IETF Logo Mail Archive

Re: [mile] AD review of draft-ietf-mile-xmpp-grid-08

Peter Saint-Andre <stpeter@mozilla.com> Thu, 03 January 2019 18:38 UTC

Return-Path: <stpeter@mozilla.com>
X-Original-To: mile@ietfa.amsl.com
Delivered-To: mile@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EECC713124B for <mile@ietfa.amsl.com>; Thu, 3 Jan 2019 10:38:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mozilla.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sXD2mtlzCdGw for <mile@ietfa.amsl.com>; Thu, 3 Jan 2019 10:38:28 -0800 (PST)
Received: from mail-io1-xd42.google.com (mail-io1-xd42.google.com [IPv6:2607:f8b0:4864:20::d42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8CB4B130EFE for <mile@ietf.org>; Thu, 3 Jan 2019 10:38:28 -0800 (PST)
Received: by mail-io1-xd42.google.com with SMTP id f4so9501229ion.2 for <mile@ietf.org>; Thu, 03 Jan 2019 10:38:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mozilla.com; s=google; h=subject:to:references:from:openpgp:autocrypt:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=PmNEm5+ODqozt8WDxzHkZYOXtvNpDdn3ofIy54xwTn4=; b=ClgKGl+El/JSx9QbnSI3DT0rwR0M0TB+OV+r9X8YPoYWLStItY/Og8aFbHqGOgCyEX +o0wx2jMzrUbRIf+qIyxUhQspdF7ZtsC4+bXI4xe3Rv02ePKkg6XkZ7QlrDU+MbeA+uG KvTIn7y05/KhN7p46XGTGC/kRs4vChoIDa5JM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:openpgp:autocrypt :message-id:date:user-agent:mime-version:in-reply-to :content-language:content-transfer-encoding; bh=PmNEm5+ODqozt8WDxzHkZYOXtvNpDdn3ofIy54xwTn4=; b=XU817eIAr2wbTmMbwH9S40KwtKFvxqZwB18EIU9nRlaf9fTc0QrbFKmesxiMR84XJJ sU8ygd+ToWZ1TrgLuCbl9iWbIGiKOSIRtb48yginplk7KxTaI6hiZ57BtlyIoav3DG7m KkNVJC4PnWEhVHuRcWSFgRWe3Ce5cRxlslQEEH3D4a4vlPr1ZFEIyEeWF16VCv+E2kbT SoyDzxWoIcgh00EQ8RQGBfme1naFf9P+yCXVtovuZrLddoH7u8+PBkBHQMmeyou6XvMF eOGGFIrBIEofaWYXGB7/EiJct8VRGxstF29/dGEU1YOEqi9dGpMMYVZopTWi9JDxn9UP nDsQ==
X-Gm-Message-State: AJcUukfYca9y6BXIS4KWfQ/1RfnaFBPwPCsovVq857iZTcBE3qC4vjKo zyGoeocYeTCc+JVTPfNLJ0VQCw==
X-Google-Smtp-Source: ALg8bN6QVQBW23/6enUat8Wuhs/rnjB9urBKuRPyV0pGkaCnf0Qhl84MypSLuav9MfXyOuvM2s+WWA==
X-Received: by 2002:a6b:1d8:: with SMTP id 207mr34827854iob.62.1546540707779; Thu, 03 Jan 2019 10:38:27 -0800 (PST)
Received: from dragon.local ([76.25.3.152]) by smtp.gmail.com with ESMTPSA id a12sm20998074ita.17.2019.01.03.10.38.26 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 03 Jan 2019 10:38:27 -0800 (PST)
To: "Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com>, Alexey Melnikov <alexey.melnikov@isode.com>, "mile@ietf.org" <mile@ietf.org>
References: <63dc7282-3db0-08c0-64db-bc3280665048@isode.com> <325006F0-2786-46C0-BA93-BE253E538D25@cisco.com>
From: Peter Saint-Andre <stpeter@mozilla.com>
Openpgp: preference=signencrypt
Autocrypt: addr=stpeter@mozilla.com; prefer-encrypt=mutual; keydata= mQINBFonEf4BEADvZ+RGsJoOyZaw2rKedB9pBb2nNXVGgymNS9+FAL/9SsfcrKaGYSiWEz7P Lvc97hWH3LACFAHvnzoktv+4IWHjItvhdi9kUQ3Gcbahe55OcdZuSXXH3w5cHF0rKz9aYRpN jENqXM5dA8x4zIymJraqYvHlFsuuPB8rcRIV9SKsvcy14w9iRqu770NjXfE/aIsyRwwmTPiU FQ0fOSDPA/x2DLjed/GYHem90C5vF4Er9InMqH5KAMLnjIYZ9DbPx5c5EME4zW/d648HOvPB bm+roZs4JTHBhjlrTtzDDpMcxHq1e8YPvSdDLPvgFXDcTD4+ztkdO5rvDkbc61QFcLlidU8H 3KBiOVMA/5Rgl4lcWZzGfJBnwvSrKVPsxzpuCYDg01Y/7TH4AuVkv5Na6jKymJegjxEuJUNw CBzAhxOb0H9dXROkvxnRdYS9f0slcNDBrq/9h9dIBOqLhoIvhu+Bhz6L/NP5VunQWsEleGaO 3gxGh9PP/LMyjweDjPz74+7pbyOW0b5VnIDFcvCTJKP0sBJjRU/uqmQ25ckozuYrml0kqVGp EfxhSKVqCFoAS4Q7ux99yT4re2X1kmlHh3xntzmOaRpcZsS8mJEnVyhJZBMOhqE280m80ZbS CYghd2K0EIuRbexd+lfdjZ+t8ROMMdW5L51CJVigF0anyYTcAwARAQABtCdQZXRlciBTYWlu dC1BbmRyZSA8c3RwZXRlckBtb3ppbGxhLmNvbT6JAlQEEwEIAD4WIQQ1VSPTuPTvyWCdvvRl YYwYf2gUqQUCWicR/gIbIwUJCWYBgAULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAAKCRBlYYwY f2gUqdaREAChG8qU1853mP0sv2Mersns8TLG1ztgoKHvMXFlMUpNz6Oi6CjjaMNFhP7eUY4T D43+yQs7f4qCkOAPWuuqO8FbNWQ+yUoVkqF8NUrrVkZUlZ1VZBMQHNlaEwwu1CGoHsLoRohP SiZ0hpmGTWB3V6cDDK4KN6nl610WJbzE9LeKY1AxtePdJi2KM281U0Fz8ntij1jWu0gF2xU4 Sez46JDogHLWKgd0srauhcCVzZjAhiWrXp1+ryzSWYaZO8Kh8SnF1f4o6jtYikMqkxUaI5nX wvD3kNX4AMSkCAZfG7Jcfj/SLDojTcREgO87g7B9bcOOsHN4lj3lHoFV0aXpgPmjfIvAjJHu fHkXZAQAH8w0u9bgJqRn703+A4NPfLopnjegyhlNi7fQ3cMQV1H7Oj7WrB/pCcprx+1u/6Uq oTtDwWh1U5uVthVAI0QojpNWR08zABDX19TlGtVoeygaQV3CAEolxTiYQtCfVavUzUplCZ/t 3v4YiRov+NylflJd+1akyOs1IAgARf444BnoH1fotkpfXNOpp9wUXXwsQcFRdP7vpMkSCkc0 sxPNTVX3ei0QImp4NsrFdaep7LV3zEb3wkAp6KE5Qno4hVVEypULbvB0G6twNZbeRfcs2Rjp jnPb2fofvg2WhAKB20dnRfIfK8OKTD/P+JDcauJANjmekLkCDQRaJxH+ARAApPwkbOTChAQu jMvteb/xcwuL5JZElmLxIqvJhqybV7JknM+3ATyN0CTYQFvPTgIrhpk4zSn0A6pEePdK8mKK 5/aHyd7pr7rLEi1sI/X3UE8ld/E83MExksKrYbs0UX1wSQwYXU6g64KicnuP2Abqg+8wrQ18 1nPcZci9jJI75XVPnTdUpZD5aaQWGp7IJ06NTbiOk30I50ORfulgKoe4m3UfsMALFxIx3pJk oy76xC2tjxYGf+4Uq1M0iK3Wy655GrcwXq/5ieODNUcAZzvK5hsUVRodBq0Lq3g1ivQF4ba7 RQayDzlW6XgoeU49xnCr9XdZYnTnj4iaPmr2NtY6AacBwRz+bJsyugeSyGgHsnVGyUSMk8YN wZHvUykMjH21LLzIUX5NFlcumLUXDOECELCJwewui4W81sI5Sq/WDJet+iJwwylUX22TSulG VwDS+j66TLZpk1hEwPanGLwFBSosafqSNBMDVWegKWvZZVyoNHIaaQbrTIoAwuAGvdVncSQz ttC6KkaFlAtlZt3+eUFWlMUOQ9jxQKTWymyliWKrx+S6O1cr4hwVRbg7RQkpfA8E2Loa13oO vRSQy/M2YBRZzRecTKY6nslJo6FWTftpGO7cNcvbmQ6I++5cBG1B1eNy2RFGJUzGh1vlYo51 pdfSg0U1oPHBPCHNvPYCJ7UAEQEAAYkCPAQYAQgAJhYhBDVVI9O49O/JYJ2+9GVhjBh/aBSp BQJaJxH+AhsMBQkJZgGAAAoJEGVhjBh/aBSpAw0P/1tEcEaZUO1uLenNtqysi3mQ6qAHYALR Df3p2z/RBKRVx0DJlzDfDvJ2R/GRwoo+vyCviecuG2RNKmJbf1vSm/QTtbQMUjwut9mx6KCY CyKwniqdhaMBmjCfV2DB2MxxZLYMtDfx/2mY7vzAci7AkjC+RkSUByMEOkyscUydKC/ETdf9 tvI8GhTY/8Q7JSylS3lQA5pMUHiIf+KpSmqKZeBPkGc7nSKM1w1UKUvFAsyyVsiG6A/hWrTr 7tTQAl7YfjtOGE8n4IKGktvrT99bbh9wdWKZ5FdHUN9hx2Q8VP8+0lR1CH2laVFbEwCOv1vM W4cgQDLxwwpo1iOTdHBVtQDxlQ9hPMKVlB1KP9KjchxuiLc24wLmCjP3pDMml4LQxOYB34Eq cgPZ3uHvJZG309sb2wTMTWaXobWNI++ZrsRD5GTmuzF3kkx3krtrq6HI5NSaemxK6MTDTjDN Rj/OwTl0yU35eJXuuryB20GFOSUsxiw00I2hMGQ1Cy9L/+IW6Dvotd8O3LmKh2tFArzXaKLx /rZyGNurS/Go5YjHp8wdJOs7Ka2p1U31js24PMWO6hf6hIiY2WRUsnE6xZNhvBTgKOY6u0KT V6hTevFqEw7OAZDCWUoE2Ob2/oHGZCCMW5SLAMgp7eihF0kGf2S2CmpIFYXGb61hAD8SqSY7 Fn7V
Message-ID: <5df4fbed-6961-946d-2024-dc10209aaab6@mozilla.com>
Date: Thu, 03 Jan 2019 11:38:26 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.4.0
MIME-Version: 1.0
In-Reply-To: <325006F0-2786-46C0-BA93-BE253E538D25@cisco.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/mile/Bs7P4v-ZOeUaQFCEzPWBT8FSWqA>
Subject: Re: [mile] AD review of draft-ietf-mile-xmpp-grid-08
X-BeenThere: mile@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Managed Incident Lightweight Exchange, IODEF extensions and RID exchanges" <mile.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mile>, <mailto:mile-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mile/>
List-Post: <mailto:mile@ietf.org>
List-Help: <mailto:mile-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mile>, <mailto:mile-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Jan 2019 18:38:31 -0000

Thanks, Nancy, that all looks good to me.

On 12/29/18 7:28 PM, Nancy Cam-Winget (ncamwing) wrote:
> Hi Alexey,
> Thank you for your careful review (and Happy Holidays!).  Please see comments below (and the updates have been made to now version -09 draft
> https://datatracker.ietf.org/doc/draft-ietf-mile-xmpp-grid/):
> 
> 
> On 12/6/18, 04:21, "mile on behalf of Alexey Melnikov" <mile-bounces@ietf.org on behalf of alexey.melnikov@isode.com> wrote:
> 
>     Hi,
>     
>     This document reads well and I am grateful for the extensive Security 
>     Considerations section!
>     
>     Some specific comments, most of which are nits/minor things:
>     
>     The following references need to be Normative, as they describe 
>     documents that need to be read and understood in order to implement 
>     various requirements specified in this draft:
>     
>       [XEP-0060]
>     
>       [XEP-0030] (used in a SHOULD)
>     
>       [XEP-0004] (used in a SHOULD)
> [NCW] Updated in version -09
>     
>     
>     The following need to have References:
>     
>     SASL EXTERNAL - Normative reference to RFC 4422
>     
>     DHCP - Informative reference
> [NCW] Updated in version -09
>     
>     
>     8.2.1.  Network Attacks
>     
>         A variety of attacks can be mounted using the network.  For the
>         purposes of this subsection the phrase "network traffic" can be taken
>         to mean messages and/or parts of messages.  Any of these attacks can
>         be mounted by network elements, by parties who control network
>         elements, and (in many cases) by parties who control network-attached
>         devices.
>     
>         o  Network traffic can be passively monitored to glean information
>            from any unencrypted traffic
>     
>       [snip]
>     
>         o  A "Man In The Middle" (MITM) attack can be mounted where an
>            attacker interposes itself between two communicating parties and
>            poses as the other end to either party or impersonates the other
>            end to either or both parties
>     
>         o  Resist attacks (including denial of service and other attacks from
>            XMPP-Grid Platforms)
>     
>     This seems out of place or not worded quite right. All other items 
>     describe various attacks. What exactly does this item mean?
> [NCW] It was meant to be a general statement that other attacks could be there, but as you note,
> It seemed out of place and didn't really add to the considerations so I've removed it.
>     
>         o  Undesired network traffic can be sent in an effort to overload an
>            architectural component, thus mounting a denial of service attack
>     
>     
>     8.3.6.  Securing the Certification Authority
>     
>         As noted above, compromise of a Certification Authority (CA) trusted
>         to issue certificates for the XMPP-Grid Controller and/or XMPP-Grid
>         Platforms is a major security breach.  Many guidelines for proper CA
>         security have been developed: the CA/Browser Forum's Baseline
>         Requirements, the AICPA/CICA Trust Service Principles, etc. The CA
>         operator and relying parties should agree on an appropriately
>         rigorous security practices to be used.
>     
>         Even with the most rigorous security practices, a CA can be
>         compromised.
>     
>     I think it might be good to reference Certificate Transparency WG work 
>     here (informatively), see <https://datatracker.ietf.org/wg/trans/documents/
> [NCW] As I was trying to figure out how to work it in, I added a reference to RFC6962
> (the base draft from the trans WG) as another guideline....hopefully that satisfies your request?
>     
>     Best Regards,
>     
>     Alexey
>     
>     
>     
>     _______________________________________________
>     mile mailing list
>     mile@ietf.org
>     https://www.ietf.org/mailman/listinfo/mile
>     
> 
> _______________________________________________
> mile mailing list
> mile@ietf.org
> https://www.ietf.org/mailman/listinfo/mile
>

v2.23.0 | Report a Bug | By Email