Re: [kitten] AD review of draft-ietf-kitten-krb-spake-preauth-06

[Benjamin Kaduk <kaduk@mit.edu>]

On Wed, Apr 29, 2020 at 01:50:47PM -0400, Robbie Harwood wrote:
> Benjamin Kaduk <kaduk@mit.edu> writes:
> 
> > On Tue, Apr 28, 2020 at 07:53:31PM -0400, Robbie Harwood wrote:
> >> Greg Hudson <ghudson@mit.edu> writes:
> >> 
> >>> Ben sent feedback on the SPAKE preauth draft a little over a year
> >>> ago.  I deferred acting on the smaller feedback items at the time,
> >>> while observing the CFRG's progress on PAKE algorithms.
> >>>
> >>> The CFRG has selected CPace over SPAKE2 for a balanced PAKE.  As
> >>> such I doubt there will be a need for a CFRG SPAKE2 document.  At
> >>> this time I don't think there would be sufficient interest in
> >>> retooling the Kerberos preauth mechanism for CPace, or making
> >>> breaking changes.  I have prepared changes to
> >>> draft-ietf-kitten-krb-spake-preauth to drop its dependency on
> >>> draft-irtf-cfrg-spake2, instead referring informatively to the
> >>> Abdalla/Pointcheval paper and describing the group operations
> >>> explicitly.
> >>>
> >>> These changes, as well as updates addressing the smaller feedback
> >>> items, are at
> >>> https://github.com/greghudson/ietf/commit/6ecf1b9dfacc804692d858c726888855a512b8b7
> >>> .  I will update the draft unless it seems like there isn't WG
> >>> consensus on this direction.
> >> 
> >> Appreciate you being proactive about picking up work on SPAKE again.
> >> 
> >>> Some responses to a few of the smaller feedback items:
> >>>
> >>> On 4/4/19 7:58 PM, Benjamin Kaduk wrote:
> >>>>
> >>>> In addition to potentially allocating a new value for the RFC
> >>>> version of this spec, we probably also want to say a bit more about
> >>>> the registration procedures.  Should requestors send the request
> >>>> directly to the list, or to IANA first and IANA sends to the list?
> >>>> Is the list publicly archived (and can anyone sign up as a member)?
> >>>
> >>> I'm a little lost here.  The mailing list was Nathaniel's idea and I
> >>> am not attached to it.  There are hundreds of IANA registries; it
> >>> seems like we should be picking from a few best practices for update
> >>> procedures rather than breaking ground.
> >> 
> >> CCing Nathaniel - anything to add?
> >> 
> >> I accept some of the blame for this - I think I wrote the language -
> >> but the mailing list was Nathaniel's request.  I believe I modeled
> >> what it specifies after RFC 7517 (there's no particular reason for
> >> that one, just what we happened to be working on at the time).
> >> 
> >> Is it normal for requests to be sent to IANA at all when Designated
> >> Experts are used?  Is the mailing list registration normally
> >> specified in this fashion?  I can't find anything in RFC 8126 about
> >> it, but I'm happy to make changes / accept changes to this document
> >> regardless.
> >
> > I think that the mailing list thing gained traction with a group of
> > folks in the OAuth community and expanded through to JOSE+JWT and then
> > the IoT analogues (COSE+CWT), at which point it was large enough that
> > other unrelated groups started picking up on it (including TLS).
> > There's nothing that requires having a mailing list, though it does
> > give the community some visibility into the workings of the DE review
> > process (as well as, depending on list permissions, a way to get
> > notified about pending allocations).
> >
> > That said, the default behavior you get for a registry if you don't
> > say otherwise, is that IANA is the first point of contact.  That is,
> > you ask IANA to allocate a value (usually via a webform), and behind
> > the scenes IANA goes off and talks to the Experts, before acting on
> > the decision of the Experts.  Sometimes IANA has to relay questions
> > and answers back and forth and it feels a bit silly, but that's the
> > way it's historically been done.
> >
> > As a couple examples, RFC 7519 (JWT) creates jwt-reg-review@ietf.org,
> > and https://datatracker.ietf.org/list/nonwg lists a few more.  I don't
> > think there is a perfect example yet of what text to use in the RFC
> > when using this sort of review process, though -- the examples that
> > come to mind still leave some ambiguity about what requestors and IANA
> > are supposed to do.
> 
> Thanks, that's helpful background.
> 
> Ben, how would you feel about changing the language to read something
> like:

That seems fine to me.  I care approximately zero about the details of the
procedure, and just want it to be clear to everyone (especially the experts
and IANA) what the procedure is.

-Ben

>     Registry entries are to be evaluated using the Specification
>     Required method.  All specifications must be be published prior to
>     entry inclusion in the registry.  Once published, they can be
>     submitted directly to the krb5-spake-review@ietf.org mailing list,
>     where there will be a three-week long review period by Designated
>     Experts.
> 
>     Prior to the end of the review period, the Designated Experts must
>     approve or deny the request.  This decision is conveyed to both IANA
>     and the submitter.  Since the mailing list archives are not public,
>     it should include both a reasonably detailed explanation in the case
>     of a denial as well as whether the request can be resubmitted.
> 
> (I'm not particularly attached to the mechanics of this.  My concerns
> are first requiring that a specification exists, and second that it be
> checked for reasonableness without being too arduous for submitters.)
> 
> Thanks,
> --Robbie