Re: [mile] Artart last call review of draft-ietf-mile-rolie-10

Martin Thomson <martin.thomson@gmail.com> Tue, 10 October 2017 01:56 UTC

In-Reply-To: <CAHbuEH5C_GAkeLj6Pda5usY4PYXb1uwY8jzwnnvAV6Ao7v+d2A@mail.gmail.com>
References: <150752570618.18384.5615358468704377459@ietfa.amsl.com> <20171009235717.GN96685@kduck.kaduk.org> <CABkgnnXdq6GKBXrowPTva1MU+X6WSMR2uB7df-2oHaKv=_2rdA@mail.gmail.com> <CAHbuEH5C_GAkeLj6Pda5usY4PYXb1uwY8jzwnnvAV6Ao7v+d2A@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Tue, 10 Oct 2017 12:55:54 +1100
Message-ID: <CABkgnnU8BAdaB05-VQR6R=Ei-E_Ji=OZvVXa=JzX=UoFFDS2wA@mail.gmail.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>, ART Area <art@ietf.org>, MILE IETF <mile@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, draft-ietf-mile-rolie.all@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mile/V4fnZJ5DyTHiifiKoiPQW085nx4>
Subject: Re: [mile] Artart last call review of draft-ietf-mile-rolie-10
List-Id: "Managed Incident Lightweight Exchange, IODEF extensions and RID exchanges" <mile.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mile/>

On Tue, Oct 10, 2017 at 12:32 PM, Kathleen Moriarty
<kathleen.moriarty.ietf@gmail.com> wrote:
>> This is quite explicitly using HTTP, which has a profile (work in
>> progress).  If that profile is somehow inadequate, then a case should
>> be made in the draft explaining why (hence the choice of the word).  A
>> reference to TLS 1.3 also has the unfortunate effect of delaying
>> publication of this draft.
>
> Can you provide a pointer?  The profile is likely inadequate for this
> and many other uses of HTTP/TLS if early data is permitted.  0RTT has
> a large impact across many protocols including those that use
> HTTP/TLS.

https://datatracker.ietf.org/doc/draft-ietf-httpbis-replay/
Editor's copy (with a number of changes):
http://httpwg.org/http-extensions/replay.html

> If there is no normative language, then it can continue on to be
> published with the draft for TLS 1.3 being used.  This is an
> application where security is very important, so decisions like this
> that can be made now should be prior to implementers testing TLS 1.3.

Currently there is normative language, and it wouldn't make sense to
make any sort of statement with respect to 0-RTT without making that
statement normative.  However, I think that it would be wiser to rely
on HTTP doing the right thing here.  I would of course encourage you
and the document authors to review the draft above to see if we're
making completely unsuitable recommendations.

I realize that security is very important here, but I don't think that
it is so significantly special that a whole new application profile of
HTTP is needed.  HTTP can be very secure with the right configuration.
Strong recommendations about good practices for both configuration and
operation are appropriate.  RFC 7525 is what I would use for that.
RFC 7525 covers all that the draft does and more.
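The 0-RTT replay problem discussed in this exchange, as an added example that is not part of the thread and is neither the ROLIE authors' nor the HTTP working group's code. It is a toy model of the mitigation that draft-ietf-httpbis-replay (later published as RFC 8470) specifies: a server that cannot safely process a request that arrived in TLS 1.3 early data answers 425 (Too Early) and the client retries the request once the handshake has completed; an intermediary that accepted early data marks the forwarded request with an "Early-Data: 1" header so the origin can make the same decision. The ledger, the "/transfer" and "/balance" paths and the amounts are constructed for the demonstration; nothing here talks to a real TLS stack.

```python
"""Toy model of TLS 1.3 0-RTT replay against HTTP, and of the 425 (Too Early)
mitigation from draft-ietf-httpbis-replay / RFC 8470.  Added example; the
resource, paths and amounts are constructed, not taken from any real service."""
from dataclasses import dataclass, field

# "Safe" methods as defined by HTTP (RFC 7231): no side effects by definition,
# so replaying them is harmless to the origin's state.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass
class Request:
    method: str
    path: str
    body: str = ""
    early_data: bool = False  # True when the TLS stack delivered this in 0-RTT
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str = ""


class Ledger:
    """A non-idempotent resource: every accepted POST /transfer moves money."""

    def __init__(self, balance):
        self.balance = balance
        self.transfers = []


def handle(req, ledger, reject_unsafe_early_data):
    """Origin server.  With reject_unsafe_early_data=False it behaves like a
    server that simply accepts 0-RTT; with True it applies the draft's rule."""
    # Early data reaches the origin either directly (its own TLS stack accepted
    # 0-RTT) or via an intermediary that forwards it with "Early-Data: 1".
    in_early_data = req.early_data or req.headers.get("Early-Data") == "1"
    if in_early_data and reject_unsafe_early_data and req.method not in SAFE_METHODS:
        # 425 tells the client to retry the same request after the handshake
        # completes; the request is not processed, so a replay does nothing.
        return Response(425, "Too Early")
    if req.method == "POST" and req.path == "/transfer":
        amount = int(req.body)
        ledger.balance -= amount
        ledger.transfers.append(amount)
        return Response(200, "transferred")
    if req.method == "GET" and req.path == "/balance":
        return Response(200, str(ledger.balance))
    return Response(404, "")


def client_send(req, server):
    """Client side: on 425, retry exactly once outside early data (1-RTT)."""
    resp = server(req)
    if resp.status == 425:
        retry = Request(req.method, req.path, req.body, early_data=False,
                        headers={k: v for k, v in req.headers.items()
                                 if k != "Early-Data"})
        resp = server(retry)
    return resp


def run_scenario(reject_unsafe_early_data):
    """Client sends POST /transfer in 0-RTT; an attacker who captured the
    0-RTT flight replays it.  Returns (balance, transfers, client status,
    replay status) so the two server policies can be compared."""
    ledger = Ledger(1000)
    server = lambda r: handle(r, ledger, reject_unsafe_early_data)

    original = Request("POST", "/transfer", "100", early_data=True)
    client_resp = client_send(original, server)

    # The replayed flight is byte-identical to the original, so the server
    # cannot distinguish it; only its early-data policy protects the ledger.
    replayed = Request("POST", "/transfer", "100", early_data=True)
    replay_resp = server(replayed)
    return ledger.balance, len(ledger.transfers), client_resp.status, replay_resp.status


if __name__ == "__main__":
    print("accept 0-RTT blindly:", run_scenario(False))  # transfer applied twice
    print("425 for unsafe early data:", run_scenario(True))  # applied once
```

Run as a script it shows the money moving twice under the permissive policy and once under the 425 policy. Two caveats a practitioner should keep in mind: the draft also allows a server to hold an early-data request until the handshake completes instead of rejecting it, and the method-based rule is only the default; a GET whose handler has side effects on this particular service needs the same treatment as the POST here.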