Re: [mile] Artart last call review of draft-ietf-mile-rolie-10
Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Thu, 19 October 2017 18:24 UTC
Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: mile@ietfa.amsl.com
Delivered-To: mile@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38D74126E64; Thu, 19 Oct 2017 11:24:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SBPFoSBeHvLa; Thu, 19 Oct 2017 11:24:27 -0700 (PDT)
Received: from mail-pf0-x233.google.com (mail-pf0-x233.google.com [IPv6:2607:f8b0:400e:c00::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 87DD313239C; Thu, 19 Oct 2017 11:24:27 -0700 (PDT)
Received: by mail-pf0-x233.google.com with SMTP id b79so7182082pfk.5; Thu, 19 Oct 2017 11:24:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=8FMJEfQF3D2VS/7FWYGlnxy9CLNrGEEYEdarXOebSHI=; b=sHdXdULqmnLYejY4pv2dj2/vFqjExisWdFatP396r8duvh6ysNOSAHz+OTsAjqAIoj sos1s4MLrGwUyQCH1K/2blx7IWkGGk2bML2chE3qXtEwEAeioKXzSXQf1Nu1W/pXTFcG 6lqgp6gORRKosOcLhexTghZY4ZhoE2uqKSfN6ZbzM3yWneRGRObXlPWNyPRcJk7j3JJ6 yiVXlPqYTDcyJAT5Y5if/Y4qzl2QpyX/gZDUb5NBZNhFyVf+Uo5CUVQp3VHK2PByvmWK yz5kFCPswKr+x7NCDDn5dlRMgV7r7OXt/0A1BzBwabymvzZPON9gVk27WL6DstVdeFUx KoOg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=8FMJEfQF3D2VS/7FWYGlnxy9CLNrGEEYEdarXOebSHI=; b=rq3feQqfJqQVEfCnS7oBrS+ESqU8+JftbL2vB9LciGgSrhWJ+bQuiFLtQZlaKtieCR UANkQjjJ+h97rBAm5vxtzSucvxBt/iedlPOyYXyZAmTRUofTrEQFXZnX0aCAsbon0882 inLiJbS8gGOciU53x1KawaRwSyL3smZJyXG/xOJOQTro8yjNgX8F11Qx9HUIowOXEmTV 5APhwUqFa/W7Jm5OU+8NoTR6h3tOyrhJi2nusTlFjCo0X8J0zsyXg9mHZN8t3usiBkq/ vtEycnFF0qlNnCwb7XB6/UmGggZgORH9WU3R7UeN0GF6jQ3Ks3Qj8aOV0Qg1zC8MtpZp o9jA==
X-Gm-Message-State: AMCzsaX+4abZEdjPRrA3jQP0+Df37AqtZBw16lvPKXEP9S6Dr6MfiZtm dPKeiAH5XrgpHFlFbE0y3DR6kX/BFNnDenjqC68=
X-Google-Smtp-Source: ABhQp+QqmihL8v78BaxXLKdgltFAAlKsLdlUPfc/WxGkEgEfInkW0X5/ZNtBg1jzf83KnT3D952B9ADuD4v+lJZNHms=
X-Received: by 10.101.83.12 with SMTP id m12mr2039708pgq.153.1508437467007; Thu, 19 Oct 2017 11:24:27 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.186.194 with HTTP; Thu, 19 Oct 2017 11:23:46 -0700 (PDT)
In-Reply-To: <DM5PR09MB130725DB7415E73FF1868369F0420@DM5PR09MB1307.namprd09.prod.outlook.com>
References: <150752570618.18384.5615358468704377459@ietfa.amsl.com> <DM5PR09MB13070FC0B54EB6DB8C707EE7F0420@DM5PR09MB1307.namprd09.prod.outlook.com> <CAHbuEH5PMrNLTbpxru=ks-JwcpzG3hABb39itZAWK+WQtr48eA@mail.gmail.com> <DM5PR09MB130725DB7415E73FF1868369F0420@DM5PR09MB1307.namprd09.prod.outlook.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Thu, 19 Oct 2017 14:23:46 -0400
Message-ID: <CAHbuEH4fUo56Q6fKtV6nXRvP80TK+zknrR6edMiTiaGjqmLBgA@mail.gmail.com>
To: "Banghart, Stephen A. (Fed)" <stephen.banghart@nist.gov>
Cc: "mile@ietf.org" <mile@ietf.org>, "draft-ietf-mile-rolie.all@ietf.org" <draft-ietf-mile-rolie.all@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mile/IrEjsB88XNHj94qM4iJZjvZSwFo>
Subject: Re: [mile] Artart last call review of draft-ietf-mile-rolie-10
X-BeenThere: mile@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Managed Incident Lightweight Exchange, IODEF extensions and RID exchanges" <mile.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mile>, <mailto:mile-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mile/>
List-Post: <mailto:mile@ietf.org>
List-Help: <mailto:mile-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mile>, <mailto:mile-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Oct 2017 18:24:29 -0000
Hi Stephen, On Thu, Oct 19, 2017 at 1:39 PM, Banghart, Stephen A. (Fed) <stephen.banghart@nist.gov> wrote: > Kathleen, > > Just to clarify, there were no normative changes to the use of TLS 1.3 or TLS 1.2 in this -11 update. The latter three paragraphs were truncated as it was duplicated text out of RFC 7525 and RFC 7589. > > The normative requirements for TLS remain as follows: > > A "MUST" for implementing TLS 1.2 with a "SHOULD" for following the BCPs as described in RFC 7525 > A "RECOMMENDED" for implementing the most recent version of TLS (At the moment, TLS 1.3) also being supported. > > The non-normative recommendation that 0-RTT be disabled remains unchanged. When you mention that "waiting may be worth having the normative language" are you referring to this recommendation or another requirement? I should have looked back at the draft. I thought you had a normative statement for 0-RTT and that it had changed from the phrasing in your email. If nothing of substance changed, then we're fine. Thanks, Kathleen > > Thanks, > Stephen > >> -----Original Message----- >> From: Kathleen Moriarty [mailto:kathleen.moriarty.ietf@gmail.com] >> Sent: Thursday, October 19, 2017 1:17 PM >> To: Banghart, Stephen A. (Fed) <stephen.banghart@nist.gov> >> Cc: Martin Thomson <martin.thomson@gmail.com>; mile@ietf.org; draft- >> ietf-mile-rolie.all@ietf.org >> Subject: Re: [mile] Artart last call review of draft-ietf-mile-rolie-10 >> >> Hi Stephen, >> >> On Thu, Oct 19, 2017 at 12:24 PM, Banghart, Stephen A. (Fed) >> <stephen.banghart@nist.gov> wrote: >> > Martin, >> > >> > I've put the rest of my comments inline, and uploaded a -11 version of >> ROLIE to the Github with the changes. Providing there are no additional >> major comments I'll post this version to datatracker today. >> > >> > Thanks again for the great review, >> > Stephen >> > >> >> -----Original Message----- >> >> From: mile [mailto:mile-bounces@ietf.org] On Behalf Of Martin Thomson >> >> Sent: Monday, October 09, 2017 1:08 AM >> >> To: art@ietf.org >> >> Cc: mile@ietf.org; ietf@ietf.org; draft-ietf-mile-rolie.all@ietf.org >> >> Subject: [mile] Artart last call review of draft-ietf-mile-rolie-10 >> >> >> >> Reviewer: Martin Thomson >> >> Review result: Almost Ready >> >> >> >> I have reviewed this document, and - despite what appears to be a >> >> lengthy list of issues - I think that it is in pretty good shape. >> >> It's clear, readable, and addresses the requirements well. Most of >> >> my comments should be trivial to resolve. >> >> >> >> Major: >> >> >> >> The decision to define a .well-known URI without a discovery story is >> >> - in my opinion - inadvisable. Such a registration is usually >> >> appropriate if you design a protocol that depends on discovery by >> >> hostname and port. As such, this does not use that at all. A >> >> configuration system can (and should) accept a complete URI for the >> >> service endpoint. It would be better to defer creation of yet >> >> another .well-known URI registration until the working group is certain >> that discovery requires it. >> > >> > Discussed in a separate thread. >> > >> >> The same comment applies to the .well-known resource for the category >> >> document. >> >> Given that this sort of document is readily discoverable via the >> >> service document, I would say that the need for a .well-known >> >> resource is less well- justified than the service document. >> > >> > We agree, removed the registration for the category document location. >> > >> >> The requirements in Section 5.3 on TLS use are unnecessarily strict. >> >> It's great to recommend the use of TLS 1.2, but given that the >> >> document has no real requirement on any particular version of TLS, >> >> the use of "MUST" here is not needed. Similarly, the prohibition on >> >> the use of 0-RTT is groundless. The lengthy list of requirements >> >> around certificate validation only risk creating a conflict with >> >> advice in other RFCs. Many, if not all, of these requirements are >> >> transitively included by way of referencing HTTPS documents. I would >> prefer to see this entire section reduced to a simple RFC 7525 reference. >> > >> > The majority of the section has been reduced to a RFC 7525 reference. We >> believe that the benefits provided by 0-RTT don't outweigh the loss of >> forward secrecy. The text currently places this as a suggestion from the >> authors, and not a normative requirement. >> >> This is a substantial change as a result of just one reviewer. The only thing >> the MUST does is hold up final publication until an RFC # is assigned for TLS >> 1.3. TLS 1.3 shouldn't be too far off, so waiting may be worth having the >> normative language. I think this is one the WG needs to weigh in on to >> change and tradeoffs of waiting for final publication. It's not just the editors >> that recommend this, I do as am sure others do as well. >> >> Best regards, >> Kathleen >> > >> >> User authentication is under-specified. >> > >> > As any repository using user authentication is already inherently pre- >> communicating with its consumers, we felt that underspecifying >> authentication mechanisms allowed for each sharing consortium to control >> their own repositories. Whatever system they are using already for >> internal/external sharing authentication can be used here as long as it meets >> the ROLIE requirements. >> > >> >> * Section 5.3 mandates the use of TLS cipher suites that support >> >> client authentication using certificates, but offers no further >> >> advice. Aside from being an unnecessary requirement - cipher suites >> >> that support certificate- based authentication of servers all allow >> >> for client authentication - this sort of requirement is rarely >> >> sufficient for interoperation. For instance, you need to specify how >> >> a server will request a certificate such that clients can select the >> >> correct certificate. If a client and server have agreed to share >> >> information on terms that rely on authentication of clients, it is better for >> those peers to arrange the terms on which they will authenticate. >> > >> > Removed cipher suite text as these recommendations are provided by RFC >> 7525. >> > >> >> * Section 5.4 uses "SHOULD" regarding client authentication using >> >> federation, but offers no hints about what this entails. It also >> >> uses "SHOULD" regarding authorization checks, which isn't an >> >> interoperability requirement. It's more of a "don't be silly" type >> >> of requirement, which doesn't need to be written down in an RFC. >> > >> > While its true that this is a "don't do anything stupid" requirement, I think >> that its valuable as a reminder that the authorization checks need to support >> full granularity through the entire resource tree. >> > >> >> Section 5.5 prohibits the use of GET on "/". This prohibits use of >> >> the resource for other purposes. It seems reasonable to accept POST >> >> messages as defined in RFC 6546, but this requirement is overly >> >> strict (and further entrenches the violation of RFC 7320). If, for >> >> instance, the server operator wishes to provide HTML in response to a >> >> GET request to "/", this would prohibit that. The requirement to >> >> return 404 if RFC 6546 is not supported is worse; not supporting RFC >> >> 6546 might be a choice that a deployment makes to avoid the need to >> reserve "/" for that protocol. >> > >> > Cleaned up the text describing this requirement to be more clear that they >> only trigger when an implementation has decided to support RFC 6546. >> Removed the 404 requirement when not supporting RFC6546, as I agree that >> it was overly restrictive. >> > >> >> In Section 6.2.3, what is the advantage of "rolie:format" over having >> >> a well- defined media type? Media types can take advantage of >> >> content negotiation, existing support in link relations, and other >> >> existing tools >> >> >> >> -- >> >> Best regards, >> Kathleen -- Best regards, Kathleen
- [mile] Artart last call review of draft-ietf-mile… Martin Thomson
- Re: [mile] [art] Artart last call review of draft… Mark Nottingham
- Re: [mile] Artart last call review of draft-ietf-… Benjamin Kaduk
- Re: [mile] Artart last call review of draft-ietf-… Martin Thomson
- Re: [mile] Artart last call review of draft-ietf-… Kathleen Moriarty
- Re: [mile] Artart last call review of draft-ietf-… Kathleen Moriarty
- Re: [mile] Artart last call review of draft-ietf-… Martin Thomson
- Re: [mile] Artart last call review of draft-ietf-… Kathleen Moriarty
- Re: [mile] Artart last call review of draft-ietf-… Martin Thomson
- Re: [mile] Artart last call review of draft-ietf-… Kathleen Moriarty
- Re: [mile] Artart last call review of draft-ietf-… Martin Thomson
- Re: [mile] Artart last call review of draft-ietf-… Benjamin Kaduk
- Re: [mile] Artart last call review of draft-ietf-… Banghart, Stephen A. (Fed)
- Re: [mile] Artart last call review of draft-ietf-… Martin Thomson
- Re: [mile] Artart last call review of draft-ietf-… Banghart, Stephen A. (Fed)
- Re: [mile] Artart last call review of draft-ietf-… Martin Thomson
- Re: [mile] Artart last call review of draft-ietf-… Banghart, Stephen A. (Fed)
- Re: [mile] Artart last call review of draft-ietf-… Kathleen Moriarty
- Re: [mile] Artart last call review of draft-ietf-… Banghart, Stephen A. (Fed)
- Re: [mile] Artart last call review of draft-ietf-… Kathleen Moriarty
- Re: [mile] Artart last call review of draft-ietf-… Martin Thomson
- Re: [mile] Artart last call review of draft-ietf-… Waltermire, David A. (Fed)
- Re: [mile] Artart last call review of draft-ietf-… Peter Saint-Andre
- Re: [mile] Artart last call review of draft-ietf-… Waltermire, David A. (Fed)
- Re: [mile] Artart last call review of draft-ietf-… Alexey Melnikov
- Re: [mile] Artart last call review of draft-ietf-… Martin Thomson
- Re: [mile] Artart last call review of draft-ietf-… Banghart, Stephen A. (Fed)
- Re: [mile] Artart last call review of draft-ietf-… Martin Thomson
- Re: [mile] Artart last call review of draft-ietf-… Waltermire, David A. (Fed)
- Re: [mile] Artart last call review of draft-ietf-… Martin Thomson
- Re: [mile] Artart last call review of draft-ietf-… Waltermire, David A. (Fed)
- Re: [mile] Artart last call review of draft-ietf-… Martin Thomson
- Re: [mile] Artart last call review of draft-ietf-… Banghart, Stephen A. (Fed)
- Re: [mile] Artart last call review of draft-ietf-… Martin Thomson
- Re: [mile] Artart last call review of draft-ietf-… Waltermire, David A. (Fed)