Re: [mile] Artart last call review of draft-ietf-mile-rolie-10

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Tue, 10 October 2017 03:05 UTC

From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
In-Reply-To: <CABkgnnU8BAdaB05-VQR6R=Ei-E_Ji=OZvVXa=JzX=UoFFDS2wA@mail.gmail.com>
Date: Mon, 09 Oct 2017 23:05:53 -0400
Cc: Benjamin Kaduk <kaduk@mit.edu>, ART Area <art@ietf.org>, MILE IETF <mile@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, draft-ietf-mile-rolie.all@ietf.org
Message-Id: <1D786709-4F2C-4D39-B55D-A4F9EBE82C99@gmail.com>
References: <150752570618.18384.5615358468704377459@ietfa.amsl.com> <20171009235717.GN96685@kduck.kaduk.org> <CABkgnnXdq6GKBXrowPTva1MU+X6WSMR2uB7df-2oHaKv=_2rdA@mail.gmail.com> <CAHbuEH5C_GAkeLj6Pda5usY4PYXb1uwY8jzwnnvAV6Ao7v+d2A@mail.gmail.com> <CABkgnnU8BAdaB05-VQR6R=Ei-E_Ji=OZvVXa=JzX=UoFFDS2wA@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mile/ubEiBiVA7ctNUF0IZCpyqbFiSEs>
List-Id: "Managed Incident Lightweight Exchange, IODEF extensions and RID exchanges" <mile.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mile/>


Sent from my iPhone

> On Oct 9, 2017, at 9:55 PM, Martin Thomson <martin.thomson@gmail.com> wrote:
> 
> On Tue, Oct 10, 2017 at 12:32 PM, Kathleen Moriarty
> <kathleen.moriarty.ietf@gmail.com> wrote:
>>> This is quite explicitly using HTTP, which has a profile (work in
>>> progress).  If that profile is somehow inadequate, then a case should
>>> be made in the draft explaining why (hence the choice of the word).  A
>>> reference to TLS 1.3 also has the unfortunate effect of delaying
>>> publication of this draft.
>> 
>> Can you provide a pointer?  The profile is likely inadequate for this
>> and many other uses of HTTP/TLS if early data is permitted.  0RTT has
>> a large impact across many protocols including those that use
>> HTTP/TLS.
> 
> https://datatracker.ietf.org/doc/draft-ietf-httpbis-replay/
> Editor's copy (with a number of changes):
> http://httpwg.org/http-extensions/replay.html
> 
>> If there is no normative language, then it can continue on to be
>> published with the draft for TLS 1.3 being used.  This is an
>> application where security is very important, so decisions like this
>> that can be made now should be prior to implementers testing TLS 1.3.
> 
> Currently there is normative language, and it wouldn't make sense to
> make any sort of statement with respect to 0-RTT without making that
> statement normative.  However, I think that it would be wiser to rely
> on HTTP doing the right thing here.  I would of course encourage you
> and the document authors to review the draft above to see if we're
> making completely unsuitable recommendations.
> 

I'll review and see if the WG participants can as well.  I think there will be many applications to follow with high security requirements and no tolerance for replay attacks.

> I realize that security is very important here, but I don't think that
> it is so significantly special that a whole new application profile of
> HTTP is needed.  HTTP can be very secure with the right configuration.

Configuration mistakes happen and lead to big problems.

> Strong recommendations about good practices for both configuration and
> operation are appropriate.  RFC 7525 is what I would use for that.
> RFC 7525 covers all that the draft does and more.

Yes, I had pointed that out in my review.

Best,
Kathleen
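
The thread above argues over where replay protection for 0-RTT early data belongs: in the ROLIE draft, or in the HTTP profile at draft-ietf-httpbis-replay (later published as RFC 8470). The following is an added example, not code from the ROLIE draft, the MILE WG or the httpbis draft. It models the server-side rule that draft defines: a request that arrives in early data and that the server is unwilling to process before the handshake completes is refused with status 425 (Too Early), and the client repeats it once over the completed connection, where an on-path attacker can no longer replay it. The Request/Response classes, the `in_early_data` flag and the `RolieCollection` store are constructed stand-ins; a real server would take the early-data indication from its TLS stack, or from a trusted TLS-terminating proxy that forwards the request with the `Early-Data: 1` header field from that draft. The simulation compares a server that applies the rule with one that does not, under the same replayed POST.

```python
"""Rejecting replay-sensitive requests that arrive in TLS 1.3 early data.

Added example, not code from the ROLIE draft, the MILE WG or
draft-ietf-httpbis-replay.  It models that draft's server-side rule: a
non-safe request received in 0-RTT early data is answered with 425 (Too
Early) and processed only when the client resends it after the handshake.
Request, Response, the in_early_data flag and RolieCollection are
constructed stand-ins for a TLS stack and a ROLIE entry store.
"""
from dataclasses import dataclass, field

# RFC 7231 "safe" methods: no server-side state change, so a replay only
# duplicates a read and cannot, for instance, post an entry twice.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""
    in_early_data: bool = False  # hypothetical flag set by the TLS layer


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


class RolieCollection:
    """Toy Atom collection standing in for a ROLIE server's entry store."""

    def __init__(self):
        self.entries = []

    def add(self, body):
        self.entries.append(body)
        return len(self.entries)


def arrived_in_early_data(req):
    """True if the request may have been read before the handshake finished.

    Either the local TLS stack says so, or a TLS-terminating front end
    forwarded it with Early-Data: 1.  A client that sets the header itself
    only makes the server more conservative, so honouring it is safe.
    """
    return req.in_early_data or req.headers.get("Early-Data") == "1"


def handle(store, req, reject_early_writes=True):
    """Serve one request against `store`.

    With reject_early_writes=True, a non-safe request seen in early data is
    refused with 425 and leaves no trace in the store, so an attacker who
    replays the captured 0-RTT record gains nothing.
    """
    if (reject_early_writes and req.method not in SAFE_METHODS
            and arrived_in_early_data(req)):
        return Response(425, {"Content-Type": "text/plain"}, b"Too Early")
    if req.method == "POST":
        n = store.add(req.body)
        return Response(201, {"Location": f"{req.path}/{n}"})
    if req.method == "GET":
        return Response(200, {"Content-Type": "application/atom+xml"},
                        b"".join(store.entries))
    return Response(405)


def client_exchange(store, req, replays=0, reject_early_writes=True):
    """Client sends `req` in 0-RTT; an on-path attacker replays the same
    early-data record `replays` times; on 425 the client resends once over
    the completed (1-RTT) connection, where replay is no longer possible."""
    resp = handle(store, req, reject_early_writes)
    for _ in range(replays):
        handle(store, req, reject_early_writes)  # byte-identical replay
    if resp.status == 425:
        retry = Request(req.method, req.path, dict(req.headers), req.body,
                        in_early_data=False)
        resp = handle(store, retry, reject_early_writes)
    return resp


def entries_created(replays, reject_early_writes):
    """How many copies of one POSTed entry end up in the store."""
    store = RolieCollection()
    post = Request("POST", "/rolie/csaf", {}, b"<entry>advisory</entry>",
                   in_early_data=True)
    client_exchange(store, post, replays, reject_early_writes)
    return len(store.entries)


if __name__ == "__main__":
    print("naive server, 2 replays:", entries_created(2, False))  # 3
    print("425 server,   2 replays:", entries_created(2, True))   # 1
```

Two caveats follow from the thread itself. The 425 rule only helps if the HTTP layer is configured to apply it, which is the kind of configuration mistake Kathleen worries about; a deployment with no tolerance for replay can instead refuse early data at the TLS layer by not enabling it in the session tickets it issues, so nothing reaches the application before the handshake completes. And the `Early-Data: 1` indication from a proxy protects the origin only if the proxy's own connection to the origin does not itself use early data for the forwarded request.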