IETF Logo Mail Archive

Re: [mile] Working group last call for ROLIE

Adam Montville <adam.w.montville@gmail.com> Fri, 21 April 2017 19:26 UTC

Return-Path: <adam.w.montville@gmail.com>
X-Original-To: mile@ietfa.amsl.com
Delivered-To: mile@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7428C127286 for <mile@ietfa.amsl.com>; Fri, 21 Apr 2017 12:26:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.697
X-Spam-Level:
X-Spam-Status: No, score=-2.697 tagged_above=-999 required=5 tests=[AC_DIV_BONANZA=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MVS1IOqjV9eg for <mile@ietfa.amsl.com>; Fri, 21 Apr 2017 12:25:58 -0700 (PDT)
Received: from mail-io0-x231.google.com (mail-io0-x231.google.com [IPv6:2607:f8b0:4001:c06::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 32FD01287A0 for <mile@ietf.org>; Fri, 21 Apr 2017 12:25:58 -0700 (PDT)
Received: by mail-io0-x231.google.com with SMTP id k87so132988450ioi.0 for <mile@ietf.org>; Fri, 21 Apr 2017 12:25:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=wTis42XUY1hdJdBxdhMhF0LUK6zb5HkzOyoLPguhVS4=; b=KCMTdVSYMC5DvJ0lbUJaqnctltpIqbfS9JDtjWJ29Q8+hF3Bop1a11QM7+mLHuqzdu xHXE6YFEVNXcSbi8L4oV2/9GCkJYzsgRxGwVCrVBP/pxXDPVqCPSnDorD1fiq1N0tWxr klAAkT+3vYmp5NuUGz1Mgy9CKEZwjeqOsQWxe2smFQMLc2lp9BqZMAFuBpO7WaoRZDms 8FOiWkKicqmuZ7xNJCzzixsQWCR5WVw97ilXAkgiCYKJ9UI7s7Aigsahd7ssk8nX+nlI FPPGEnRf1X1MWQFfO6A/ds8jh0i0pX2KASZSNYs0esVUL03hcbMjAWbnEQkmIk+EKFSU BISA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=wTis42XUY1hdJdBxdhMhF0LUK6zb5HkzOyoLPguhVS4=; b=ZULQl4xrfWmM7iu5BISdsORVZMLCBCW8zu/XdilucAHNwf4y9lB+mGSSCyi/gRB2ov xYiM3U0ocyoOvl3CxCuZop7f2wrfebq1Jj2cIeqWd4rGq6GPdbq/no+cUJXNq5v9KlMk T0b7DusBfOvpfCr/PMwF3v8nsip/fEwAFM7HgZwcrClXaxtkSvnjA3pU1uc9j6kUOhdD tRUWVGbzdNCXSv7Rx0DRSt07rCTrIFcqEfRFS1Ild6Tq11w1bALSDr9DSyLw7ophZLfB RQNDmUkF1CNPG9MQ2wEN7Wv/SjuURQ8smiFWtaipLNzGa9Zh3zkp0POZLTdA/zGejGF+ 99HA==
X-Gm-Message-State: AN3rC/5xUGIXupIV6biDgXnZ9rpZPN9quNKoxsvWR6Hf7ywvBWpPcsrZ u6h+4MHVNlHnua2jvNycRCG+3Ba35A==
X-Received: by 10.36.69.195 with SMTP id c64mr355768itd.12.1492802730210; Fri, 21 Apr 2017 12:25:30 -0700 (PDT)
MIME-Version: 1.0
References: <CC7AB8C2-66EC-4B75-9CFA-F9A1D7A9C46D@cisco.com> <CACknUNWg=1ZCtaajq8HzFtMboiZ8L7W1jiUvnDf+n9EuUr3gYw@mail.gmail.com> <DM5PR09MB1307253E0E2F0707B83A06DCF01B0@DM5PR09MB1307.namprd09.prod.outlook.com> <CACknUNWkSs6_D++m-tc-64shbL0-eC_fyq-W2sFBrDv9jkae0Q@mail.gmail.com> <CAC0wChGaKXs5ZCg4hXUWm4JS8yf+oQ0JDzHQxJukEDzsj8BEWg@mail.gmail.com>
In-Reply-To: <CAC0wChGaKXs5ZCg4hXUWm4JS8yf+oQ0JDzHQxJukEDzsj8BEWg@mail.gmail.com>
From: Adam Montville <adam.w.montville@gmail.com>
Date: Fri, 21 Apr 2017 19:25:18 +0000
Message-ID: <CACknUNVA2t5YcOcwOLMpuqqEretPQ8tdePRL6dDUmDizufYqGQ@mail.gmail.com>
To: John Field <jfield@pivotal.io>
Cc: "Banghart, Stephen A. (Fed)" <stephen.banghart@nist.gov>, "mile@ietf.org" <mile@ietf.org>
Content-Type: multipart/alternative; boundary="001a113a81c8743955054db2381f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mile/p3nzMSgHNc3DtmywNGM0Se4kaxg>
Subject: Re: [mile] Working group last call for ROLIE
X-BeenThere: mile@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Managed Incident Lightweight Exchange, IODEF extensions and RID exchanges" <mile.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mile>, <mailto:mile-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mile/>
List-Post: <mailto:mile@ietf.org>
List-Help: <mailto:mile-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mile>, <mailto:mile-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Apr 2017 19:26:01 -0000

Thanks for the additional perspective. It's all good, and I like the idea
of upping the game. Just felt, for some reason, compelled to ask about it.

On Fri, Apr 21, 2017 at 11:47 AM John Field <jfield@pivotal.io> wrote:

> Hi All,
>
> Thanks Adam for the review comments.
>
> With regard to your specific comments on page 11 of the draft, i.e. MUST
> versus SHOULD, this is a very good point.  I too struggled with this
> question in the earlier drafts.  I can see the motivation to not exclude
> legitimate use cases or specific deployments that for whatever reason might
> not require mutually authenticated TLS.  But, at the end of the day, I
> agree with Stephen's response that as ROLIE is a security service endpoint,
> we should keep this as a MUST in terms of conformance.  Here's my rationale:
>
> In general, we want to raise the bar -- in terms of current best practice,
> and use "TLS everywhere."  This ensures privacy (and, depending upon
> specific cipher suite, perfect forward secrecy). Going the next step, and
> requiring mutually authenticated TLS, helps by defining at least 1
> specific, and consistent client authentication mechanism, and so should
> promote better interoperability.
>
> As a practical matter, there are many tools and libraries available to
> implementers, and so the associated certificate issuance is just not as big
> a burden as it might first seem.
>
> Also, ensuring data integrity will be an important security characteristic
> for any ROLIE implementation.  Although specific audit requirements are out
> of scope, requiring mutually authenticated TLS will provide a
> standards-based way for a server to associate an identity with a client
> endpoint and provide accountability/audit of client actions. This could be
> useful as a remember-me, even if the identity provisioning process does not
> involve strong vetting.
>
> Of course, implementations may choose to support additional authentication
> mechanisms as needed.  There is a brief discussion of this in the 3rd
> paragraph of section 9, security considerations, where guidance is given to
> align the client authentication requirement to the threat model.
>
> Regards,
> John
>
>
> On Thu, Apr 20, 2017 at 3:16 PM, Adam Montville <
> adam.w.montville@gmail.com> wrote:
>
>> More inline :-)
>>
>> On Thu, Apr 20, 2017 at 10:57 AM Banghart, Stephen A. (Fed) <
>> stephen.banghart@nist.gov> wrote:
>>
>>> Hey Adam,
>>>
>>>
>>>
>>> Thanks for the review, responses inline.
>>>
>>>
>>>
>>> -Stephen
>>>
>>>
>>>
>>> *From:* mile [mailto:mile-bounces@ietf.org] *On Behalf Of *Adam
>>> Montville
>>> *Sent:* Wednesday, April 19, 2017 2:14 PM
>>>
>>>
>>> *To:* Nancy Cam-Winget (ncamwing) <ncamwing@cisco.com>; mile@ietf.org
>>> *Subject:* Re: [mile] Working group last call for ROLIE
>>>
>>>
>>>
>>> Hi all.
>>>
>>>
>>>
>>> I've read through the entire draft and found it to be a decent draft.
>>> Keep in mind that I've not attempted an implementation, and must rely on
>>> implementers to pick out any technical impacts from this specification.
>>> That said, I have two broad categories of feedback. The first includes
>>> suggestions and concerns that are something more than nits. The second are
>>> really just nits and stylistic (i.e. take them or leave them) types of
>>> concerns.
>>>
>>>
>>>
>>> Suggestions/Concerns More Than Nits...
>>>
>>>
>>>
>>> Page 6: There are two similar terms in the second paragraph of section
>>> 4.2: "endpoint management system" and "endpoint monitoring system". Are
>>> they intended to be distinct, or interchangeable in this context? I could
>>> conclude either way, but if they are intended to be interchangeable, then I
>>> recommend picking and using one.
>>>
>>>
>>>
>>> They were originally meant to be interchangeable, I’ve changed them both
>>> to “endpoint management system” to avoid confusion.
>>>
>>
>> Thanks!
>>
>>
>>>
>>>
>>> Page 10: I've probably missed something along the way -- perhaps out of
>>> a secdir lunch or other discussion -- but it really seems like section 5.3
>>> could be dramatically reduced by saying, follow RFC7589. There are a lot of
>>> non-ROLIE-specific things happening in this section, which mostly amount to
>>> good practice overall (so I don't necessarily mind having the information
>>> in here), but imagine this information being available in every draft
>>> intended to be, in part, secured using TLS. That sounds like a nightmare
>>> for managing requirements.
>>>
>>>
>>>
>>> We’ve selectively chosen pieces out of RFC7589 to put into ROLIE, so
>>> referencing the whole document may include unintended requirements. That
>>> said, there may be a way to shorten this section slightly if you are
>>> concerned about section length.
>>>
>>
>> Understood. Also, my comments were not so much about length as about
>> contributing to a potential rats nest of requirements. But, shortening
>> would be good too. :-)
>>
>>
>>>
>>>
>>> Page 11: First paragraph at the top of that page (part of section 5.3)
>>> says, "The server MUST support certificate-based client authentication..."
>>> Why is this not a SHOULD? Yes, we'd like them to, but there are perfectly
>>> valid cases where they needn't support client authentication. Of course, if
>>> a proper TLS server implementation does this already, then my previous
>>> comment applies here as well.
>>>
>>>
>>>
>>> Page 11: First pargraph of section 5.4. A similar concern to the
>>> previous, the first sentence reads, "Implementations MUST support user
>>> authentication." Why not SHOULD? Again, there are valid cases where
>>> authentication is not, strictly speaking, needed.
>>>
>>>
>>>
>>> We decided that implementations MUST support the authentication in both
>>> of these cases to maintain secure interoperability between implementations.
>>> A given ROLIE repo does *not* have to actually use the authentication.
>>> Panos had similar comments to these two as well, so I’ve added a paragraph
>>> in section 2 that clarifies that all requirements in the ROLIE
>>> specification are conformance requirements for implementations, and are not
>>> usage requirements.
>>>
>>
>> Right, but therein is sort of the rub. Maybe it's a red herring, but if
>> there's code sitting there that'll never really be used, isn't that a bad
>> thing?
>>
>>
>>
>>>
>>>
>>> Page 12: Section 5.5 treats GET and POST, but ignores the other methods
>>> that may be treated similarly by stating, in section 5.6, "Servers MAY
>>> accept request methods beyond those specified in this document." Do we
>>> really want to leave those undefined? PUT? DELETE? I'm not an expert in
>>> this area, but PUT could be treated similarly to POST. DELETE is probably
>>> something that SHOULD be implemented only for user agents properly
>>> authenticated and authorized, etc.
>>>
>>>
>>>
>>> Section 5.5 only applies to requests sent to the “/” resource to
>>> maintain RID compatibility. GET,POST,PUT,DELETE,etc are all defined for
>>> general usage in the Atom Publishing Protocol specification
>>>
>>>
>>>
>>> Sections 6.1 and 6.2 and maybe others I can't recall: These sections
>>> provide an informative syntax for a given element that is a "stricter
>>> representation" than the original RFC, but they don't ever really state
>>> which part of that element is stricter, which forces the reader out to that
>>> original RFC. If there is a way to make the statement right there, please
>>> do so.
>>>
>>>
>>>
>>> The definitions for elements we’ve provided in ROLIE are full
>>> definitions, so a reader shouldn’t need to flip back to RFC4287 in order to
>>> get the whole picture. Any element defined in ROLIE does a full override of
>>> the 4287 element, and any element not defined in ROLIE fully inherits from
>>> 4287. Would it help if I added some text describing that relationship in
>>> more detail somewhere?
>>>
>>
>> It might, but I'm a voice of one, so if others are like "dude, what's
>> this guy talking about?" then I wouldn't worry about it.
>>
>>
>>
>>>
>>>
>>> Page 15: First sentence of section 6.1.3 indicates that "the
>>> atom:updated element MUST be populated with the current time at the instant
>>> the Feed representation was last updated..." Is "instant" sufficient
>>> definition?
>>>
>>>
>>>
>>> Time being the beast that it is I’m not sure how to better describe the
>>> requirement. Do you have any suggestions/recommendations on how to define
>>> it?
>>>
>>
>> LOL. Nope. If we're not concerned, then that's fine. Does the Atom spec
>> indicate the timestamp format? That's probably sufficient.
>>
>>
>>>
>>>
>>> Nits and Such...
>>>
>>>
>>>
>>> Page 5: Second sentence of section 3.2. Strike "However, " from the
>>> beginning.
>>>
>>>
>>>
>>> Changed
>>>
>>>
>>>
>>> Page 5: Last sentence of section 3.2. Proposed change: "A non-normative
>>> RELAX NG Compact Schema..." or "An informative RELAX NG Compact Schema..."
>>>
>>>
>>>
>>> Added
>>>
>>>
>>>
>>> Page 5: Last sentence of only paragraph in Section 4 (proper). Proposed
>>> change: "...human-in-the-loop sharing arise...". It just reads funny (to
>>> me) using "become apparent" followed by something else that "becomes
>>> apparent".
>>>
>>>
>>>
>>> Agreed, changed the sentence to avoid the repetition.
>>>
>>>
>>>
>>> Page 19: First sentence of first bullet point in section 6.2.5. Proposed
>>> change: "...have an atom:link element...".
>>>
>>>
>>>
>>> Changed
>>>
>>>
>>>
>>> Page 26: Last sentence in first paragraph of section 9. Proposed change:
>>> "...All that follows is guidance.  More specific instruction is out of
>>> scope for this document."
>>>
>>>
>>>
>>> Changed
>>>
>>>
>>>
>>> Page 26: The term CSIRT is used in the last paragraph on this page. Not
>>> sure whether we would prefer to use a more generalized example, as CSIRTs
>>> may not be the only type of sharing consortium.
>>>
>>>
>>>
>>> Agreed, changed to “consortium”.
>>>
>>>
>>>
>>> Kind regards,
>>>
>>>
>>>
>>> Adam
>>>
>>>
>>>
>>> On Tue, Mar 28, 2017 at 6:27 PM Nancy Cam-Winget (ncamwing) <
>>> ncamwing@cisco.com> wrote:
>>>
>>> Colleagues,
>>>
>>>
>>>
>>> Given the significant changes made to the last draft, we are doing
>>> another 30day WGLC for
>>>
>>> https://tools.ietf.org/html/draft-ietf-mile-rolie-06
>>>
>>>
>>>
>>> Please provide comments before May 1st and provide your support and/ or
>>> raise any issue you feel are yet to be addressed.
>>>
>>>
>>>
>>> Regards, Nancy
>>>
>>> _______________________________________________
>>> mile mailing list
>>> mile@ietf.org
>>> https://www.ietf.org/mailman/listinfo/mile
>>>
>>>
>> _______________________________________________
>> mile mailing list
>> mile@ietf.org
>> https://www.ietf.org/mailman/listinfo/mile
>>
>>
>
>
> --
>
> John P. Field | Security PM | Pivotal
>
> Direct: (908) 962-3394 | jfield@ <jfield@gopivotal.com>pivotal.io
>

v2.23.0 | Report a Bug | By Email