Re: [P2PSIP] Mirja Kühlewind's No Objection on draft-ietf-p2psip-share-09: (with COMMENT)

"Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net> Fri, 04 November 2016 10:27 UTC

Return-Path: <ietf@kuehlewind.net>
X-Original-To: p2psip@ietfa.amsl.com
Delivered-To: p2psip@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03A0A129BB1 for <p2psip@ietfa.amsl.com>; Fri, 4 Nov 2016 03:27:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.399
X-Spam-Level:
X-Spam-Status: No, score=-3.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.497, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DEqQ6EhVL7gZ for <p2psip@ietfa.amsl.com>; Fri, 4 Nov 2016 03:27:44 -0700 (PDT)
Received: from kuehlewind.net (kuehlewind.net [83.169.45.111]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6DFC5129BC7 for <p2psip@ietf.org>; Fri, 4 Nov 2016 03:27:44 -0700 (PDT)
Received: (qmail 30318 invoked from network); 4 Nov 2016 11:20:59 +0100
Received: from p5dec2f5c.dip0.t-ipconnect.de (HELO ?192.168.178.33?) (93.236.47.92) by kuehlewind.net with ESMTPSA (DHE-RSA-AES256-SHA encrypted, authenticated); 4 Nov 2016 11:20:58 +0100
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 10.1 \(3251\))
From: "Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net>
In-Reply-To: <b15c05cd-847e-0e1e-e9c3-a395a8facc53@haw-hamburg.de>
Date: Fri, 4 Nov 2016 11:20:57 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <8BE2DB18-AE9E-4EE3-AD9C-D654C633AD8A@kuehlewind.net>
References: <02239df0a78b4b218f58e98d27f23405@HUB02.mailcluster.haw-hamburg.de> <b15c05cd-847e-0e1e-e9c3-a395a8facc53@haw-hamburg.de>
To: "Thomas C. Schmidt" <t.schmidt@haw-hamburg.de>
X-Mailer: Apple Mail (2.3251)
Archived-At: <https://mailarchive.ietf.org/arch/msg/p2psip/zgJ5v5zgH8t4cjdM0k-qY7KrqdI>
Cc: "draft-ietf-p2psip-share@ietf.org" <draft-ietf-p2psip-share@ietf.org>, "marc@petit-huguenin.org" <marc@petit-huguenin.org>, The IESG <iesg@ietf.org>, "p2psip-chairs@ietf.org" <p2psip-chairs@ietf.org>, "p2psip@ietf.org" <p2psip@ietf.org>
Subject: Re: [P2PSIP] =?utf-8?q?Mirja_K=C3=BChlewind=27s_No_Objection_on_draft?= =?utf-8?q?-ietf-p2psip-share-09=3A_=28with_COMMENT=29?=
X-BeenThere: p2psip@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Peer-to-Peer SIP working group discussion list <p2psip.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/p2psip>, <mailto:p2psip-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/p2psip/>
List-Post: <mailto:p2psip@ietf.org>
List-Help: <mailto:p2psip-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/p2psip>, <mailto:p2psip-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Nov 2016 10:27:46 -0000

Hi Thomas,

this is not a discus and I’m fine your reply. Still a few more comments:

> Am 31.10.2016 um 15:37 schrieb Thomas C. Schmidt <t.schmidt@haw-hamburg.de>;:
> 
> Hi Mirja,
> 
> you are right in the sense that (a) if all previous evaluations have been performed without a failure, and (b) if no revocation occurred (or (c) a previous revocation has cleaned up all further delegation entries), then the write procedure can rely on the single delegation entry that matches the current user name of the writer.

This comes down to me to only one ‚if‘ and that is actually point c. And I’d hope that c would always happen.

> 
> However, this includes several "ifs". For instance, if cleanup of the delegation list has not been completed at the time of granting write access, errors in the trust chain may occur. This could introduce unwanted attack surface.

Could you document this attack surface in the doc…?

> 
> Our rationale behind designing this complete, self-contained procedure was (a) writing an ACL list is not a frequent operation (so complexity is not the major concern), and (b) keeping all operations simple, robust, and of minimal dependence w.r.t. each other.

Don’t you have to do the check every time you check write access for a shared resource? That can be much more often.

Mirja


> 
> That's why it's like that.
> 
> Cheers,
> Thomas
> 
> On 31.10.2016 15:06, Mirja Kuehlewind wrote:
>> Mirja Kühlewind has entered the following ballot position for
>> draft-ietf-p2psip-share-09: No Objection
>> 
>> When responding, please keep the subject line intact and reply to all
>> email addresses included in the To and CC lines. (Feel free to cut this
>> introductory paragraph, however.)
>> 
>> 
>> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
>> for more information about IESG DISCUSS and COMMENT positions.
>> 
>> 
>> The document, along with other ballot positions, can be found here:
>> https://datatracker.ietf.org/doc/draft-ietf-p2psip-share/
>> 
>> 
>> 
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>> 
>> Quick questions on sec 6.3. (Validating Write Access through an ACL):
>> Do I really need to validate the authorization chain in the ACL every
>> time I give access to a resource? Wouldn't I rather validate the ACL when
>> it's modified and then simply assume that it is sufficient that I have an
>> entry in the ACL to provide access?
>> 
> 
> -- 
> 
> Prof. Dr. Thomas C. Schmidt
> ° Hamburg University of Applied Sciences                   Berliner Tor 7 °
> ° Dept. Informatik, Internet Technologies Group    20099 Hamburg, Germany °
> ° http://www.haw-hamburg.de/inet                   Fon: +49-40-42875-8452 °
> ° http://www.informatik.haw-hamburg.de/~schmidt    Fax: +49-40-42875-8409 °
>