IETF Logo Mail Archive

Re: [mile] Working group last call for ROLIE

Adam Montville <adam.w.montville@gmail.com> Thu, 20 April 2017 19:16 UTC

Return-Path: <adam.w.montville@gmail.com>
X-Original-To: mile@ietfa.amsl.com
Delivered-To: mile@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6EA6C129BA0 for <mile@ietfa.amsl.com>; Thu, 20 Apr 2017 12:16:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[AC_DIV_BONANZA=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x8n7w_McZTSg for <mile@ietfa.amsl.com>; Thu, 20 Apr 2017 12:16:35 -0700 (PDT)
Received: from mail-io0-x22e.google.com (mail-io0-x22e.google.com [IPv6:2607:f8b0:4001:c06::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 938301292F4 for <mile@ietf.org>; Thu, 20 Apr 2017 12:16:35 -0700 (PDT)
Received: by mail-io0-x22e.google.com with SMTP id r16so79659937ioi.2 for <mile@ietf.org>; Thu, 20 Apr 2017 12:16:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=KCp4u7x1+ArCSdoxuVcfS546gwX1l/8TjFp0fpiPwnE=; b=W1+YptTiN1cb9xPUycHsM4XX/lxV/q7TQefGOxRKy4o74lrnghzgnNs9tS2o56btRJ cQ7f7TrM7OiRnWAPkkiBsUF8KlAyBDnH/bs/sQi8waWUUjku/JlrdpXBrf5+5K4uGRf8 vZtUks+Wu2f78Gafzp9nSPdlmZn+3uipaTVd8JMB8fcwpSWiWxsQ34NhevE0FsaYb1Kh Ewo1fLU2nOKSPflFtcEjiqyY28Z3jyquurGYlvcz69dGcXKPIyp+2HaEMxZyBCWN0iQY Gpc3MbzTG6GWzgzCXa7gwfvykTJU6PmCEw+/ZLAyTIy5l0GrUPZxNOChnat3TYqvGnDS UR4Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=KCp4u7x1+ArCSdoxuVcfS546gwX1l/8TjFp0fpiPwnE=; b=f2L1LtH22pPgECf8Xz9aks8Q62x7Uobjmi/W6/ID2mgowhAa/i+7NiYsWg2h66ScPc uQwyCmQ42b3o809pqlTZzoxKiRyqT3HRv8kkugzC4qi0drwOAWr/xWQP5vJeukB4KFCi 6efvtAp1ts/upXRMRPEnVZ38WFSJVjnyUEBLcEAeW90hzIoa5Xjj4qhw3oOCPxc8dl8A kB1jIpSda41yTOJ8+enBgrNBX/tsZDnxHIW2NPxBLiTurAedOYx2pDbjTvuPoHOstb0f +1Lhd3JxloN+J2elAAvsTkOjl2AZZYx2e2r8sJjA5x3KikV1sSzHQ3eMd2HkSfVS8Obl l4Hw==
X-Gm-Message-State: AN3rC/6d0WHbq85KKcapEC+0TENcAHGGjKV3efaVOkjTwvL0lLNaI15c JSN7VYvTiid0zCqg4Qu6U6U6x8dAug==
X-Received: by 10.36.178.1 with SMTP id u1mr5683929ite.12.1492715789262; Thu, 20 Apr 2017 12:16:29 -0700 (PDT)
MIME-Version: 1.0
References: <CC7AB8C2-66EC-4B75-9CFA-F9A1D7A9C46D@cisco.com> <CACknUNWg=1ZCtaajq8HzFtMboiZ8L7W1jiUvnDf+n9EuUr3gYw@mail.gmail.com> <DM5PR09MB1307253E0E2F0707B83A06DCF01B0@DM5PR09MB1307.namprd09.prod.outlook.com>
In-Reply-To: <DM5PR09MB1307253E0E2F0707B83A06DCF01B0@DM5PR09MB1307.namprd09.prod.outlook.com>
From: Adam Montville <adam.w.montville@gmail.com>
Date: Thu, 20 Apr 2017 19:16:18 +0000
Message-ID: <CACknUNWkSs6_D++m-tc-64shbL0-eC_fyq-W2sFBrDv9jkae0Q@mail.gmail.com>
To: "Banghart, Stephen A. (Fed)" <stephen.banghart@nist.gov>, "mile@ietf.org" <mile@ietf.org>
Content-Type: multipart/alternative; boundary="f403045d9c0e5ea8be054d9dfae8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mile/RA74x6UwHbxYMOv2aNlvUxUaDEI>
Subject: Re: [mile] Working group last call for ROLIE
X-BeenThere: mile@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Managed Incident Lightweight Exchange, IODEF extensions and RID exchanges" <mile.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mile>, <mailto:mile-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mile/>
List-Post: <mailto:mile@ietf.org>
List-Help: <mailto:mile-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mile>, <mailto:mile-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Apr 2017 19:16:38 -0000

More inline :-)

On Thu, Apr 20, 2017 at 10:57 AM Banghart, Stephen A. (Fed) <
stephen.banghart@nist.gov> wrote:

> Hey Adam,
>
>
>
> Thanks for the review, responses inline.
>
>
>
> -Stephen
>
>
>
> *From:* mile [mailto:mile-bounces@ietf.org] *On Behalf Of *Adam Montville
> *Sent:* Wednesday, April 19, 2017 2:14 PM
>
>
> *To:* Nancy Cam-Winget (ncamwing) <ncamwing@cisco.com>; mile@ietf.org
> *Subject:* Re: [mile] Working group last call for ROLIE
>
>
>
> Hi all.
>
>
>
> I've read through the entire draft and found it to be a decent draft. Keep
> in mind that I've not attempted an implementation, and must rely on
> implementers to pick out any technical impacts from this specification.
> That said, I have two broad categories of feedback. The first includes
> suggestions and concerns that are something more than nits. The second are
> really just nits and stylistic (i.e. take them or leave them) types of
> concerns.
>
>
>
> Suggestions/Concerns More Than Nits...
>
>
>
> Page 6: There are two similar terms in the second paragraph of section
> 4.2: "endpoint management system" and "endpoint monitoring system". Are
> they intended to be distinct, or interchangeable in this context? I could
> conclude either way, but if they are intended to be interchangeable, then I
> recommend picking and using one.
>
>
>
> They were originally meant to be interchangeable, I’ve changed them both
> to “endpoint management system” to avoid confusion.
>

Thanks!


>
>
> Page 10: I've probably missed something along the way -- perhaps out of a
> secdir lunch or other discussion -- but it really seems like section 5.3
> could be dramatically reduced by saying, follow RFC7589. There are a lot of
> non-ROLIE-specific things happening in this section, which mostly amount to
> good practice overall (so I don't necessarily mind having the information
> in here), but imagine this information being available in every draft
> intended to be, in part, secured using TLS. That sounds like a nightmare
> for managing requirements.
>
>
>
> We’ve selectively chosen pieces out of RFC7589 to put into ROLIE, so
> referencing the whole document may include unintended requirements. That
> said, there may be a way to shorten this section slightly if you are
> concerned about section length.
>

Understood. Also, my comments were not so much about length as about
contributing to a potential rats nest of requirements. But, shortening
would be good too. :-)


>
>
> Page 11: First paragraph at the top of that page (part of section 5.3)
> says, "The server MUST support certificate-based client authentication..."
> Why is this not a SHOULD? Yes, we'd like them to, but there are perfectly
> valid cases where they needn't support client authentication. Of course, if
> a proper TLS server implementation does this already, then my previous
> comment applies here as well.
>
>
>
> Page 11: First pargraph of section 5.4. A similar concern to the previous,
> the first sentence reads, "Implementations MUST support user
> authentication." Why not SHOULD? Again, there are valid cases where
> authentication is not, strictly speaking, needed.
>
>
>
> We decided that implementations MUST support the authentication in both of
> these cases to maintain secure interoperability between implementations. A
> given ROLIE repo does *not* have to actually use the authentication.
> Panos had similar comments to these two as well, so I’ve added a paragraph
> in section 2 that clarifies that all requirements in the ROLIE
> specification are conformance requirements for implementations, and are not
> usage requirements.
>

Right, but therein is sort of the rub. Maybe it's a red herring, but if
there's code sitting there that'll never really be used, isn't that a bad
thing?



>
>
> Page 12: Section 5.5 treats GET and POST, but ignores the other methods
> that may be treated similarly by stating, in section 5.6, "Servers MAY
> accept request methods beyond those specified in this document." Do we
> really want to leave those undefined? PUT? DELETE? I'm not an expert in
> this area, but PUT could be treated similarly to POST. DELETE is probably
> something that SHOULD be implemented only for user agents properly
> authenticated and authorized, etc.
>
>
>
> Section 5.5 only applies to requests sent to the “/” resource to maintain
> RID compatibility. GET,POST,PUT,DELETE,etc are all defined for general
> usage in the Atom Publishing Protocol specification
>
>
>
> Sections 6.1 and 6.2 and maybe others I can't recall: These sections
> provide an informative syntax for a given element that is a "stricter
> representation" than the original RFC, but they don't ever really state
> which part of that element is stricter, which forces the reader out to that
> original RFC. If there is a way to make the statement right there, please
> do so.
>
>
>
> The definitions for elements we’ve provided in ROLIE are full definitions,
> so a reader shouldn’t need to flip back to RFC4287 in order to get the
> whole picture. Any element defined in ROLIE does a full override of the
> 4287 element, and any element not defined in ROLIE fully inherits from
> 4287. Would it help if I added some text describing that relationship in
> more detail somewhere?
>

It might, but I'm a voice of one, so if others are like "dude, what's this
guy talking about?" then I wouldn't worry about it.



>
>
> Page 15: First sentence of section 6.1.3 indicates that "the atom:updated
> element MUST be populated with the current time at the instant the Feed
> representation was last updated..." Is "instant" sufficient definition?
>
>
>
> Time being the beast that it is I’m not sure how to better describe the
> requirement. Do you have any suggestions/recommendations on how to define
> it?
>

LOL. Nope. If we're not concerned, then that's fine. Does the Atom spec
indicate the timestamp format? That's probably sufficient.


>
>
> Nits and Such...
>
>
>
> Page 5: Second sentence of section 3.2. Strike "However, " from the
> beginning.
>
>
>
> Changed
>
>
>
> Page 5: Last sentence of section 3.2. Proposed change: "A non-normative
> RELAX NG Compact Schema..." or "An informative RELAX NG Compact Schema..."
>
>
>
> Added
>
>
>
> Page 5: Last sentence of only paragraph in Section 4 (proper). Proposed
> change: "...human-in-the-loop sharing arise...". It just reads funny (to
> me) using "become apparent" followed by something else that "becomes
> apparent".
>
>
>
> Agreed, changed the sentence to avoid the repetition.
>
>
>
> Page 19: First sentence of first bullet point in section 6.2.5. Proposed
> change: "...have an atom:link element...".
>
>
>
> Changed
>
>
>
> Page 26: Last sentence in first paragraph of section 9. Proposed change:
> "...All that follows is guidance.  More specific instruction is out of
> scope for this document."
>
>
>
> Changed
>
>
>
> Page 26: The term CSIRT is used in the last paragraph on this page. Not
> sure whether we would prefer to use a more generalized example, as CSIRTs
> may not be the only type of sharing consortium.
>
>
>
> Agreed, changed to “consortium”.
>
>
>
> Kind regards,
>
>
>
> Adam
>
>
>
> On Tue, Mar 28, 2017 at 6:27 PM Nancy Cam-Winget (ncamwing) <
> ncamwing@cisco.com> wrote:
>
> Colleagues,
>
>
>
> Given the significant changes made to the last draft, we are doing another
> 30day WGLC for
>
> https://tools.ietf.org/html/draft-ietf-mile-rolie-06
>
>
>
> Please provide comments before May 1st and provide your support and/ or
> raise any issue you feel are yet to be addressed.
>
>
>
> Regards, Nancy
>
> _______________________________________________
> mile mailing list
> mile@ietf.org
> https://www.ietf.org/mailman/listinfo/mile
>
>

v2.23.0 | Report a Bug | By Email