Re: [regext] [Ext] Benjamin Kaduk's Discuss on draft-ietf-regext-data-escrow-07: (with DISCUSS and COMMENT)

Gustavo Lozano <gustavo.lozano@icann.org> Thu, 16 April 2020 22:26 UTC

Return-Path: <gustavo.lozano@icann.org>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5BE7A3A1254; Thu, 16 Apr 2020 15:26:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FPGPMzJJa_jS; Thu, 16 Apr 2020 15:26:46 -0700 (PDT)
Received: from ppa4.dc.icann.org (ppa4.dc.icann.org [192.0.46.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B87FA3A1242; Thu, 16 Apr 2020 15:26:46 -0700 (PDT)
Received: from PFE112-CA-2.pexch112.icann.org (out.west.pexch112.icann.org [64.78.40.10]) by ppa4.dc.icann.org (8.16.0.42/8.16.0.42) with ESMTPS id 03GMQg1h032542 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Thu, 16 Apr 2020 22:26:43 GMT
Received: from PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) by PMBX112-W1-CA-2.pexch112.icann.org (64.78.40.23) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Thu, 16 Apr 2020 15:26:40 -0700
Received: from PMBX112-W1-CA-1.pexch112.icann.org ([64.78.40.21]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([64.78.40.21]) with mapi id 15.00.1497.006; Thu, 16 Apr 2020 15:26:40 -0700
From: Gustavo Lozano <gustavo.lozano@icann.org>
To: Benjamin Kaduk <kaduk@mit.edu>, The IESG <iesg@ietf.org>
CC: "draft-ietf-regext-data-escrow@ietf.org" <draft-ietf-regext-data-escrow@ietf.org>, "regext-chairs@ietf.org" <regext-chairs@ietf.org>, "regext@ietf.org" <regext@ietf.org>, James Gould <jgould@verisign.com>
Thread-Topic: [Ext] Benjamin Kaduk's Discuss on draft-ietf-regext-data-escrow-07: (with DISCUSS and COMMENT)
Thread-Index: AQHWDb7v8GuqbHphb0ySYOwtzXFJdKh8YLOA
Date: Thu, 16 Apr 2020 22:26:40 +0000
Message-ID: <1FB5F69E-90FD-4069-B378-835EA4CEBE12@icann.org>
References: <158636167278.24432.4833820670236901134@ietfa.amsl.com>
In-Reply-To: <158636167278.24432.4833820670236901134@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.36.20041300
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [192.0.32.234]
x-source-routing-agent: Processed
Content-Type: text/plain; charset="utf-8"
Content-ID: <FEDF3FDF8FBA374AB46877AC8E8C29E0@pexch112.icann.org>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.138, 18.0.676 definitions=2020-04-16_10:2020-04-14, 2020-04-16 signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/BEv0cE7Tw1I_B70uCtebiVao1s4>
Subject: Re: [regext] [Ext] Benjamin Kaduk's Discuss on draft-ietf-regext-data-escrow-07: (with DISCUSS and COMMENT)
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Apr 2020 22:26:50 -0000

Thank you, Benjamin,

Comments inline, prefixed with GL -.

Regards,
Gustavo

On 4/8/20, 09:01, "Benjamin Kaduk via Datatracker" <noreply@ietf.org> wrote:

    Benjamin Kaduk has entered the following ballot position for
    draft-ietf-regext-data-escrow-07: Discuss

    When responding, please keep the subject line intact and reply to all
    email addresses included in the To and CC lines. (Feel free to cut this
    introductory paragraph, however.)


    Please refer to https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_iesg_statement_discuss-2Dcriteria.html&d=DwICaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=VbweciUcwYQpIOZDSxl0ezGd1hGDtd-0BvgAgfmwfE0&m=XLPt-K5FLKU1oce9PiZyutUV1_UJqbd348-sDIlLCD8&s=9EVCPSTvj9RgWF9Z3e7HBLsbaPg6R2CPwDhbFPM8sEM&e= 
    for more information about IESG DISCUSS and COMMENT positions.


    The document, along with other ballot positions, can be found here:
    https://urldefense.proofpoint.com/v2/url?u=https-3A__datatracker.ietf.org_doc_draft-2Dietf-2Dregext-2Ddata-2Descrow_&d=DwICaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=VbweciUcwYQpIOZDSxl0ezGd1hGDtd-0BvgAgfmwfE0&m=XLPt-K5FLKU1oce9PiZyutUV1_UJqbd348-sDIlLCD8&s=Avsh9DG_m3aLijuq_I7ulh5IMkYG78XIOq1Puctc2ZU&e= 



    ----------------------------------------------------------------------
    DISCUSS:
    ----------------------------------------------------------------------

    Let's have a discussion about the overall plans for providing guidance
    on mechanisms for (e.g.) cryptographic confidentiality and integrity
    protection of data both in transit and at-rest,
    authentication/authorization requirements, etc..  In particular, what
    it's appropriate and necessary to include in this document vs. other
    documents, and how to provide some specific general baseline guidance
    that can be used in the absence of conflictinc scenario-specific
    deployment requirements.  Some further details in the COMMENT section,
    but in general, it seems like there should be some "off-the-shelf"
    mechanism that can be used without a need for every deployment to do a
    custom thing, for cases where there are not custom requirements.  It may
    not need to be part of this document, but we should have a plan for
    where it will be.

    Also, it's not clear to me whether we expect escrow of
    credentials/verifiers used to authenticate/authorize fourth parties that
    perform operations (e.g., registrations) at the registry (see comment on
    Section 3), and that is pretty important for knowing what security
    requirements to place on the escrow'd data.


GL - 

I interpret your message:

	A new draft could provide the guidelines to implement an escrow service that requires strong security controls. 

In the gTLD space, the legal agreements and processes (e.g. accreditation, etc.) that govern escrow services make the need for this new draft low priority. However, other parties (e.g., ccTLDs) interested in implementing an escrow service could benefit from such a document.

If the IESG does not object to this idea, probably the current security section in the draft could work with a few tweaks.

    ----------------------------------------------------------------------
    COMMENT:
    ----------------------------------------------------------------------

    I agree with Roman that the link to the charter is tenuous; perhaps this
    is a "data format for files exchanged between registration entities that
    needs extraction from EPP or RDAP", but it's not a perfect fit.

    Section 1

       The goal of data escrow is higher resiliency of registration
       services, for the benefit of Internet users.  The beneficiaries of a
       registry are not just those registering information there, but all
       relying parties that need to identify the owners of objects.

    Only relying parties that need to identify *owners* specifically (as
    opposed to consuming other registered data)?

GL - I think the following text addresses your comment, do you agree?

The goal of data escrow is higher resiliency of registration services, for the benefit of Internet users.  The beneficiaries of a registry are not just those registering information there, but also the users of services relying on the registry data.

       In the context of domain name registries, registration data escrow is
       a requirement for generic top-level domains and some country code
       top-level domain managers are also currently escrowing data.  There
       is also a similar requirement for ICANN-accredited domain registrars.

    Are there easy references for these requirements being requirements?

GL - I understand your comment: adding the documents where the requirements for escrow are defined for gTLDs as informative references in the draft. Am I correct?

    Section 2

       Watermark.  If the Timeline Watermark of an Incremental Deposit were
       to cover the Timeline Watermark of another (Incremental or
       Differential) Deposit since the last Full Deposit, the more recent
       deposit MUST contain all the transactions of the earlier deposit.

    Do we define what it means for one Timeline Watermark to "cover" another?

GL - I think the following text addresses your comment, do you agree?

If the Timeline Watermark of an Incremental Deposit were to cover (i.e., one or more Incremental or Differential deposits exist for the period between the Timeline Watermark of a Full and an Incremental or Differential Deposit) the Timeline Watermark of another Incremental or Differential Deposit since the last Full Deposit, the more recent deposit MUST contain all the transactions of the earlier deposit.

    Section 3

       Specifications covering the objects used by registration
       organizations shall identify the format and contents of the deposits
       a registry has to make, such that a different registry would be able
       to rebuild the registration services of the former, without its help,
       in a timely manner, with minimum disruption to its users.

    Rebuilding registration *services* as opposed to just *operation* sounds
    like it will require also escrowing credentials/credential verifiers
    used to authenticate to the registration organization in order to make
    use of such services. 

GL - Not necessarily. For example, in the case of a domain Registry, a domain Registrar could re-set the credential verifier. 

    Such credentials would of course need very
    careful protection both in transit and at rest, in order to avoid
    compromising the integrity of the primary operations of the current
    registration organization.

GL - Correct, escrowing of credentials/credential verifiers require strong security controls. See my suggestion at the DISCUSS section of this email.

       Given the requirement for confidentiality and the importance of
       accuracy of the information that is handled in order to offer
       registration services, parties using this specification shall define
       confidentiality and integrity mechanisms for handling the
       registration data.

    Do we have any recommendations/examples of such mechanisms in the
    pipeline?

GL - Not that I am aware of.

       Specifications covering the objects used by registration
       organizations shall not include in the specification transient
       objects that can be recreated by the new registry, particularly those
       of delicate confidentiality, e.g., DNSSEC KSK/ZSK private keys.

    I'm not sure this is going to be terribly helpful guidance for
    non-domain-name data.  I am acutely aware that cryptographic (symmetric
    and/or private) keys are not the only type of data that this could apply
    to, but it is the only type that I know of a concise/precise description
    for.  E.g., "cryptographic key material that is vital to the integerity
    and/or security of operation of the registry and the systems that rely
    on it but that is not vital to the continuity of operations (e.g.,
    DNSSEC KSK/ZSK private keys)".

    Also, I would assume that the authenticatoin credentials I mention above
    would not qualify for this requirement, since they are not things that
    can be recreated by the new registry.

       Details that are a matter of policy should be identified as such for
       the benefit of the implementers.

    (For human consumption or machine consumption?)

GL - Both. For example, in draft-ietf-regext-dnrd-objects-mapping, there is an object to specify aspects of policy for machine consumption.

    Section 4

    Could we maybe use the section title "Conventions Used in This
    Document"?  "General Conventions" could be interpreted as intended for a
    broader scope, though based on (e.g.) RFC 8748 I don't think that's the
    intent.

GL - Agree, changed the title to "Conventions Used in This Document" in the new version of the draft.

    Section 5

       registry.  The deposits are represented in XML.  Only the format of
       the objects deposited is defined, nothing is prescribed about the
       method used to transfer such deposits between the registry and the
       escrow agent or vice versa.

    nit: comma splice.

GL - Fixed in new version of the draft.

    Also, we said earlier that "parties using this specification shall
    define confidentiality and integrity mechanisms for handling the
    registration data" without, AFAICT, conditions on when that should be
    done.  So in some sense we do prescribe properties of the method used
    for transfer, if I'm reading that correctly.

GL - The sentence on section 5 is about not prescribing the transport mechanism.

    Section 5.1.1

       A REQUIRED <watermark> element contains the data-time corresponding
       to the Timeline Watermark of the deposit.

    I will offer a third opinion, that this was meant to be dateTime.

GL - Correct, changed to date-time in the new version of the draft.

    Section 5.1.2

    I'm confused about the relationship between the <objURI> elements in the
    <rdeMenu> and the objects in the <deletes> and <contents> elements -- is
    <rdeMenu> just a list of "here are all objects that this update
    touchers", with the details in the other sections?

GL - Correct. You may want to take a look at the examples in draft-ietf-regext-dnrd-objects-mapping for further clarity.

    Section 5.1.4

       If an object is present in the <contents> section of several deposits
       (e.g.  Full and Differential) the registry data from the latest
       deposit (as defined by the Timeline Watermark) SHOULD be used when
       rebuilding the registry.

    Why is this not a MUST?

GL - To cover the case when the more recent differential deposit is deemed to be invalid, and a previous differential deposit needs to be used for rebuilding a registry.

    Section 6.1

    Why is there a 13-character maximum for the deposit ID?
    But client IDs range from 3 to 16 characters (which seems kind of short
    as a maximum, especially if a registrar wants to use a domain name as an
    identifier)?

GL - Inherited from EPP.

        <!-- A RDE version number is a dotted pair of decimal numbers -->
        <simpleType name="versionType">
          <restriction base="token">
            <pattern value="[1-9]+\.[0-9]+"/>
            <enumeration value="1.0"/>
          </restriction>
        </simpleType>

    I assume the <pattern> is there to give the overall structure that
    subsequently defined <enumeration>s will adhere to?

GL - Correct.

    I see the rrType defined but not used anywhere; is it still needed in
    this document?

GL- The element is used in https://tools.ietf.org/html/draft-ietf-regext-dnrd-objects-mapping. The element is in the schema for backward compatibility. There is a comment in the schema explaining that these are auxiliary elements.

    Section 10

       Authentication of the parties passing data escrow deposit files is
       also of the utmost importance.  The escrow agent SHOULD properly
       authenticate the identity of the registry before accepting data
       escrow deposits.  In a similar manner, the registry SHOULD
       authenticate the identity of the escrow agent before submitting any
       data.

    I am failing to come up with a scenario in which these SHOULDs would be
    violated; should they be MUSTs instead?  (I'd like for the "encrypting
    the data" in the previous paragraph to be a MUST as well, but that case
    is less clear-cut.)

GL - I will change the authentication SHOULDs to MUSTs in the new version of the draft.

       Additionally, the registry and the escrow agent SHOULD use integrity
       checking mechanisms to ensure the data transmitted is what the source
       intended.  Validation of the contents by the escrow agent is

    It seems like if there are no integrity checks then the escrow mechanism
    is not really fit for purpose -- can't this be MUST?

GL - Sounds good, I will change this to a MUST.

    Section 11

       This specification defines a format that may be used to escrow
       personal data.  The process of data escrow is governed by a legal
       document agreed by the parties, and such legal document must regulate
       the particularities regarding the protection of personal data.

    "Regulate the particularities" is an interesting phrase, as it merely
    specifies that some restrictions be made, but nothing about the nature
    of them.  Shouldn't we be saying something like "ensure that
    privacy-sensitive and/or personal data receives appropriate protection"?

GL - I think the following text addresses your comment, do you agree?

This specification defines a format that may be used to escrow personal data.  The process of data escrow is governed by a legal document agreed by the parties, and such legal document must ensure that privacy-sensitive and/or personal data receives the required protection.

    Section 14, 15, 16

    Could we not reuse the same deposit-id for different examples?
    (Also, using 20191017001 with a watermark date of 2019-10-18
    midnight-UTC is perhaps unnecessary cognitive dissonance.)

GL - Agree, I will change this.

    Is it appropriate to use the urn:ietf:params:xml:ns:rdeObj[N] namespaces
    in the examples, vs. a dedicated "example" namespace?

GL - Agree, I will change this to the example URN namespace.