Re: [mile] Working group last call for XMPP-grid
"Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com> Thu, 27 April 2017 17:28 UTC
Return-Path: <ncamwing@cisco.com>
X-Original-To: mile@ietfa.amsl.com
Delivered-To: mile@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C66B129494 for <mile@ietfa.amsl.com>; Thu, 27 Apr 2017 10:28:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.521
X-Spam-Level:
X-Spam-Status: No, score=-14.521 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IaFVBxOMesX8 for <mile@ietfa.amsl.com>; Thu, 27 Apr 2017 10:28:37 -0700 (PDT)
Received: from alln-iport-2.cisco.com (alln-iport-2.cisco.com [173.37.142.89]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 280B1129B44 for <mile@ietf.org>; Thu, 27 Apr 2017 10:25:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=59140; q=dns/txt; s=iport; t=1493313924; x=1494523524; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=2LRXhy0znLaIZ7zE4pQADNK8LwGNdMDDMKoCuUdkgcQ=; b=D0wJ6aZiihmcKz4uOugaLjYL9lhF85cHgYyNMWa2O8WO1QJL2aQisv/E zmjCnAAZLPFHubSEmKD6HxjIHViEE5bPFeWwY+92ytNAK0uTzw932ordF 1qbnDqIuIvQ2xAYoX7u3qrgxqFGj8Qstu++4H4Q03p3lClQvRlGNeiZIS 4=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0B0AQDoKAJZ/5JdJa1cGQEBAQEBAQEBAQEBBwEBAQEBgm48K2GBDAeDYYoYkUqVbIIMAyEBCoV4AhqECT8YAQIBAQEBAQEBayiFFQEBAQEDAQEbBgo+AxcEAgEGAhEBAgEBAQ0UAQYDAgICJQsUAwYIAQEEARKKHAEOj12dYYImK4pZAQEBAQEBAQEBAQEBAQEBAQEBAQEBGAWEQ4NvK4JvhHYJFoJQgl8FkA+GQ4Z+AYcYi3OCAoU3iiWUJgEfOIEKbxVEEgGEXhyBY3UBhlErgQMBgQwBAQE
X-IronPort-AV: E=Sophos;i="5.37,384,1488844800"; d="scan'208,217";a="413725836"
Received: from rcdn-core-10.cisco.com ([173.37.93.146]) by alln-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 27 Apr 2017 17:25:22 +0000
Received: from XCH-RTP-010.cisco.com (xch-rtp-010.cisco.com [64.101.220.150]) by rcdn-core-10.cisco.com (8.14.5/8.14.5) with ESMTP id v3RHPMd8002904 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 27 Apr 2017 17:25:22 GMT
Received: from xch-rtp-015.cisco.com (64.101.220.155) by XCH-RTP-010.cisco.com (64.101.220.150) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Thu, 27 Apr 2017 13:25:21 -0400
Received: from xch-rtp-015.cisco.com ([64.101.220.155]) by XCH-RTP-015.cisco.com ([64.101.220.155]) with mapi id 15.00.1210.000; Thu, 27 Apr 2017 13:25:21 -0400
From: "Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com>
To: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>, Takeshi Takahashi <takeshi_takahashi@nict.go.jp>, "mile@ietf.org" <mile@ietf.org>
Thread-Topic: [mile] Working group last call for XMPP-grid
Thread-Index: AdKp0cx73PIO71MiRLmhQ3n63vW2uAIOpaBQA1Vsi4A=
Date: Thu, 27 Apr 2017 17:25:21 +0000
Message-ID: <9E6495CE-DE8C-4FF5-89B7-1474097150DD@cisco.com>
References: <000901d2a9d1$eaff3ae0$c0fdb0a0$@nict.go.jp> <ff6fa23946aa42ddb69af2f009aa8928@XCH-ALN-010.cisco.com>
In-Reply-To: <ff6fa23946aa42ddb69af2f009aa8928@XCH-ALN-010.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.1a.0.160910
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [171.68.122.30]
Content-Type: multipart/alternative; boundary="_000_9E6495CEDE8C4FF589B71474097150DDciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/mile/8Ntx2ordanbAA4EJWfAFppz0NtE>
Subject: Re: [mile] Working group last call for XMPP-grid
X-BeenThere: mile@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Managed Incident Lightweight Exchange, IODEF extensions and RID exchanges" <mile.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mile>, <mailto:mile-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mile/>
List-Post: <mailto:mile@ietf.org>
List-Help: <mailto:mile-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mile>, <mailto:mile-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Apr 2017 17:28:40 -0000
Hi Panos, Many thanks for the review!! Comments and answers below: From: Panos Kampanakis <pkampana@cisco.com> Date: Friday, April 14, 2017 at 1:12 PM To: Takeshi Takahashi <takeshi_takahashi@nict.go.jp>, "mile@ietf.org" <mile@ietf.org>, "ncamwing@cisco.com" <ncamwing@cisco.com> Subject: RE: [mile] Working group last call for XMPP-grid Hello Nancy and team, I hadn’t gone through the doc before because of my lack of knowledge of XMPP-Grid. I just went through it as a non-XMPP-Grid expert. Below I have some comments and nits. I think the comments below would generated some significant changes to the doc, so it might not be ready for WGLC yet. · Nit: Add space in "[RFC6120]that" · [NCW] Will fix in next revision · · Nit: "and among network platforms, endpoints, and most any network connected device." Needs rephrasing. · [NCW] Will rephrase to: “among any network connected device” · · Section 1.4 should address RID vs ROLIE vs XMPP-Grid. We have now defined 3 transports for IODEF documents, so I think it would be beneficial to qualify where each one fits. · [NCW] I am not sure the comparison makes sense to have inside the XMPP-Grid spec, though your point is well taken. We can add applicability for when XMPP-Grid makes sense to use within the XMPP-Grid draft; and if the group warrants it, we can have a separate writeup that explains the differences between the three transports (at some point Kathleen had a wiki but not sure its up anymore?) and where/how each applies. · · Change all references of [RFC5070] to IODEF-bis [RFC7970]. · NCW] Will fix in next revision · · In Section 3, I think it would be worth to expand on the IODEF-bis attributes that could serve as filters. Also how Topics and Subtopics would be defined in the context of IODEF. Would there be any rules in searching for attributes that deep in IODEF classes like nodeRole attributes? · [NCW] The XMPP Pub/Sub or Query mechanisms allow for filtering on any attributes, do you have some to suggest from IODEF? We will rework the draft to show the applicability and definition of sharing IODEF as a Topic, as to the subtopics, I would think that it could depend on the publisher of the information as they code potentially define subtopics based on the Assessment impact vs. nodeRole or some other class type as well? · · Nit: There is an empty parent bullet over “Real-time event notifications through publish and subscribe.” · [NCW] I will sort out the formatting issues in the XML file, thanks for catching this one. · · I think section 2.6 should be in an appendix since it is mostly showcasing example xml form. · [NCW] Will consider moving it as we restructure the draft. · · In section 5.1.4, “Protect the confidentiality of the CA's private key” is inaccurate. The CA signs the public key but does not know the private key that corresponds to that public key. · That is correct; but the bullet refers to the CA protecting itself and thus protecting its own (CA) private key as it uses it to validate the issued certs. · · In section 5.1.4, it is not clear what “Issue certificates that go beyond name constraints or other constraints imposed by a relying party or a cross-certificate” means. · [NCW] We meant that the CA is only authorized to issue certs to secure the XMPP (XMPP-Grid) connections and thus should not be trusted to issue other types of certs. So we can just change it to one sentence (vs. the single bullet) to state: “The CA is not expected (trusted) to issue certificates beyond the constraints imposed by a relying party.” · · In section 5.2.2, could sharing info with other nodes be one more threat for the compromised XMPP-Node? · [NCW] Yes, the intent for the bullets was to cite some such examples. Do you have suggestions for improvement if it isn’t clear? · · Section 5.3.1 mentions that both mutual cert auth or HTTP Basic are acceptable, but section 2.4.1 only requires mutual cert auth. Are certs the only ones mandated? · [NCW] Yes, our implementation only uses x.509 certificates, but as XMPP uses SASL for authentication, other mechanisms can be used. So, I think its appropriate to add the guidance of SHOULD use certs for best security practices (vs. passwords or shared secrets). · · In section 5.3.1 s/certificate-based authentication SHOULD each verify the revocation status of the other party/certificate-based authentication SHOULD each verify the revocation status of the other party’s certificate · [NCW] Thanks, will do. · · 5.3.1 does not define ARC and SSRC · [NCW] Thanks, will do. · · 5.3.2 and 5.3.3 does not define TNC. · [NCW] Thanks, will do. A clarification question for my benefit: Is this draft intended to standardize XMPP-Grid and demonstrate its applicability in IODEF and other info sharing standards. Even though IODEF is one of the shared standards, the draft mostly focuses on setting the XMPP-Grid protocol and architecture up. I was curious if SACM had considered the draft back in the day as it is dealing with more broad set of info sharing standards instead of MILE whose charter was focusing on IODEF mostly. No worries, since it already is a MILE WG item anyway. NCW] Yes, the Intent is to standardize XMPP-Grid and show its applicability into IODEF (though we also state that other info sharing models can be used). The intent, which we’ll strengthen is to show how IODEF is transported thru XMPP-Grid Rgs, Panos -----Original Message----- From: mile [mailto:mile-bounces@ietf.org] On Behalf Of Takeshi Takahashi Sent: Thursday, March 30, 2017 11:50 PM To: mile@ietf.org Subject: [mile] Working group last call for XMPP-grid Hello all, This is a WGLC for draft-ietf-mile-xmpp-grid. The version to be reviewed is https://tools.ietf.org/id/draft-ietf-mile-xmpp-grid-02.txt We will have 1 month for this call. Please provide comments before May 1st and provide your support and/ or raise any issue you feel are yet to be addressed. Thank you. Take _______________________________________________ mile mailing list mile@ietf.org<mailto:mile@ietf.org> https://www.ietf.org/mailman/listinfo/mile
- Re: [mile] Working group last call for XMPP-grid Panos Kampanakis (pkampana)
- Re: [mile] Working group last call for XMPP-grid Dave Cridland
- Re: [mile] Working group last call for XMPP-grid Adam Montville
- Re: [mile] Working group last call for XMPP-grid Peter Saint-Andre
- Re: [mile] Working group last call for XMPP-grid Dave Cridland
- Re: [mile] Working group last call for XMPP-grid Nancy Cam-Winget (ncamwing)
- Re: [mile] Working group last call for XMPP-grid Nancy Cam-Winget (ncamwing)
- Re: [mile] Working group last call for XMPP-grid Nancy Cam-Winget (ncamwing)
- Re: [mile] Working group last call for XMPP-grid Henk Birkholz
- [mile] Working group last call for XMPP-grid Takeshi Takahashi