Re: [nfsv4] Roman Danyliw's Discuss on draft-ietf-nfsv4-rpc-tls-08: (with DISCUSS and COMMENT)
"Mkrtchyan, Tigran" <tigran.mkrtchyan@desy.de> Wed, 08 July 2020 20:02 UTC
Return-Path: <tigran.mkrtchyan@desy.de>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 236533A07A8 for <nfsv4@ietfa.amsl.com>; Wed, 8 Jul 2020 13:02:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.099
X-Spam-Level:
X-Spam-Status: No, score=-1.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.999, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=desy.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id djOp8f1agNOS for <nfsv4@ietfa.amsl.com>; Wed, 8 Jul 2020 13:02:35 -0700 (PDT)
Received: from smtp-o-1.desy.de (smtp-o-1.desy.de [IPv6:2001:638:700:1038::1:9a]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 03A893A07A2 for <nfsv4@ietf.org>; Wed, 8 Jul 2020 13:02:34 -0700 (PDT)
Received: from smtp-buf-1.desy.de (smtp-buf-1.desy.de [IPv6:2001:638:700:1038::1:a4]) by smtp-o-1.desy.de (Postfix) with ESMTP id 36084E070E for <nfsv4@ietf.org>; Wed, 8 Jul 2020 22:02:32 +0200 (CEST)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp-o-1.desy.de 36084E070E
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=desy.de; s=default; t=1594238552; bh=Xa9J8Ooba7fzelnQX0vUeo7LVQd8qZPQNYtM5QoDCMM=; h=Date:From:To:Cc:In-Reply-To:References:Subject:From; b=R5D2JvuSm3iwLn91rSrOdHR9RH9VQWkAk5bjwj6Iwvdf7rqO3rTvM1PS2RlORavWV xcTud8b3Ao8fOleDIMzdCOUXg6myr7xyjqufIhG1FQF+m467wFi8aH+0oauMFUL4lQ o18rklcOC1dCmO8bI8s8fL4yl/YiJAPu8wa61sVY=
Received: from smtp-m-1.desy.de (smtp-m-1.desy.de [IPv6:2001:638:700:1038::1:81]) by smtp-buf-1.desy.de (Postfix) with ESMTP id 25DE51201D4; Wed, 8 Jul 2020 22:02:32 +0200 (CEST)
X-Virus-Scanned: amavisd-new at desy.de
Received: from z-mbx-2.desy.de (z-mbx-2.desy.de [131.169.55.140]) by smtp-intra-2.desy.de (Postfix) with ESMTP id EF5F410007B; Wed, 8 Jul 2020 22:02:31 +0200 (CEST)
Date: Wed, 08 Jul 2020 22:02:31 +0200
From: "Mkrtchyan, Tigran" <tigran.mkrtchyan@desy.de>
To: Roman Danyliw <rdd@cert.org>
Cc: The IESG <iesg@ietf.org>, draft-ietf-nfsv4-rpc-tls@ietf.org, nfsv4-chairs <nfsv4-chairs@ietf.org>, NFSv4 <nfsv4@ietf.org>, Chuck Lever <chuck.lever@oracle.com>
Message-ID: <143244284.2221159.1594238551646.JavaMail.zimbra@desy.de>
In-Reply-To: <9BEC1316-A219-408F-AB27-74B28D702148@oracle.com>
References: <159409225571.12966.1097397622994927028@ietfa.amsl.com> <9BEC1316-A219-408F-AB27-74B28D702148@oracle.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Zimbra 8.8.15_GA_3901 (ZimbraWebClient - FF78 (Linux)/8.8.15_GA_3895)
Thread-Topic: Roman Danyliw's Discuss on draft-ietf-nfsv4-rpc-tls-08: (with DISCUSS and COMMENT)
Thread-Index: zmZhwEDqQb5oor9jcdWOucuj9zlDyQ==
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/JmEDpeiSrTTjUOhfXKVjw1eeWO8>
Subject: Re: [nfsv4] Roman Danyliw's Discuss on draft-ietf-nfsv4-rpc-tls-08: (with DISCUSS and COMMENT)
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jul 2020 20:02:37 -0000
Hi Roman, ----- Original Message ----- > From: "Chuck Lever" <chuck.lever@oracle.com> > To: "Roman Danyliw" <rdd@cert.org>, "Tigran Mkrtchyan" <tigran.mkrtchyan@desy.de> > Cc: "The IESG" <iesg@ietf.org>, draft-ietf-nfsv4-rpc-tls@ietf.org, "nfsv4-chairs" <nfsv4-chairs@ietf.org>, "NFSv4" > <nfsv4@ietf.org> > Sent: Wednesday, July 8, 2020 5:43:57 PM > Subject: Re: [nfsv4] Roman Danyliw's Discuss on draft-ietf-nfsv4-rpc-tls-08: (with DISCUSS and COMMENT) > Hi Roman- > > Here are my responses to your COMMENTs in Section 5. > > >> On Jul 6, 2020, at 11:24 PM, Roman Danyliw via Datatracker <noreply@ietf.org> >> wrote: >> >> ---------------------------------------------------------------------- >> COMMENT: >> ---------------------------------------------------------------------- >> >> ** Section 5.2.1. Per “For services accessed by their network identifiers >> (netids) and universal network addresses (uaddr), the iPAddress subjectAltName >> SHOULD be present in the certificate and must exactly …”, why not a normative >> MUST? > > This language came from Tigran Mkrtchyan. Tigran, can you comment? The MUST implies that protocol require client to reject the connection to a server which doesen't provide ipAddress, however, with SHOULD protocol delegates the decision to the application, similar to how one can pass `-k` option to curl to bypass certificate validation. @Chuck Feel free to change it to MUST, if it's more appropriate. Thanks, Tigran. > > >> ** Section 5.2.1. Per “For example, if the Issuer is not in a trusted set of >> Issuers, the RPC server may decline to perform RPC transactions with this >> client.”, wouldn’t the TLS connection fail in this case and not even get to >> whatever authorization logic the RPC server might have? > > I can remove this sentence. > > >> ** Section 5.2.1. Per “As a suggestion, at least the following parameters of >> the X.509 client certificate SHOULD be exposed … Originating IP address”, how >> exactly should this IP address be exposed in the certificate, or is this >> intended to be the IP address of the peer which presented the certificate? > > I believe this is the IP address of the peer which presented the certificate. > > >> ** Section 5.2.2 and 5.2.4. Both 5.2.1 and 5.2.3 described what information >> should be exposed by implementations. These sections omit that information. >> For example, I would have expected Section 5.2.4 to discuss Token Binding IDs > > PSK and Token Binding were added on request, and no further details were > provided > by the requesters. > > >> ** Section 5.2.2. Is there any MTI guidance on the kinds of digests to support >> for these fingerprints? > > I've had some difficulty with this. Originally the document required SHA-1, as > it is the de facto standard algorithm for certificate fingerprinting. However, > subsequent security review pointed out that SHA-1 is deprecated. > > I changed the requirement to SHA-256, but this is problematic: most fingerprint > implementations I'm aware of use SHA-1. I have found no published document that > suggests that SHA-1 is a problem for certificate fingerprinting, and no standard > that specifically discusses certificate fingerprinting algorithms. > > During Gen-ART review, the reviewer complained about the comparative: > > Implementations MUST support SHA-256 > [FIPS.180-4] or stronger as the hash algorithm for the fingerprint. > > Suggesting that the document would need to provide a fixed list of particular > algorithms here, rather than an open-ended requirement. I punted and removed > the sentence. > > I'm not sure how to proceed. > > >> ** Section 5.2.4. Are there any MTI parameters for the token binding to >> specify? > > After reviewing RFC 8473, it appears that more changes to the RPC protocol would > be necessary to support Token Binding. Thus perhaps support for token binding in > this context should be deferred to a separate document. Can anyone with more > domain expertise comment? > > > -- > Chuck Lever
- [nfsv4] Roman Danyliw's Discuss on draft-ietf-nfs… Roman Danyliw via Datatracker
- Re: [nfsv4] Roman Danyliw's Discuss on draft-ietf… Chuck Lever
- Re: [nfsv4] Roman Danyliw's Discuss on draft-ietf… Chuck Lever
- Re: [nfsv4] Roman Danyliw's Discuss on draft-ietf… Chuck Lever
- Re: [nfsv4] Roman Danyliw's Discuss on draft-ietf… Chuck Lever
- Re: [nfsv4] Roman Danyliw's Discuss on draft-ietf… Mkrtchyan, Tigran
- Re: [nfsv4] Roman Danyliw's Discuss on draft-ietf… Chuck Lever
- Re: [nfsv4] Roman Danyliw's Discuss on draft-ietf… Chuck Lever
- Re: [nfsv4] Roman Danyliw's Discuss on draft-ietf… David Noveck
- Re: [nfsv4] Roman Danyliw's Discuss on draft-ietf… Roman Danyliw
- Re: [nfsv4] Roman Danyliw's Discuss on draft-ietf… Chuck Lever
- Re: [nfsv4] Roman Danyliw's Discuss on draft-ietf… David Noveck
- Re: [nfsv4] Roman Danyliw's Discuss on draft-ietf… Chuck Lever
- Re: [nfsv4] Roman Danyliw's Discuss on draft-ietf… David Noveck
- Re: [nfsv4] Roman Danyliw's Discuss on draft-ietf… Chuck Lever
- Re: [nfsv4] Roman Danyliw's Discuss on draft-ietf… David Noveck
- Re: [nfsv4] Roman Danyliw's Discuss on draft-ietf… Chuck Lever