just scoped to a specific data type).  To be clear,
this is a fine design; I just want to be sure that we have clarity of
language in describing it.

> > Section 7.2
> > 
> >  As a push subscription causes the JMAP server to make a number of
> >  requests to a previously unknown endpoint, it can be used as a vector
> >  for launching a denial of service attack. To prevent this, when a
> >  subscription is created the JMAP server immediately sends a
> >  PushVerification object to that URL (see section 7.2.2). The JMAP
> >  server MUST NOT make any further requests to the URL until the client
> >  receives the push and updates the subscription with the correct
> >  verification code.
> > 
> > I think the JMAP server also needs to rate-limit even the initial
> > PushVerification generation, per-user(?), in order to close the DoS
> > and annoyance-vector risks.
> 
> Yes, for annoyance mitigation there should be some rate limits here. I don't think we need to be specific on how it is rate-limited; that's up to the server. I'll add a mention of this to the security considerations.
> 
> > 
> >  o *keys*: "Object|null" (immutable) Client-generated encryption
> >  keys. If supplied the server MUST use them as specified in
> >  [RFC8291] to encrypt all data sent to the push subscription. The
> >  object MUST have the following properties:
> > 
> >  * *p256dh*: the P-256 ECDH Diffie-Hellman public key as described
> >  in [RFC8291], encoded in URL-safe Base64 representation as
> > 
> > What's the crypto agility story for these web push encryption keys?
> > (See BCP 201.)
> 
> There isn't one, because as far as I can see RFC8291 <https://tools.ietf.org/html/rfc8291> doesn't have one and that's what this is supporting. What do you suggest?

The pragmatic thing to do would be to note in the security considerations
that there is no algorithm agility for Web Push Encryption, and if agility
becomes needed in the future a spec update would likely be needed to
provide it.

> > Also, when these expirations fire (e.g., for Basic Authentication
> > credentials), we need a normative requirement to actually destroy the
> > private credentials; there's a lot going on here so maybe I missed it,
> > but I don't think I saw one.
> 
> I think we already have this. The spec says:
> 
> *The push subscription is tied to the credentials used to authenticate the API request that created it. Should these credentials expire or be revoked, the push subscription MUST be destroyed by the JMAP server.*
> 
> Or were you referring to something else?

I was thinking that you need to clear out the memory/disk storage that hold
the credentials (e.g., password), as well as destroying the subscription
object.  We don't want plaintext credentials floating around longer than
needed.

-Benjamin

v2.23.0 | Report a Bug | By Email