Re: [mile] Artart last call review of draft-ietf-mile-rolie-10
Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Tue, 10 October 2017 03:05 UTC
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Mon, 09 Oct 2017 23:05:53 -0400
Cc: Benjamin Kaduk <kaduk@mit.edu>, ART Area <art@ietf.org>, MILE IETF <mile@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, draft-ietf-mile-rolie.all@ietf.org
To: Martin Thomson <martin.thomson@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mile/ubEiBiVA7ctNUF0IZCpyqbFiSEs>
Sent from my iPhone

> On Oct 9, 2017, at 9:55 PM, Martin Thomson <martin.thomson@gmail.com> wrote:
>
> On Tue, Oct 10, 2017 at 12:32 PM, Kathleen Moriarty
> <kathleen.moriarty.ietf@gmail.com> wrote:
>>> This is quite explicitly using HTTP, which has a profile (work in
>>> progress). If that profile is somehow inadequate, then a case should
>>> be made in the draft explaining why (hence the choice of the word). A
>>> reference to TLS 1.3 also has the unfortunate effect of delaying
>>> publication of this draft.
>>
>> Can you provide a pointer? The profile is likely inadequate for this
>> and many other uses of HTTP/TLS if early data is permitted. 0RTT has
>> a large impact across many protocols including those that use
>> HTTP/TLS.
>
> https://datatracker.ietf.org/doc/draft-ietf-httpbis-replay/
> Editor's copy (with a number of changes):
> http://httpwg.org/http-extensions/replay.html
>
>> If there is no normative language, then it can continue on to be
>> published with the draft for TLS 1.3 being used. This is an
>> application where security is very important, so decisions like this
>> that can be made now should be prior to implementers testing TLS 1.3.
>
> Currently there is normative language, and it wouldn't make sense to
> make any sort of statement with respect to 0-RTT without making that
> statement normative. However, I think that it would be wiser to rely
> on HTTP doing the right thing here. I would of course encourage you
> and the document authors to review the draft above to see if we're
> making completely unsuitable recommendations.

I'll review and see if the WG participants can as well. I think there
will be many applications to follow with high security requirements and
no tolerance for replay attacks.

> I realize that security is very important here, but I don't think that
> it is so significantly special that a whole new application profile of
> HTTP is needed. HTTP can be very secure with the right configuration.

Configuration mistakes happen and lead to big problems.

> Strong recommendations about good practices for both configuration and
> operation are appropriate. RFC 7525 is what I would use for that.
> RFC 7525 covers all that the draft does and more.

Yes, I had pointed that out in my review.

Best,
Kathleen
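As an added example, not code from this thread or from the ROLIE draft, the guard below follows the replay mitigation in the httpbis draft linked above (later published as RFC 8470): the TLS-terminating layer marks a request that arrived in 0-RTT early data with "Early-Data: 1", and the origin answers 425 (Too Early) for anything it is not willing to see replayed, so a compliant client resends it after the handshake completes. The Request/Response classes, the lowercased header names, the /rolie/... paths and the stand-in handler are assumptions made for this example.

```python
from dataclasses import dataclass, field

# Methods the replay draft lets a server process from early data by default;
# even a replayed GET leaks access timing, hence the strict option below.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)  # names lowercased (assumed)

@dataclass
class Response:
    status: int
    body: str = ""

def arrived_in_early_data(req):
    # "Early-Data: 1" is set by the TLS-terminating intermediary (or the
    # server's own TLS stack) when the request came in 0-RTT data. A client
    # that forges the header only earns itself a 425, so the check fails closed.
    return req.headers.get("early-data", "").strip() == "1"

def replay_sensitive(req, strict=False):
    # A ROLIE-style server (assumed: Atom feed reads via GET, entry changes via
    # POST/PUT/DELETE) must not act on a state-changing request that an on-path
    # attacker could have replayed from a captured early-data flight.
    return strict or req.method.upper() not in SAFE_METHODS

def guard(req, handler, strict=False):
    # 425 (Too Early) tells a compliant client to resend the identical request
    # once the handshake has completed, instead of a generic 4xx it would drop.
    if arrived_in_early_data(req) and replay_sensitive(req, strict):
        return Response(425, "Too Early: retry after handshake")
    return handler(req)

def rolie_handler(req):
    # Stand-in origin constructed for the example, not ROLIE's real logic.
    if req.method == "POST" and req.path == "/rolie/entries":
        return Response(201, "entry created")
    if req.method == "GET":
        return Response(200, "<feed/>")
    return Response(405, "method not allowed")

if __name__ == "__main__":
    replayed = Request("POST", "/rolie/entries", {"early-data": "1"})
    print(guard(replayed, rolie_handler).status)  # 425
    early_get = Request("GET", "/rolie/feed", {"early-data": "1"})
    print(guard(early_get, rolie_handler).status)  # 200
```

The same request without the marker (or with any value other than "1") reaches the handler unchanged, which is the behaviour a proxy that does not terminate 0-RTT produces.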