Re: [Last-Call] Opsdir last call review of draft-hodges-webauthn-registries-05

Mike Jones <Michael.Jones@microsoft.com> Wed, 13 May 2020 23:50 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Sarah Banks <sbanks@encrypted.net>, "ops-dir@ietf.org" <ops-dir@ietf.org>
CC: "last-call@ietf.org" <last-call@ietf.org>, "draft-hodges-webauthn-registries.all@ietf.org" <draft-hodges-webauthn-registries.all@ietf.org>, Benjamin Kaduk <kaduk@mit.edu>
Thread-Topic: Opsdir last call review of draft-hodges-webauthn-registries-05
Thread-Index: AdYpdiX7xfbyTuYJTUy0BVTgxASbRA==
Date: Wed, 13 May 2020 23:49:56 +0000
Message-ID: <MN2PR00MB068688A312E67FE92ABCDF68F5BF0@MN2PR00MB0686.namprd00.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/m-n4dbHhcI7XvmTK6kP7-4J8K58>

Thanks for the review, Sarah.  My replies are inline below, prefixed by "Mike>".

-----Original Message-----
From: Sarah Banks via Datatracker <noreply@ietf.org> 
Sent: Tuesday, April 28, 2020 10:42 AM
To: ops-dir@ietf.org
Cc: last-call@ietf.org; draft-hodges-webauthn-registries.all@ietf.org
Subject: Opsdir last call review of draft-hodges-webauthn-registries-05

Reviewer: Sarah Banks
Review result: Has Issues

Hello,
I too share the concerns the GENART reviewer does. In addition, a few things:

Mike> We've decided to delete the language about defining additional fields.  (This language was copied from RFC 8288 but we decided that it wasn't needed for the purposes of this specification.)

1. As a personal nit, I'm slightly annoyed as a reader that the draft defines the registries, but another doc has the default values. Just an FYI, and I realize this is a style choice.

Mike> The WebAuthn specification from which the initial values come, https://www.w3.org/TR/2019/REC-webauthn-1-20190304/, already defined these values.  As an editorial choice, we decided that it would be less error-prone to reference them there than to repeat them here.

2. In section 2.1, it states: "Each attestation statement format identifier added to this registry MUST be unique amongst the set of registered attestation statement format identifiers.", and that they are case sensitive. Did you really intend to allow a conceptual overload where a string of "string" and "STRING" would be allowed?

Mike> Fair question.  You'll also notice that the instructions to the designated experts include this text: "Extension identifiers may not match other registered names in a case-insensitive manner unless the Designated Experts determine that there is a compelling reason to allow an exception."  This is the same instruction text used by JOSE and OAuth RFCs, such as RFC 7515 and RFC 7519.

3. In a few spots it's written (see 2.2.2 for example): "As noted in Section 2.2.1, WebAuthn extension identifiers are registered using the Specification Required policy, implying review and approval by a designated expert." Implied doesn't seem to be normative. Given the follow-on text here, did you explicitly NOT want to make this a normative requirement?

Mike> I've deleted the "implied" text where it occurred.  RFC 8126 already requires expert review when the Specification Required policy is used, so we didn't need to repeat it here.

Mike> You can see proposed updated source for -06 at https://github.com/w3c/webauthn/pull/1415.

Thanks,
Sarah

Thanks again,
-- Mike
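As an added illustration of the uniqueness rules discussed in point 2 (not code from the draft, the WebAuthn project, or either correspondent), the check below separates the two cases the thread distinguishes: an exact, case-sensitive duplicate is always rejected, while an identifier that differs only in case is flagged for the Designated Experts, who may grant an exception. The registry contents are a constructed sample seeded with attestation statement format identifiers defined in WebAuthn Level 1.

```python
# Added example, not part of the draft or this review thread.
# Models the registry rules discussed above:
#   - exact (case-sensitive) match with a registered identifier: MUST be unique,
#     so the request is rejected outright;
#   - match only in a case-insensitive comparison: not allowed unless the
#     Designated Experts determine there is a compelling reason for an exception.

# Constructed sample registry, seeded with the attestation statement format
# identifiers defined in WebAuthn Level 1.
SAMPLE_REGISTRY = [
    "packed",
    "tpm",
    "android-key",
    "android-safetynet",
    "fido-u2f",
    "none",
]


def check_registration(candidate, registry=SAMPLE_REGISTRY, expert_exception=False):
    """Classify a requested identifier against the existing registry.

    Returns one of:
      "reject-duplicate"       exact, case-sensitive match; never allowed
      "reject-case-collision"  differs only in case and no expert exception given
      "accept-with-exception"  differs only in case, experts granted an exception
      "accept"                 no conflict with any registered identifier
    """
    if candidate in registry:
        return "reject-duplicate"

    # casefold() is the Unicode-aware form of lower() for comparisons.
    folded = candidate.casefold()
    collisions = [name for name in registry if name.casefold() == folded]
    if collisions:
        return "accept-with-exception" if expert_exception else "reject-case-collision"
    return "accept"


def register(candidate, registry, expert_exception=False):
    """Add the identifier only when the check accepts it; return (status, registry)."""
    status = check_registration(candidate, registry, expert_exception)
    if status.startswith("accept"):
        registry = registry + [candidate]
    return status, registry
```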