IETF Logo Mail Archive

Re: [Pearg] [Secdispatch] Numeric IDs: Update to RFC3552

Eric Rescorla <ekr@rtfm.com> Fri, 19 April 2019 14:47 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: pearg@ietfa.amsl.com
Delivered-To: pearg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5C6D120159 for <pearg@ietfa.amsl.com>; Fri, 19 Apr 2019 07:47:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RH4noTCeNovK for <pearg@ietfa.amsl.com>; Fri, 19 Apr 2019 07:47:50 -0700 (PDT)
Received: from mail-lj1-x241.google.com (mail-lj1-x241.google.com [IPv6:2a00:1450:4864:20::241]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C6751202E4 for <pearg@irtf.org>; Fri, 19 Apr 2019 07:47:47 -0700 (PDT)
Received: by mail-lj1-x241.google.com with SMTP id p14so4872707ljg.5 for <pearg@irtf.org>; Fri, 19 Apr 2019 07:47:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ncKEyVHeVOiesfYYk73ytfIB1Si52lC5VYv63SnAKAY=; b=aZL7w3hXwKRC6khfWsypFcncU67PL8pCdmKQcoL5HS3RFtucHMCXuw71lRGsvIpRQq 88N1c4TeagVLvylrNMZumY1D3n+j0jHITvg9n32CEQKTZbdGYPnyrGLiKwvaPz+YaqRW jAO5E3FKcqBQeGVOF5wKg4r6APvOG3QjvuIRbHWnzXCW6gSj4OIv4le9r71KODQfjasc ULdvoHC5N2ZqWjCiJWMtjS6OmrRyCo4+64uAQLIQcEf4oqzas/MWZYHCIS82qV2xsOB6 bIme2lH/o0sS+izaRkha970FudzwiWaGlw76lopp0r4OCPiqq5mnyATAFVMq0gvojbXD m9PA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ncKEyVHeVOiesfYYk73ytfIB1Si52lC5VYv63SnAKAY=; b=ZLlG1ts6VTiehwtAbmxx2JTu0wa1enUlzlPl3jsBEvTOPyoo3v8Rfgl9SoIiPSJKIg HXryEHP/nSIQJJ3MMxwVp0NArF96Hd7m2nXEZWCQW7V7vs07ZTHR5H6leaVc5m3FKyOX 3sr2J6gqT10sqvGSQu+E7HMsRvTYdWHmvEaSNwrENHJ7VxpAk0C2pmjR4rCYs7efvdAK Sxhd5YP8GwTAeIMiZNq5I5BTDAqa6JKKorvE2taLy6PxzUqDumQ1Zcqhr8dvWdiiK16c vzv5jl+3u57uR8HnnXjXupZI6U8IKGwbkL+TXLS7s75Z1pvowscS1uMY9U8VlCpgBO49 8T+g==
X-Gm-Message-State: APjAAAWPszNBXjRfw8qr3br7Pg4ROSmie9EAq59zdtegWmn2illIFzCU 230/PJdz35OYDgZlZfellBVIkTYrUsNQKmmsu+wcrA==
X-Google-Smtp-Source: APXvYqzybPfoKyQQEU4eO1jdERF9iOOv87keKd33kz5nC2rzwzlbNxwIiWmh1Zh1pqdXGoiU1slSCYwtSyi9yvB8eVM=
X-Received: by 2002:a2e:9194:: with SMTP id f20mr2561166ljg.10.1555685265516; Fri, 19 Apr 2019 07:47:45 -0700 (PDT)
MIME-Version: 1.0
References: <4ac730a6-73ca-74cd-e848-4a6645bd0403@si6networks.com> <CABcZeBOy6MB0OG2cs=EE6hWB4pXBuNzW=LcQ+1dKmJzHBOUR-g@mail.gmail.com> <bc733114-6f97-532b-02d5-2730e834340a@si6networks.com> <CABcZeBPr2rfVkib684Gz4uCPWtFc4trwusJxNRJ6EPPpA=d0QA@mail.gmail.com> <f3607e4f-c805-3cb5-110b-f09cb8748577@si6networks.com> <CABcZeBPwVDiMKSR-w-oq16FN__j8c8dEqutL3Z92SXKF5RT_Uw@mail.gmail.com> <20190419012507.GB95327@kduck.mit.edu>
In-Reply-To: <20190419012507.GB95327@kduck.mit.edu>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 19 Apr 2019 07:47:07 -0700
Message-ID: <CABcZeBNVUvvF9Y8nMk=dRpfH0RNeWtVsfnT2jXWd3w=NGC0_mA@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: Fernando Gont <fgont@si6networks.com>, IETF SecDispatch <secdispatch@ietf.org>, pearg@irtf.org, "Iván Arce (Quarkslab)" <iarce@quarkslab.com>, secdispatch-chairs@ietf.org
Content-Type: multipart/alternative; boundary="000000000000a259630586e333da"
Archived-At: <https://mailarchive.ietf.org/arch/msg/pearg/C1jIZVTiZwnQ5E4P-mm6O_UVfo0>
Subject: Re: [Pearg] [Secdispatch] Numeric IDs: Update to RFC3552
X-BeenThere: pearg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Privacy Enhancements and Assessment Proposed RG <pearg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/pearg>, <mailto:pearg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pearg/>
List-Post: <mailto:pearg@irtf.org>
List-Help: <mailto:pearg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/pearg>, <mailto:pearg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Apr 2019 14:47:52 -0000

On Thu, Apr 18, 2019 at 6:25 PM Benjamin Kaduk <kaduk@mit.edu> wrote:

> On Thu, Apr 18, 2019 at 05:01:17PM -0700, Eric Rescorla wrote:
> > On Thu, Apr 18, 2019 at 4:40 PM Fernando Gont <fgont@si6networks.com>
> wrote:
> >
> > > On 19/4/19 01:09, Eric Rescorla wrote:
> > > >
> > > >
> > > > On Thu, Apr 18, 2019 at 3:03 PM Fernando Gont <fgont@si6networks.com
> > > > <mailto:fgont@si6networks.com>> wrote:
> > > >
> > > >     On 18/4/19 15:45, Eric Rescorla wrote:
> > > >     >
> > > >     >
> > > >     > On Tue, Apr 16, 2019 at 2:07 AM Fernando Gont
> > > >     <fgont@si6networks.com <mailto:fgont@si6networks.com>
> > > >     > <mailto:fgont@si6networks.com <mailto:fgont@si6networks.com>>>
> > > wrote:
> > > >     >
> > > >     >     Folks,
> > > >     >
> > > >     >     At the last secdispatch meeting I presented our I-D
> > > >     >     draft-gont-predictable-numeric-ids.
> > > >     >
> > > >     >     >From the meeting discussion, it would seem to me that
> there
> > > >     is support
> > > >     >     for this work.
> > > >     >
> > > >     >     It would also seem to me that part of this work is to be
> > > >     pursued in an
> > > >     >     appropriate IRTF rg, while the update to RFC3552
> > > >     >     (draft-gont-numeric-ids-sec-considerations) should be
> pursued
> > > >     as an
> > > >     >     AD-sponsored document.
> > > >     >
> > > >     >
> > > >     > I'm somewhat skeptical on an update to 3552; the proposed set
> of
> > > >     things
> > > >     > to be improved seems unclear.
> > > >
> > > >     Can you please state what's unclear?
> > > >
> > > >
> > > > I understand the list of things in your document. However, there have
> > > > been proposals for a larger revision to 3552.
> > >
> > > There was an effort to revise RFC3552. It just didn't happen. Looks
> like
> > > trying to boil the ocean wasn't the best idea.
> > >
> >
> > Yes.
> >
> >
> >
> > >
> > > It's a total of 9 pages. If you remove abstract, boilerplate, and
> > > references, you end up with ~4 pages. In fact, the update (and
> > > indispensable text) is that in Section 5, and boils down to:
> > >
> > > ---- cut here ----
> > > 5.  Security and Privacy Requirements for Identifiers
> > >
> > >    Protocol specifications that specify transient numeric identifiers
> > >    MUST:
> > >
> > >    1.  Clearly specify the interoperability requirements for the
> > >        aforementioned identifiers.
> > >
> > >    2.  Provide a security and privacy analysis of the aforementioned
> > >        identifiers.
> > >
> > >    3.  Recommend an algorithm for generating the aforementioned
> > >        identifiers that mitigates security and privacy issues, such as
> > >        those discussed in [I-D.gont-predictable-numeric-ids].
> > > ---- cut here ----
> > >
> >
> > Eh, I think something like this would have been OK in 3552; I'm not
> > sure that it's necessary to add at this point to the list of things that
> > 3552 considers.
> >
> >
> >
> > > >     That said, this document is *updating* RFC3552, rather than a
> > > revision
> > > >     of RFC3552. Therefore, the content in this document wouldn't
> become
> > > part
> > > >     of RFC3552, necessarily.
> > > >
> > > >
> > > > Well, the semantics of "Updates" would be somewhat confusing here.
> > > > Certainly I don't think that this document is something we need to
> > > > transitively incorporate into 3552, but I care a lot less about the
> > > > contents of this header than I do about whether 3552 should be
> updated
> > > > to include this material.
> > >
> > > I do think RFC3552 should be updated as indicated (this stuff is
> general
> > > enough to be covered there).
> > >
> > > That said, the high-order bit here is to do something to prevent the
> bad
> > > history we have wrt numeric ids from repeating itself.
> > >
> > > If the whole point is that you'd like the "Updates: 3552 (if approved)"
> > > header to be removed (along with references to "updating RFC3552"),
> > > please say so.
> >
> >
> > No, that's not my point. As I said, I don't think we should publish a new
> > version
> > of 3552 with this material or similar material in it. I don't much care
> one
> > way
> > or the other whether this document is published, and while I don't think
> > marking
> > it as updating 3552 is that helpful, I'm not going to die on that hill
> > either.
>
> Do you care to state an opinion on "Updates: 3552" vs. an additional
> document in BCP 72 (vs. both or none)?
>

I don't really think either of them matters much one way or the other.

-Ekr


> Thanks,
>
> Ben
>
> --
> Pearg mailing list
> Pearg@irtf.org
> https://www.irtf.org/mailman/listinfo/pearg
>

v2.14.0 | Report a Bug | By Email