[paws] Fwd: Stephen Farrell's Discuss on draft-ietf-paws-protocol-14: (with DISCUSS and COMMENT)
Pete Resnick <presnick@qti.qualcomm.com> Wed, 20 August 2014 01:56 UTC
Return-Path: <presnick@qti.qualcomm.com>
X-Original-To: paws@ietfa.amsl.com
Delivered-To: paws@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A68431A86E9 for <paws@ietfa.amsl.com>; Tue, 19 Aug 2014 18:56:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.669
X-Spam-Level:
X-Spam-Status: No, score=-7.669 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NPF73bNmvch6 for <paws@ietfa.amsl.com>; Tue, 19 Aug 2014 18:56:45 -0700 (PDT)
Received: from wolverine02.qualcomm.com (wolverine02.qualcomm.com [199.106.114.251]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B1661A6F9B for <paws@ietf.org>; Tue, 19 Aug 2014 18:56:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=qti.qualcomm.com; i=@qti.qualcomm.com; q=dns/txt; s=qcdkim; t=1408499805; x=1440035805; h=message-id:date:from:mime-version:to:subject; bh=2ne4fdtaq7eCVpjyJXsv63XuPxgEpY3KAkDCOAaB5Oo=; b=fH5D+vsYw0F3wGwQTjUK8e563DATQAvaZTxEoegYDVaj0R41CePhIPyj HVTIUldMWLmy+zmtCIBnMdBc5KITzsd+hqr3AM+DKBjJGzsch5vPekkGh zxgxolkTMrTGuGmc6Px99ZhXxAGMMuAZk5IY1+03o3F5vC33xf3WunANj Q=;
X-IronPort-AV: E=McAfee;i="5600,1067,7535"; a="150689958"
Received: from ironmsg02-lv.qualcomm.com ([10.47.202.183]) by wolverine02.qualcomm.com with ESMTP; 19 Aug 2014 18:56:45 -0700
X-IronPort-AV: E=Sophos;i="5.01,898,1400050800"; d="eml'208?scan'208,208";a="30399372"
Received: from nasanexhc01.na.qualcomm.com ([10.46.57.53]) by ironmsg02-lv.qualcomm.com with ESMTP/TLS/RC4-SHA; 19 Aug 2014 18:56:45 -0700
Received: from nasanexhc05.na.qualcomm.com (172.30.48.2) by NASANEXHC01.na.qualcomm.com (10.46.57.53) with Microsoft SMTP Server (TLS) id 14.3.181.6; Tue, 19 Aug 2014 18:56:44 -0700
Received: from resnick2.qualcomm.com (172.30.48.1) by qcmail1.qualcomm.com (172.30.48.2) with Microsoft SMTP Server (TLS) id 14.3.181.6; Tue, 19 Aug 2014 18:56:44 -0700
Message-ID: <53F4005B.3060800@qti.qualcomm.com>
Date: Tue, 19 Aug 2014 20:56:43 -0500
From: Pete Resnick <presnick@qti.qualcomm.com>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.7; en-US; rv:1.9.1.9) Gecko/20100630 Eudora/3.0.4
MIME-Version: 1.0
To: "paws@ietf.org" <paws@ietf.org>
Content-Type: multipart/mixed; boundary="------------040802020708070400040605"
X-Originating-IP: [172.30.48.1]
Archived-At: http://mailarchive.ietf.org/arch/msg/paws/0e3Aq5-08t_qQM2tezAS-rzbRlE
Subject: [paws] Fwd: Stephen Farrell's Discuss on draft-ietf-paws-protocol-14: (with DISCUSS and COMMENT)
X-BeenThere: paws@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Protocol to Access White Space database \(PAWS\)" <paws.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/paws>, <mailto:paws-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/paws/>
List-Post: <mailto:paws@ietf.org>
List-Help: <mailto:paws-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/paws>, <mailto:paws-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Aug 2014 01:56:47 -0000
--- Begin Message ---Stephen Farrell has entered the following ballot position for draft-ietf-paws-protocol-14: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: http://datatracker.ietf.org/doc/draft-ietf-paws-protocol/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- Hi, I've a few things to discuss, but I think only the first is possibly tricky... (1) 4.4.1 - why are location and deviceOwner required? The FCC may require those but why does the protocol? I don't see that those are needed for interop. Isn't that latter the right criterion for inclusion as a required field? I could see a reason for the location-from-which-I-want-to-use-WS but that's not what is described I think. The discuss here is both relating to the privacy issues with requiring exposure of identifying information but also relating to the criteria used to determine required vs. optional and how those map to interop vs. to current known sets of regulatory rules. (Same for 5.2 serialNumber, though there a dynamic/random choice may be needed instead.) (2) 4.4.1 - is the location here the location of the device or the location from which spectrum is to be used? I think you need to disambiguate those. I continue to think there should be a way to ask for spectrum in London, tomorrow; even whilst still in Dublin, today. 4.5.1 seems to imply this may be allowed sometimes, but I'm not clear if that works - how would the "tomorrow" value be sent? (3) Section 7: I think it'd be a good idea to either reference the UTA TLS BCP for ciphersuites etc or else (if you'd rather not have a dependency to another WG's I-D, which I'd understand) to specify some here. The MTIs from 5246 are looking pretty jaded right now. You may also want to mandate use of OCSP or even stapling - there are a few more TLS things you can do that help interop and to speed things up. I'm not trying to insist you do/document all of those things, but would like to chat about it for a bit. (4) Section 7: You are assuming some kind of PKI is used to authenticate DBs. Now that might work with the current Web PKI, except that then any public Web PKI CA can fake any DB but are regulator's ok with that? Secondly, TLS requires that the DB nominate the acceptable CAs for client auth, so there's a bit of specification missing here which is maybe that a DB's description needs to include information about its acceptable trust anchors. I don't think you necessarily need to fix all of that in this document, but what is the plan here? (And maybe some of it ought be fixed here, not sure.) ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- - write-up: its a pity that coders haven't gotten together more openly and done interop, but I guess different businesses are different. - section 1, last para: I realise authorized devices is what the WG are interested in, but the protocol ought not require that, so the last sentence here is wrong - it surely should be: s/device is authorized to operate/device operates/ - Ruleset: I hope there's a NULL, meaning "no rules":-) - 4.4.1 - nothing stops a device lying about location, right? - 4.5 - the slave location vs. master location seems unclear to me. Can you clarify? - 4.5.1 - timestamp has to be UTC right? You only seem to indicate that via the "Z" in the timestamp format which I expect could be easily missed. Suggest you emphasise that. You should probably also say if truncated timestamps are ok, for example just to the minute granularity without specifying seconds. I assume that's not allowed? And lastly, please specify if the start (resp. end) of the second (or whatever) unit is when a device gains (resp. looses) spectrum. (Or add a global statement on timezones where you earlier said that identifiers are case sensitive by default.) Some of this is in 5.14, but I'm not sure if that's enough. (It could be.) - 5.2 - I don't get why you need X.520 here. - 5.5 - could a vCard value just be (the moral equivalent of) "Internet" or "I'm not telling"? - section 7: Saying the master device MUST implement server auth is confusing, since the master device is the TLS client, right? - Section 10: Under the privacy bullet you should also recognise that an authorized entity can be privacy invasive (e.g. selling contact information, sending all on to law enforcement without permission). - Section 10: Given diginotar and similar (incl. by nation states), having the master device send its identifying information in its first message means that simply saying "use TLS" is not enough. You need to say "TLS, assuming the PKI used is ok,..." or similar.--- End Message ---
- [paws] Fwd: Stephen Farrell's Discuss on draft-ie… Pete Resnick