Re: [nfsv4] [secdir] SECDIR Review of draft-ietf-nfsv4-umask-03

David Noveck <davenoveck@gmail.com> Wed, 07 June 2017 10:44 UTC

From: David Noveck <davenoveck@gmail.com>
Date: Wed, 07 Jun 2017 06:44:08 -0400
Message-ID: <CADaq8jeftsphCTEyAkSn9z3j9ffFRE+JfKT8V_MgdifKX0zL4w@mail.gmail.com>
To: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>
Cc: Nico Williams <nico@cryptonector.com>, Watson Ladd <watsonbladd@gmail.com>, "secdir@ietf.org" <secdir@ietf.org>, Phillip Hallam-Baker <phill@hallambaker.com>, NFSv4 <nfsv4@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/m9vW-72_CoWwLbFm88fIkoqLxZU>
Subject: Re: [nfsv4] [secdir] SECDIR Review of draft-ietf-nfsv4-umask-03

> Does that help?

Yes it does.  As Nico points out, implementations of this document will
help improve NFSv4 security, although the issues addressed seem to be
disjoint from the ones raised in the SECDIR review.  In any case, since
prototypes exist, I hope we will see increasing interoperability testing
of umask implementations.

On Wed, Jun 7, 2017 at 3:08 AM, Spencer Dawkins at IETF <
spencerdawkins.ietf@gmail.com> wrote:

> Hi, David,
>
> Speaking as the responsible AD ...
>
> On Tue, Jun 6, 2017 at 11:00 AM, Nico Williams <nico@cryptonector.com>
> wrote:
>
>> On Tue, Jun 06, 2017 at 11:21:13AM -0400, David Noveck wrote:
>> > > A more complete analysis of RPCSEC_GSS should really not be
>> > > done in the context of this I-D.
>> >
>> > I agree that it should not, but it is not clear exactly what is being
>> > asked for to get this document into the RFC editing process.  Unlike
>>
>> It's a secdir review.  It plays no official part in the publication
>> process.  It is merely a review meant to aid the IESG.
>>
>> > xattrs, this document actually has been approved.  The state is listed
>> > as "Approved-announcement to be sent::Point Raised - writeup needed"
>> > so we know it has been approved but are unclear about why this has not
>> > been announced, what exactly the point raised might be and how the
>> > issue/point is to be resolved.
>>
>> The secdir review may simply have been too late.  But it's still worth
>> responding to, which I have.
>>
>> I took up this sub-thread because I'm familiar enough with the subject
>> so I can, and because I think Phillip and Watson deserve getting answers
>> on this even if there's no procedural need to provide them.
>>
>> > I think the authors are entitled to a clearer treatment of these matters.
>>
>> So are non-NFSv4 WG participants in this thread.  It's not every day you
>> get a free analysis of your protocol by folks like Watson.  Rejoice.
>
>
>  The document is approved. We now approve documents with no Discuss ballot
> positions, but can still make changes to resolve comments that arise during
> IESG Evaluation, if that's appropriate.
>
> I read Phillip's SECDIR review with interest. It does not seem to apply to
> this draft, any more than to the rest of NFSv4, so I wouldn't hold up this
> draft to pursue the issues Phillip raised.
>
> Those issues do seem to be a useful input to NFSv4, as the working group
> considers a charter update (after finishing quite a lot of work, and thanks
> to you all for that).
>
> Does that help?
>
> Spencer (D)
>