IETF Logo Mail Archive

Re: [NNTP] Fwd: Last Call: <draft-murchison-nntp-compress-05.txt> (Network News Transfer Protocol (NNTP) Extension for Compression) to Proposed Standard

Julien ÉLIE <julien@trigofacile.com> Mon, 19 September 2016 01:18 UTC

Return-Path: <ietf-nntp-bounces+nntpext-archive=ietf.org@lists.eyrie.org>
X-Original-To: ietfarch-nntpext-archive@ietfa.amsl.com
Delivered-To: ietfarch-nntpext-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2748812B17D for <ietfarch-nntpext-archive@ietfa.amsl.com>; Sun, 18 Sep 2016 18:18:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.215
X-Spam-Level:
X-Spam-Status: No, score=-4.215 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RP_MATCHES_RCVD=-2.316] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IM_0M-rw3Wdm for <ietfarch-nntpext-archive@ietfa.amsl.com>; Sun, 18 Sep 2016 18:18:50 -0700 (PDT)
Received: from hope.eyrie.org (hope.eyrie.org [166.84.7.155]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2402512B0CB for <nntpext-archive@ietf.org>; Sun, 18 Sep 2016 18:18:50 -0700 (PDT)
Received: from hope.eyrie.org (localhost [IPv6:::1]) by hope.eyrie.org (Postfix) with ESMTP id 5941867FA7 for <nntpext-archive@ietf.org>; Sun, 18 Sep 2016 18:18:49 -0700 (PDT)
X-Original-To: ietf-nntp@lists.eyrie.org
Delivered-To: ietf-nntp@lists.eyrie.org
Received: from smtp.smtpout.orange.fr (smtp13.smtpout.orange.fr [80.12.242.135]) by hope.eyrie.org (Postfix) with ESMTP id AD41767E14 for <ietf-nntp@lists.eyrie.org>; Sun, 18 Sep 2016 18:18:47 -0700 (PDT)
Received: from macbook-pro-de-julien-elie.home ([92.170.5.52]) by mwinf5d70 with ME id l7yj1t00117Lgi4037yjyL; Sun, 18 Sep 2016 21:58:43 +0200
X-ME-Helo: macbook-pro-de-julien-elie.home
X-ME-Auth: anVsaWVuLmVsaWU0ODdAd2FuYWRvby5mcg==
X-ME-Date: Sun, 18 Sep 2016 21:58:43 +0200
X-ME-IP: 92.170.5.52
To: ietf-nntp@lists.eyrie.org
References: <147370585231.3841.13116072033078869671.idtracker@ietfa.amsl.com> <ac156e10-4a21-d3fc-4121-c8183fde0851@trigofacile.com> <87k2e980ak.fsf@hope.eyrie.org>
From: Julien ÉLIE <julien@trigofacile.com>
Organization: TrigoFACILE -- http://www.trigofacile.com/
Message-ID: <1aa22bfc-6c3f-168b-1878-d77b2e33be01@trigofacile.com>
Date: Sun, 18 Sep 2016 21:58:42 +0200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <87k2e980ak.fsf@hope.eyrie.org>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Subject: Re: [NNTP] Fwd: Last Call: <draft-murchison-nntp-compress-05.txt> (Network News Transfer Protocol (NNTP) Extension for Compression) to Proposed Standard
X-BeenThere: ietf-nntp@lists.eyrie.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: NNTP protocol discussion <ietf-nntp.lists.eyrie.org>
List-Unsubscribe: <https://lists.eyrie.org/mailman/options/ietf-nntp>, <mailto:ietf-nntp-request@lists.eyrie.org?subject=unsubscribe>
List-Archive: <https://lists.eyrie.org/pipermail/ietf-nntp/>
List-Post: <mailto:ietf-nntp@lists.eyrie.org>
List-Help: <mailto:ietf-nntp-request@lists.eyrie.org?subject=help>
List-Subscribe: <https://lists.eyrie.org/mailman/listinfo/ietf-nntp>, <mailto:ietf-nntp-request@lists.eyrie.org?subject=subscribe>
Errors-To: ietf-nntp-bounces+nntpext-archive=ietf.org@lists.eyrie.org
Sender: ietf-nntp <ietf-nntp-bounces+nntpext-archive=ietf.org@lists.eyrie.org>

Hi Russ,

>> The NNTP COMPRESS extension is currently in IETF Last Call.
>> You can see the current document here:
>>     https://tools.ietf.org/html/draft-murchison-nntp-compress-05
>
> Here are a few comments (which I had already sent to Julien privately).
> There was some follow-up discussion since I misunderstood a couple of
> points; I'll let Julien summarize that.

OK, I'll do that.  Thanks again for having taken time to read the document.


> - Section 3 is marked as informative rather than normative, but section
>   3.1 uses normative keywords (MUST and SHOULD).  I think you can only do
>   one or the other.  If that section is supposed to be normative, maybe
>   make it section 4 instead?

Yes, making it section 4 would be better.


> - I don't understand what this bit in Security Considerations means:
>
>      Implementations SHOULD use a default configuration with disabled
>      compression when a security layer is active, and MUST support an
>      option to allow compression to be enabled when a security layer is
>      active.  Such an option can be either with global scope or server/
>      connection based.  Implementations MAY unconditionally allow
>      compression to be enabled when no security layer is active.
>
>   Generally, protocol specifications don't get to mandate what
>   implementations MUST do in local configuration, but apart from that, I'm
>   not sure what this is even driving at.  You're trying to say that
>   implementations SHOULD default to disabling compression when there's a
>   security layer active but MUST support configuring the implementation to
>   allow it?  Why would that be something we would need to constrain?  As
>   written, this paragraph appears to declare noncompliant an
>   implementation that only supports COMPRESS when there is no security
>   layer, and I'm not sure why we would want to do that.

You're totally right that the MUST is not good here.
The point of the paragraph is to say that, to maximize security, 
compression should not be enabled by default when a security layer is 
active.
On second thoughts, I think either the whole paragraph you quote should 
be removed or reworded to something like:

       Implementations are encouraged to unconditionally allow
       compression when no security layer is active, and to support
       an option to enable or disable compression when a security layer
       is active.  Such an option could for instance be with global
       scope or server/connection based.

Would it sound good to you?  (or perhaps without the second sentence, 
that may be superfluous?)


> - I think you want an explicit reference to RFC 4422 the first time you
>   mention security layer in the Security Considerations section, since
>   it's not otherwise obvious that you're specifically talking about a SASL
>   security layer.  (For instance, one might reasonably assume TLS is a
>   security layer if the term was used in the general sense, since it's a
>   protocol layer that adds a security feature.)

In fact, when we use "security layer" in the document, it refers to both 
TLS and SASL.  I'll try to reword it in a more understandable way.
Security considerations apply to the use of COMPRESS with TLS and also 
to the use of COMPRESS with a SASL security layer.
Moreover, we can have both TLS and a SASL security layer in place during 
the same NNTP session.


> - RFC 1951 definitely needs to be a normative reference.  (It's already
>   listed in DownrefRegistry, so shouldn't be a problem.)
>
> - I'm pretty sure RFC 4643 needs to be a normative reference, since you
>   mention it in conjunction with normative requirements about sequencing
>   and security considerations.

Yep.  I confess not having given much importance to the sorting between 
normative/informative references.  I'll review that.


> I'm going to try to serve as the document shepherd unless someone with
> more time than I have (which isn't much at the moment) volunteers.  :)

Thanks again for your comments, and the proposal to shepherd the 
document if no one else wishes to.

-- 
Julien ÉLIE

« Ça n'a été qu'un coup de glaive dans l'eau. » (Astérix)

v2.23.0 | Report a Bug | By Email