IETF Logo Mail Archive

Re: [Jmap] Benjamin Kaduk's Discuss on draft-ietf-jmap-core-14: (with DISCUSS and COMMENT)

Benjamin Kaduk <kaduk@mit.edu> Mon, 04 March 2019 03:02 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: jmap@ietfa.amsl.com
Delivered-To: jmap@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7E2A6130F09; Sun, 3 Mar 2019 19:02:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mit.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KtgnIactMNOf; Sun, 3 Mar 2019 19:02:25 -0800 (PST)
Received: from NAM04-BN3-obe.outbound.protection.outlook.com (mail-eopbgr680129.outbound.protection.outlook.com [40.107.68.129]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D765A130ED4; Sun, 3 Mar 2019 19:02:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mit.edu; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=gL/Lc8Nkwk99EM8GIiGabaa8zbeIcvPckbQCn2LEi3g=; b=RAJa8iF3Evnkn6uZL+yUt0Y9889aw10yFwpEsy1j+xMPiXbyGU2zAxrF5MjChVsOdGZOx8GB3N1iNkIVSAWYonEJJY8emi7MioFVXjCX3d2QinWF6GNrozj1KyDZxNkhpbv289UrhMx6rmFi+iUSHgtK7PkNe0J01ycyRJ0bWgQ=
Received: from BN6PR0101CA0030.prod.exchangelabs.com (2603:10b6:405:2a::43) by BN8PR01MB5602.prod.exchangelabs.com (2603:10b6:408:be::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1665.15; Mon, 4 Mar 2019 03:02:22 +0000
Received: from DM3NAM03FT020.eop-NAM03.prod.protection.outlook.com (2a01:111:f400:7e49::207) by BN6PR0101CA0030.outlook.office365.com (2603:10b6:405:2a::43) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1665.15 via Frontend Transport; Mon, 4 Mar 2019 03:02:22 +0000
Authentication-Results: spf=pass (sender IP is 18.9.28.11) smtp.mailfrom=mit.edu; ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=bestguesspass action=none header.from=mit.edu;
Received-SPF: Pass (protection.outlook.com: domain of mit.edu designates 18.9.28.11 as permitted sender) receiver=protection.outlook.com; client-ip=18.9.28.11; helo=outgoing.mit.edu;
Received: from outgoing.mit.edu (18.9.28.11) by DM3NAM03FT020.mail.protection.outlook.com (10.152.82.193) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1643.13 via Frontend Transport; Mon, 4 Mar 2019 03:02:21 +0000
Received: from kduck.mit.edu (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x2432HS5008620 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sun, 3 Mar 2019 22:02:19 -0500
Date: Sun, 03 Mar 2019 21:02:17 -0600
From: Benjamin Kaduk <kaduk@mit.edu>
To: Neil Jenkins <neilj@fastmailteam.com>
CC: iesg <iesg@ietf.org>, draft-ietf-jmap-core@ietf.org, Bron Gondwana <brong@fastmailteam.com>, jmap-chairs@ietf.org, IETF JMAP Mailing List <jmap@ietf.org>
Message-ID: <20190304030216.GL53396@kduck.mit.edu>
References: <155072687005.20308.1288342758446844678.idtracker@ietfa.amsl.com> <ebf89939-bf68-4458-a24f-5a37090385fd@beta.fastmail.com> <20190301200956.GR53396@kduck.mit.edu> <65cb60cd-073b-401a-b2bb-8c1024833400@beta.fastmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <65cb60cd-073b-401a-b2bb-8c1024833400@beta.fastmail.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:18.9.28.11; IPV:CAL; SCL:-1; CTRY:US; EFV:NLI; SFV:NSPM; SFS:(10019020)(396003)(136003)(346002)(376002)(39860400002)(2980300002)(55674003)(189003)(199004)(956004)(486006)(33656002)(11346002)(7696005)(126002)(26005)(86362001)(786003)(6916009)(305945005)(2906002)(229853002)(6306002)(50466002)(106466001)(316002)(8936002)(478600001)(186003)(36906005)(93886005)(55016002)(47776003)(97756001)(246002)(336012)(88552002)(53416004)(16586007)(58126008)(476003)(446003)(76176011)(26826003)(426003)(6246003)(1076003)(46406003)(23726003)(75432002)(5660300002)(356004)(54906003)(14444005)(106002)(104016004)(4326008)(8676002); DIR:OUT; SFP:1102; SCL:1; SRVR:BN8PR01MB5602; H:outgoing.mit.edu; FPR:; SPF:Pass; LANG:en; PTR:outgoing-auth-1.mit.edu; MX:1; A:1;
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 4e5268d1-588d-4e41-eac4-08d6a04dd25c
X-Microsoft-Antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(4608103)(4709054)(2017052603328)(7153060); SRVR:BN8PR01MB5602;
X-MS-TrafficTypeDiagnostic: BN8PR01MB5602:
X-MS-Exchange-PUrlCount: 1
X-Microsoft-Exchange-Diagnostics: 1; BN8PR01MB5602; 20:fayowmEQRqxytVb3GA6YODby1ClgN8rJjWOXxYaE0o8bMSnCR6fmL3SCahlb9pU5ycHG8z+04swemC9Kqarz+mEBPUPhLg5AkzmBY6btwSO28oZsP/+0FCkRriqL8eIWF++JC1ZHYnsaA4hqd2KnbrxMxBUFlmnS54mROpLtidmfJ+r6DxssICS+985cq/Wfht/N7iB3ipeq/J1aD3XLJcFBlgu1eBrKaDcq08iBlR7zFO398uE8JX8ZHG4D5zmEVF9TI8YmRcq7udh3NyFjSAwu8seaHt8PLBqy/tuAmar7kdSDRoTQwcLxVR9elLxK4v0VvZFvTbWIgxmnONzQM6h4D3rMvar5kXdvzVicDJ+JuyTy8tgNo7ZU9SJFrtJnDaYkMr91fDSNuAF8/uMJu9KWQkUhl8Nm8yPX1o+MLrMTj+O4qJgi0WMLj98nLnA1+fiaWnu8yKA8p3mDE/qkUEzOB+Imk4yPpHczcXbXF1sBkP+zwPg3BsM1YrZ3Jdi9IYhmWXm823ZUydL5jbpv50pnbIbO3zjdeHhgQlWbSTLq6U7AoOEh+aQBEy/jl7bN0CO/yzzF3ksZVy8kxb5KTQFEfpE73+YyXoV1AFT6Y6I=
X-Microsoft-Antispam-PRVS: <BN8PR01MB56029E2062498E487C8AECE3A0710@BN8PR01MB5602.prod.exchangelabs.com>
X-Forefront-PRVS: 09669DB681
X-Microsoft-Exchange-Diagnostics: 1; BN8PR01MB5602; 23:wOXSalHt0e42yn6fuTW7jPPXJBLC7zjTWx0LyjOAZ+6/C3nyoRryw34GG/3xI8yVBH70c2iyHmDFYYVyqBMPZQsTO4M0n5sdILiUuYMlExVNLYOpuIUiKWOEhTradGyroVPnoETT8vAIedyNLbuqNIPrRo+cHoBGmCLWJhRqgYzaVOr5A3FNmTatVRi5jxPLtdlYjl6FgxWX8QSVBAVYiC4E2u31kB9/12Ys5CWLZjxv79fHSzfb6oVp29ffyBFBSTBMOm67EsPYL/hyN4PCM+Q/s4/7ut6rQYQVO2CMAXThGCIFKTJjdRA7ZI4VKEXugpJn9VuTCwycsysudi2lCHYYN+cfhaKZctcQYucD7GpKFJ5FTj/1/r1UDPr3vDDhUeQveJ383F7HE99uPnPEmV0TFd6+dA54SFmmH8poJxV/xNtDLfDZm/tb0JBE8PA9x1O+Yezmc42xPOR4MMO+nSbpxEU5pW83JYwy7A6WbFAsuCOJ3HTFVkKIsjGt2q1SidoQXzLP2lI1CFqsx2Mf2k+zqTNLFdAY6w38FWaABUzDwyWEDRrolqYaUcCDtynJ82osJRMf5JjMFlZY57d5S10Af/ak0TlYg8kewHGcGwyfO2Lv6c1XcVJkabimG2v/x9mfUzYWZhKxpfoIxIcDk1vjrzHR2jP2RaEkQJwLRF/UWKNGvTU+uSiIo588mVCoP8EM9o4VPVrZPRgZDG2lTMAraa/5SLSeQyIr+bL01jV/NKW9hsYSLLh5qrbkNE5x7RvfRrk+2/lK2gnHltwmRFd81MaF7yorZyyS9tUdi47appr15h5HZwIdQ7/ZPEyn+sv4ye3THtSPgZvrOeOjAN2TnjYk9vxiYlMaLJx0LaG/xa8xuWjKVCnRH3AsL7EOaNQoNnrCbjRhJ7TKebApvdBzS4yWSjL1aEwfEd8yF2Kzs6/XAU7vupzGpqUKP/RBahkk5+LsPn6rtpRJYKWDw0OK5lgh0SpkyGvY091tBciIOtTIfjsPpkrUbhjtiUV2He31bPQg9KpHCaqYBE+8fQoiD3m677QfCyxMVfKIWTuG4S5eZ9ALNEF9tl0zIRkPU0Llm+GQ63h7oFZzMCM+0nRE6rMq4Z94iQKVQxg0VZOcylscpAlg5GVaFqHG7N4YJO3MNuzfjPUplcjNZ+IyrI1sTjI9QxO464+vv8UXVhAEf+2FwdGKhTjTtW/Uyg2c2WQOYdWq9vRpsDM33OJvFRlUL3Kbf6g8UXE+w523Dj6AQQDQImipPxXohNiL9XC6
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Message-Info: +QWJBcczZrADWLhtpwkRUiwHRm4PEIYchw2cy8IrS5qpA2fPTIZWBhkod+CyEplQD/DsJ4z5esmjnz2otzkbUYzMB8xIz/WdqOTBhjq6mvry3Xk2Dswc+QiPNJNlT+setPot4uTUZd7DWngy5aCNcynWYaBW4TXAPxv+SYmODjc6tBX16xF5pntM8UZYCnmkiKUeQ2zi8KNOS27G5asJAWaiAQbRk0/AIrAsqX5CBuKYM8xcdDPFW3KugPdVk/wfsEItWnpUPHYEUsM0G8/n+YMkJkZDY5Mz2AhN1YZSlLwbOdEWuOiGd9ApTSGjQ3wD37c1tY/NS7vSzWQlN9fxtsfKj63Mop8uDWBbH+EwgNag4RT13h7y3m1f4QeKqwo4gnEdtUlKnMn1J1CS33F2f1RvmLYoWRegTY0Zspjv1tg=
X-OriginatorOrg: mit.edu
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 04 Mar 2019 03:02:21.6880 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 4e5268d1-588d-4e41-eac4-08d6a04dd25c
X-MS-Exchange-CrossTenant-Id: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=64afd9ba-0ecf-4acf-bc36-935f6235ba8b; Ip=[18.9.28.11]; Helo=[outgoing.mit.edu]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN8PR01MB5602
Archived-At: <https://mailarchive.ietf.org/arch/msg/jmap/Fg-QBxWJ4UCjTXvruqpNZayPYtc>
Subject: Re: [Jmap] Benjamin Kaduk's Discuss on draft-ietf-jmap-core-14: (with DISCUSS and COMMENT)
X-BeenThere: jmap@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: JSON Message Access Protocol <jmap.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jmap>, <mailto:jmap-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jmap/>
List-Post: <mailto:jmap@ietf.org>
List-Help: <mailto:jmap-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jmap>, <mailto:jmap-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Mar 2019 03:02:28 -0000

On Sun, Mar 03, 2019 at 09:52:33PM -0500, Neil Jenkins wrote:
> On Sat, 2 Mar 2019, at 07:10, Benjamin Kaduk wrote
> > So this adversarial scenario just would need to change "create/update" to
> > "create/update/delete" to be covered.
> 
> Agreed, I'll make this change.
> 
> > > It's stating that on the next resync, whether that be due to a future push for the same type, or the client making any /get or /set for that type and seeing the different state string returned, will result in the client coming fully up to date. Losing the push does not mean there is data the client will now no longer see.
> > 
> > Perhaps there is room for a little more clarity on what "it syncs" means
> > (i.e., full sync or just scoped to a specific data type). To be clear,
> > this is a fine design; I just want to be sure that we have clarity of
> > language in describing it.
> 
> OK, how about this:
> 
> *It doesn't matter if some push events are dropped before they reach the client; next time it gets/sets any records of a changed type it will discover the data has changed and still sync all changes.*

That works (modulo the nit of "the next time").

> > > There isn't one, because as far as I can see RFC8291 <https://tools.ietf.org/html/rfc8291> doesn't have one and that's what this is supporting. What do you suggest?
> > 
> > The pragmatic thing to do would be to note in the security considerations
> > that there is no algorithm agility for Web Push Encryption, and if agility
> > becomes needed in the future a spec update would likely be needed to
> > provide it.
> 
> Sure, happy to do that.

I've been informed in the meantime that the idea of the HTTP Encryption
coding folks, as specified in Section 2 of RFC 8188, is that you define a
new content-coding scheme (i.e., other than "aes128gcm") if you need a new
cipher.  So it probably wouldn't be too painful if we did need to slot a
new one of these in.

> > > > Also, when these expirations fire (e.g., for Basic Authentication
> > > > credentials), we need a normative requirement to actually destroy the
> > > > private credentials; there's a lot going on here so maybe I missed it,
> > > > but I don't think I saw one.
> > > 
> > > I think we already have this. The spec says:
> > > 
> > > *The push subscription is tied to the credentials used to authenticate the API request that created it. Should these credentials expire or be revoked, the push subscription MUST be destroyed by the JMAP server.*
> > > 
> > > Or were you referring to something else?
> > 
> > I was thinking that you need to clear out the memory/disk storage that hold
> > the credentials (e.g., password), as well as destroying the subscription
> > object. We don't want plaintext credentials floating around longer than
> > needed.
> 
> Which credentials are you referring to here? The push subscription doesn't contain any except I guess for the URL itself; I can note that this and the encryption keys MUST be securely erased from memory/storage immediately when the subscription is destroyed? If you're referring to the client's credentials, we're explicitly talking about when they've been expired or revoked, so are already useless.

I may have been confused about whether this was JMAP Client/JMAP Server or
JMAP Server/push server interactions.  That is, I was thinking about the
JMAP server clearing out any keys or credentials it had for the second sort
of interaction.  So I guess that translates to "when the subscription
expires, wipe your copy of the client-generated encryption keys", right?

Thanks,

Benjamin

v2.23.0 | Report a Bug | By Email