Re: [mile] Working group last call for ROLIE
Adam Montville <adam.w.montville@gmail.com> Thu, 20 April 2017 19:16 UTC
Return-Path: <adam.w.montville@gmail.com>
X-Original-To: mile@ietfa.amsl.com
Delivered-To: mile@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6EA6C129BA0 for <mile@ietfa.amsl.com>; Thu, 20 Apr 2017 12:16:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[AC_DIV_BONANZA=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x8n7w_McZTSg for <mile@ietfa.amsl.com>; Thu, 20 Apr 2017 12:16:35 -0700 (PDT)
Received: from mail-io0-x22e.google.com (mail-io0-x22e.google.com [IPv6:2607:f8b0:4001:c06::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 938301292F4 for <mile@ietf.org>; Thu, 20 Apr 2017 12:16:35 -0700 (PDT)
Received: by mail-io0-x22e.google.com with SMTP id r16so79659937ioi.2 for <mile@ietf.org>; Thu, 20 Apr 2017 12:16:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=KCp4u7x1+ArCSdoxuVcfS546gwX1l/8TjFp0fpiPwnE=; b=W1+YptTiN1cb9xPUycHsM4XX/lxV/q7TQefGOxRKy4o74lrnghzgnNs9tS2o56btRJ cQ7f7TrM7OiRnWAPkkiBsUF8KlAyBDnH/bs/sQi8waWUUjku/JlrdpXBrf5+5K4uGRf8 vZtUks+Wu2f78Gafzp9nSPdlmZn+3uipaTVd8JMB8fcwpSWiWxsQ34NhevE0FsaYb1Kh Ewo1fLU2nOKSPflFtcEjiqyY28Z3jyquurGYlvcz69dGcXKPIyp+2HaEMxZyBCWN0iQY Gpc3MbzTG6GWzgzCXa7gwfvykTJU6PmCEw+/ZLAyTIy5l0GrUPZxNOChnat3TYqvGnDS UR4Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=KCp4u7x1+ArCSdoxuVcfS546gwX1l/8TjFp0fpiPwnE=; b=f2L1LtH22pPgECf8Xz9aks8Q62x7Uobjmi/W6/ID2mgowhAa/i+7NiYsWg2h66ScPc uQwyCmQ42b3o809pqlTZzoxKiRyqT3HRv8kkugzC4qi0drwOAWr/xWQP5vJeukB4KFCi 6efvtAp1ts/upXRMRPEnVZ38WFSJVjnyUEBLcEAeW90hzIoa5Xjj4qhw3oOCPxc8dl8A kB1jIpSda41yTOJ8+enBgrNBX/tsZDnxHIW2NPxBLiTurAedOYx2pDbjTvuPoHOstb0f +1Lhd3JxloN+J2elAAvsTkOjl2AZZYx2e2r8sJjA5x3KikV1sSzHQ3eMd2HkSfVS8Obl l4Hw==
X-Gm-Message-State: AN3rC/6d0WHbq85KKcapEC+0TENcAHGGjKV3efaVOkjTwvL0lLNaI15c JSN7VYvTiid0zCqg4Qu6U6U6x8dAug==
X-Received: by 10.36.178.1 with SMTP id u1mr5683929ite.12.1492715789262; Thu, 20 Apr 2017 12:16:29 -0700 (PDT)
MIME-Version: 1.0
References: <CC7AB8C2-66EC-4B75-9CFA-F9A1D7A9C46D@cisco.com> <CACknUNWg=1ZCtaajq8HzFtMboiZ8L7W1jiUvnDf+n9EuUr3gYw@mail.gmail.com> <DM5PR09MB1307253E0E2F0707B83A06DCF01B0@DM5PR09MB1307.namprd09.prod.outlook.com>
In-Reply-To: <DM5PR09MB1307253E0E2F0707B83A06DCF01B0@DM5PR09MB1307.namprd09.prod.outlook.com>
From: Adam Montville <adam.w.montville@gmail.com>
Date: Thu, 20 Apr 2017 19:16:18 +0000
Message-ID: <CACknUNWkSs6_D++m-tc-64shbL0-eC_fyq-W2sFBrDv9jkae0Q@mail.gmail.com>
To: "Banghart, Stephen A. (Fed)" <stephen.banghart@nist.gov>, "mile@ietf.org" <mile@ietf.org>
Content-Type: multipart/alternative; boundary="f403045d9c0e5ea8be054d9dfae8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mile/RA74x6UwHbxYMOv2aNlvUxUaDEI>
Subject: Re: [mile] Working group last call for ROLIE
X-BeenThere: mile@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Managed Incident Lightweight Exchange, IODEF extensions and RID exchanges" <mile.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mile>, <mailto:mile-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mile/>
List-Post: <mailto:mile@ietf.org>
List-Help: <mailto:mile-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mile>, <mailto:mile-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Apr 2017 19:16:38 -0000
More inline :-) On Thu, Apr 20, 2017 at 10:57 AM Banghart, Stephen A. (Fed) < stephen.banghart@nist.gov> wrote: > Hey Adam, > > > > Thanks for the review, responses inline. > > > > -Stephen > > > > *From:* mile [mailto:mile-bounces@ietf.org] *On Behalf Of *Adam Montville > *Sent:* Wednesday, April 19, 2017 2:14 PM > > > *To:* Nancy Cam-Winget (ncamwing) <ncamwing@cisco.com>; mile@ietf.org > *Subject:* Re: [mile] Working group last call for ROLIE > > > > Hi all. > > > > I've read through the entire draft and found it to be a decent draft. Keep > in mind that I've not attempted an implementation, and must rely on > implementers to pick out any technical impacts from this specification. > That said, I have two broad categories of feedback. The first includes > suggestions and concerns that are something more than nits. The second are > really just nits and stylistic (i.e. take them or leave them) types of > concerns. > > > > Suggestions/Concerns More Than Nits... > > > > Page 6: There are two similar terms in the second paragraph of section > 4.2: "endpoint management system" and "endpoint monitoring system". Are > they intended to be distinct, or interchangeable in this context? I could > conclude either way, but if they are intended to be interchangeable, then I > recommend picking and using one. > > > > They were originally meant to be interchangeable, I’ve changed them both > to “endpoint management system” to avoid confusion. > Thanks! > > > Page 10: I've probably missed something along the way -- perhaps out of a > secdir lunch or other discussion -- but it really seems like section 5.3 > could be dramatically reduced by saying, follow RFC7589. There are a lot of > non-ROLIE-specific things happening in this section, which mostly amount to > good practice overall (so I don't necessarily mind having the information > in here), but imagine this information being available in every draft > intended to be, in part, secured using TLS. That sounds like a nightmare > for managing requirements. > > > > We’ve selectively chosen pieces out of RFC7589 to put into ROLIE, so > referencing the whole document may include unintended requirements. That > said, there may be a way to shorten this section slightly if you are > concerned about section length. > Understood. Also, my comments were not so much about length as about contributing to a potential rats nest of requirements. But, shortening would be good too. :-) > > > Page 11: First paragraph at the top of that page (part of section 5.3) > says, "The server MUST support certificate-based client authentication..." > Why is this not a SHOULD? Yes, we'd like them to, but there are perfectly > valid cases where they needn't support client authentication. Of course, if > a proper TLS server implementation does this already, then my previous > comment applies here as well. > > > > Page 11: First pargraph of section 5.4. A similar concern to the previous, > the first sentence reads, "Implementations MUST support user > authentication." Why not SHOULD? Again, there are valid cases where > authentication is not, strictly speaking, needed. > > > > We decided that implementations MUST support the authentication in both of > these cases to maintain secure interoperability between implementations. A > given ROLIE repo does *not* have to actually use the authentication. > Panos had similar comments to these two as well, so I’ve added a paragraph > in section 2 that clarifies that all requirements in the ROLIE > specification are conformance requirements for implementations, and are not > usage requirements. > Right, but therein is sort of the rub. Maybe it's a red herring, but if there's code sitting there that'll never really be used, isn't that a bad thing? > > > Page 12: Section 5.5 treats GET and POST, but ignores the other methods > that may be treated similarly by stating, in section 5.6, "Servers MAY > accept request methods beyond those specified in this document." Do we > really want to leave those undefined? PUT? DELETE? I'm not an expert in > this area, but PUT could be treated similarly to POST. DELETE is probably > something that SHOULD be implemented only for user agents properly > authenticated and authorized, etc. > > > > Section 5.5 only applies to requests sent to the “/” resource to maintain > RID compatibility. GET,POST,PUT,DELETE,etc are all defined for general > usage in the Atom Publishing Protocol specification > > > > Sections 6.1 and 6.2 and maybe others I can't recall: These sections > provide an informative syntax for a given element that is a "stricter > representation" than the original RFC, but they don't ever really state > which part of that element is stricter, which forces the reader out to that > original RFC. If there is a way to make the statement right there, please > do so. > > > > The definitions for elements we’ve provided in ROLIE are full definitions, > so a reader shouldn’t need to flip back to RFC4287 in order to get the > whole picture. Any element defined in ROLIE does a full override of the > 4287 element, and any element not defined in ROLIE fully inherits from > 4287. Would it help if I added some text describing that relationship in > more detail somewhere? > It might, but I'm a voice of one, so if others are like "dude, what's this guy talking about?" then I wouldn't worry about it. > > > Page 15: First sentence of section 6.1.3 indicates that "the atom:updated > element MUST be populated with the current time at the instant the Feed > representation was last updated..." Is "instant" sufficient definition? > > > > Time being the beast that it is I’m not sure how to better describe the > requirement. Do you have any suggestions/recommendations on how to define > it? > LOL. Nope. If we're not concerned, then that's fine. Does the Atom spec indicate the timestamp format? That's probably sufficient. > > > Nits and Such... > > > > Page 5: Second sentence of section 3.2. Strike "However, " from the > beginning. > > > > Changed > > > > Page 5: Last sentence of section 3.2. Proposed change: "A non-normative > RELAX NG Compact Schema..." or "An informative RELAX NG Compact Schema..." > > > > Added > > > > Page 5: Last sentence of only paragraph in Section 4 (proper). Proposed > change: "...human-in-the-loop sharing arise...". It just reads funny (to > me) using "become apparent" followed by something else that "becomes > apparent". > > > > Agreed, changed the sentence to avoid the repetition. > > > > Page 19: First sentence of first bullet point in section 6.2.5. Proposed > change: "...have an atom:link element...". > > > > Changed > > > > Page 26: Last sentence in first paragraph of section 9. Proposed change: > "...All that follows is guidance. More specific instruction is out of > scope for this document." > > > > Changed > > > > Page 26: The term CSIRT is used in the last paragraph on this page. Not > sure whether we would prefer to use a more generalized example, as CSIRTs > may not be the only type of sharing consortium. > > > > Agreed, changed to “consortium”. > > > > Kind regards, > > > > Adam > > > > On Tue, Mar 28, 2017 at 6:27 PM Nancy Cam-Winget (ncamwing) < > ncamwing@cisco.com> wrote: > > Colleagues, > > > > Given the significant changes made to the last draft, we are doing another > 30day WGLC for > > https://tools.ietf.org/html/draft-ietf-mile-rolie-06 > > > > Please provide comments before May 1st and provide your support and/ or > raise any issue you feel are yet to be addressed. > > > > Regards, Nancy > > _______________________________________________ > mile mailing list > mile@ietf.org > https://www.ietf.org/mailman/listinfo/mile > >
- Re: [mile] Working group last call for ROLIE Adam Montville
- Re: [mile] Working group last call for ROLIE Banghart, Stephen A. (Fed)
- Re: [mile] Working group last call for ROLIE Adam Montville
- Re: [mile] Working group last call for ROLIE Banghart, Stephen A. (Fed)
- Re: [mile] Working group last call for ROLIE John Field
- Re: [mile] Working group last call for ROLIE Adam Montville
- Re: [mile] Working group last call for ROLIE Banghart, Stephen A. (Fed)
- Re: [mile] Working group last call for ROLIE Schmidt, Charles M.
- Re: [mile] Working group last call for ROLIE Schmidt, Charles M.
- Re: [mile] Working group last call for ROLIE Nancy Cam-Winget (ncamwing)
- Re: [mile] Working group last call for ROLIE Waltermire, David A. (Fed)
- Re: [mile] Working group last call for ROLIE Waltermire, David A. (Fed)
- Re: [mile] Working group last call for ROLIE Nancy Cam-Winget (ncamwing)
- Re: [mile] Working group last call for ROLIE Kathleen Moriarty
- Re: [mile] Working group last call for ROLIE Nancy Cam-Winget (ncamwing)
- [mile] Working group last call for ROLIE Nancy Cam-Winget (ncamwing)
- Re: [mile] Working group last call for ROLIE Nancy Cam-Winget (ncamwing)
- Re: [mile] Working group last call for ROLIE Panos Kampanakis (pkampana)
- Re: [mile] Working group last call for ROLIE Banghart, Stephen A. (Fed)
- Re: [mile] Working group last call for ROLIE Nancy Cam-Winget (ncamwing)