IETF Logo Mail Archive

Re: [regext] Document Shepherd Write Up of Login-Security

"Gould, James" <jgould@verisign.com> Mon, 30 September 2019 21:46 UTC

Return-Path: <jgould@verisign.com>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D442120170 for <regext@ietfa.amsl.com>; Mon, 30 Sep 2019 14:46:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z7bKxTgQ-w-j for <regext@ietfa.amsl.com>; Mon, 30 Sep 2019 14:46:30 -0700 (PDT)
Received: from mail4.verisign.com (mail4.verisign.com [69.58.187.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD81912013D for <regext@ietf.org>; Mon, 30 Sep 2019 14:46:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=77722; q=dns/txt; s=VRSN; t=1569879989; h=from:to:cc:date:message-id:references:in-reply-to: mime-version:subject; bh=P+5gpvmLycCBOjFqmdKQEa03d9bTwvr3NMVZUOftJMA=; b=Er3LlnSEga6KA1/KThFSHRGLbj3at9g8/zRDlqoBD7jSAnJ+anK93yG9 5A89FMwBWy0UbVktZU+6FSXlHOIzDFMv7ESeFhDRAvKkbltVEk70JjKOu hrlPFbubvLYuLSoVowjTwx6nsaajl57TIfCeCfDZq22WJrN3jEyAQvvqM O+TjnL2D16g+Q1m5Kk6BgQxbL8JFxlOr8XLsnHQxxvVsryhfHsoYH2okL vWbtkt/OAq5gmRsYRz/jsAbzFj0VkSruV9Tvef//7fvVqdVElVDUk46h7 8BBzjuv3YK8gaOy4mXEgimr85JtIZENdZf89J9a0HLhJkU8rSheMVz3xa A==;
X-IronPort-AV: E=Sophos;i="5.64,568,1559534400"; d="png'150?scan'150,208,217,150";a="8519684"
IronPort-PHdr: 9a23:3oA1yx/lkoRVNv9uRHKM819IXTAuvvDOBiVQ1KB22+gcTK2v8tzYMVDF4r011RmVBN6dt6gP0rSO+4nbGkU4qa6bt34DdJEeHzQksu4x2zIaPcieFEfgJ+TrZSFpVO5LVVti4m3peRMNQJW2aFLduGC94iAPERvjKwV1Ov71GonPhMiryuy+4ZLebxhGiTanbr5+Mhq6oRjQu8UKnIBvNrs/xhzVr3VSZu9Y33loJVWdnxb94se/4ptu+DlOtvwi6sBNT7z0c7w3QrJEAjsmNXs15NDwuhnYUQSP/HocXX4InRdOHgPI8Qv1Xpb1siv9q+p9xCyXNtD4QLwoRTiv6bpgRQT2gykbKTE27GDXitRxjK1FphKhuwd/yJPQbI2MKfZyYr/RcdYcSGFcXMheSjZBD5u8YYUREuQBIehWoYrzp1QMoxS+BBWjC+z0xz9SmnP22Lc33/g7HAzE2gErAtIAsG7TrNXwLKoeX+G7zK7VzTXHcvxawSr25ozSfRAkv/6MRrx8etfWxEktGAPFiUiQqYj4MD6OyOQCrXKb7+t7VeKuhG4nrRt9rSSoxscpk4TEgJ8exF7D9SV82ok1JNu4RVZlYdG6CptQtjqaN4p5QsMkQmFovjo1xqcatp68eSgG0JUnyADDa/yJaYSI5QjjVOmXLDxlh3xlYKqyiwuu/US61+HxVMe53ExXoidFnNTArH8A2h/L5sSaVvdx5Fqt1DST2wzJ9+1JLkM5mbDGJ5Mi2rIwmIQcvEffEiLznUj5lqybe0E/9eWt5enrfKjpq56ZOoBvjgzzM6Yjl8mxDOk2MAUBQm6W8vmm2rL55032WrBKg+UzkqnerZ/VO9wWprW8Aw9JyoYj7Au/Dyu+3NQYg3YHKFVFdQqagob1I1/CPfD3A++wjVutjDtn2urKPqP9DZXKNHjDiK3tcqxg5EJG1goz18tf55ROBr4dJ/LzX1f9tN3eDhAnLwy52/vrBMln2o8DW2+CDLWVPL7SvFKG/O4iLOqBaJcQuDnnKvgl4/DujWU+mV8YZaSp35QXaHelHvRiPkqUemTsjckbEWcLpQo+TePqiFuYXTFPYHayWrow5isnB4K+EYfDWoetjaSD3Ca7AJJZeHtLBUqCEXfpc4WEWu0DaDmILs9glDwEW7+hQZc71R6yrA/616ZnLu3M9y0Cq53j28Z65uLPlRwp9Dx7Edid02+XQ2FzhGMISGx+4Kcqg0tmx0+DmZl1jrQMF81e6ttAXAY+NJfHie18BdekCSzbedLcAnmhX9GqRXkTR9c82JVGN0RyHMimgjjd0jCrGL4akfqAA5liofGU5GT4O8sokyWO76ImlVRzB5IXbWA=
X-IPAS-Result: A2EGAACXdpJd/zCZrQpjAxkBAQEBAQEBAQEBAQEMAQEBAQEBgVUCAQEBAQELAYEbgW+BLwqEGI4+ghslgwpjlTeBPxclCQEBAQEBAQEBAQMBAwElCgEBAoQ+AheDUDYHDgIMAQEBBAEBAQEBBQMBAQEChhYMgjopAWIvCQEyAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBBQIIBzQZBzUSAQEYAQEBAQMFAR0CCAFLEAIBCA4DAwECBgEBAQ4BCQEGAwICAgUQDwwUCQgCBA4EAQ6DFAGCGa4MdYEyhDgBE0FAhGAQgTQBjCWBQT6BEScME4FOfj6CYQIDAYFHLQkBFQgJAQKCQzKCBCIEj2GFLSRtiBeFEIJhhngDB4IihW8BgRWFFIMWboUJgjdyiwaLB4xviFR2kQcCBAIEBQIVgVkGggVwFWUBgg0BMwlHEBSBWxeDUIUUhT90CQMBJY4eDR6BBIEjAQE
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1779.2; Mon, 30 Sep 2019 17:46:27 -0400
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d]) by BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d%5]) with mapi id 15.01.1779.002; Mon, 30 Sep 2019 17:46:27 -0400
From: "Gould, James" <jgould@verisign.com>
To: Joseph Yee <jyee@afilias.info>
CC: regext <regext@ietf.org>
Thread-Topic: [EXTERNAL] Re: [regext] Document Shepherd Write Up of Login-Security
Thread-Index: AQHVc+BGZaSIGbMarU+vhm7zGdiB5Kc85UgAgAfj/YA=
Date: Mon, 30 Sep 2019 21:46:27 +0000
Message-ID: <38D9EDAE-3DD0-4244-A5AE-CE1E110A371B@verisign.com>
References: <CAF1dMVH5W_dA_0jJaK9OceSGcwek6y-GnaGRyFqnQdWbtoAGAQ@mail.gmail.com> <80680E0B-2ECB-47E1-B248-ED236F100A47@verisign.com> <CAF1dMVEQjNh6kCyZ4G8aqK89aBpzxEafgOu0xrGHrgWpqeZ4Vw@mail.gmail.com> <8E847B5A-7C0C-4F75-B37B-1238FA56714A@verisign.com>
In-Reply-To: <8E847B5A-7C0C-4F75-B37B-1238FA56714A@verisign.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.e.190909
x-originating-ip: [10.170.148.18]
Content-Type: multipart/related; boundary="_006_38D9EDAE3DD04244A5AECE1E110A371Bverisigncom_"; type="multipart/alternative"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/CeS5GdGaJXmWhQj1OOY5GAgwBhQ>
Subject: Re: [regext] Document Shepherd Write Up of Login-Security
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Sep 2019 21:46:34 -0000

Joseph,

I went ahead and posted draft-ietf-regext-login-security-04 with the updates based on your review feedback.  Let me know if you find any other issues.

Thanks,

--

JG

[cid:image001.png@01D255E2.EB933A30]

James Gould
Distinguished Engineer
jgould@Verisign.com<applewebdata://13890C55-AAE8-4BF3-A6CE-B4BA42740803/jgould@Verisign.com>

703-948-3271
12061 Bluemont Way
Reston, VA 20190

Verisign.com<http://verisigninc.com/>

From: James Gould <jgould@verisign.com>
Date: Wednesday, September 25, 2019 at 5:16 PM
To: Joseph Yee <jyee@afilias.info>
Cc: regext <regext@ietf.org>
Subject: Re: [EXTERNAL] Re: [regext] Document Shepherd Write Up of Login-Security

Joseph,

See my feedback below.

--

JG

[cid:image001.png@01D255E2.EB933A30]

James Gould
Distinguished Engineer
jgould@Verisign.com<applewebdata://13890C55-AAE8-4BF3-A6CE-B4BA42740803/jgould@Verisign.com>

703-948-3271
12061 Bluemont Way
Reston, VA 20190

Verisign.com<http://verisigninc.com/>

From: Joseph Yee <jyee@afilias.info>
Date: Wednesday, September 25, 2019 at 4:31 PM
To: James Gould <jgould@verisign.com>
Cc: regext <regext@ietf.org>
Subject: [EXTERNAL] Re: [regext] Document Shepherd Write Up of Login-Security

Hi Jim and all,

comments inline

On Tue, Sep 24, 2019 at 5:01 PM Gould, James <jgould@verisign.com<mailto:jgould@verisign.com>> wrote:
Joseph,

Thank you for performing the document shepherd review and creating the writeup.  You brought up 2 points in your comments, that I provide thoughts on below:


1.       Section 3.1 - the paragraph that specifies when “name” must be mandatory.  The text needs more work to be precise. The current text only specifies “name” is required when “type”==“custom”, where “name” is mandatory too when “type”==“stat”.

a.       When the “type” is “stat”, then the use of the “name” is mandatory to define the “stat” sub-type, per the definition of the “stat” type and the definition of the “name” attribute.  I include both below for reference:

                                                              i.      "stat":  Provides a login security statistical warning that MUST set the "name" attribute to the name of the statistic.

1.       How about updating this description to highlight that the “name” is used to define the statistic sub-type, such as “Provides a login security statistical warning that MUST set the "name" attribute to the name of the statistic sub-type.”?  When using the “stat” type, the use of the sub-type is required by using the “name” attribute.

                                                            ii.      "name":  Used to define a sub-type when the "type" attribute is not "custom" or the full type name when the "type" attribute is "custom".

1.       This description is accurate for the “stat” type, since the “name” attribute is used to define the sub-type.

I have a bit of hard time reading your comment due to the numbering. As long as the the description "name" paragraph in some way specifies that both "stat" and "custom" MUST define "name" it will be fine IMHO.


JG – The “stat” and “custom” types already define that the “name” attribute is required, so why would the “name” attribute need to include the reverse statement?  The change that I proposed was to ensure that the definition of the “stat” type used the appropriate language by referring to the use of the “name” attribute to define the statistic sub-type.  The definition of the “stat” type would read “Provides a login security statistical warning that MUST set the "name" attribute to the name of the statistic sub-type.”  The “name” attribute defines either the sub-type or the full type name when the type is “custom”.  The requirement for the inclusion of the “name” attribute is defined by the type.


1.

2.       In Section 4.1, <loginSec:userAgent> specifies that one of the child element must be included if the request contained <loginSec:userAgent>.  In the Formal Syntax section, the XML does not enforce it.  If the XML syntax uses what XML Schema offers, then editors should check on <choice> element.

a.       I’m unaware of a clean method to enforce having at least one of the sub-elements (app, tech, and os) via the XML schema, since there can be one to three of the elements that is not well suited for the use of a <choice>.  We need to ensure that there are no duplicates and maintaining the order would be preferred.  Do you or anyone else have a proposal that can be used?  My recommendation is to keep the XML schema as is and to have the server validate the existence of at least one sub-element after the XML parser, per the language of the specification.

The original schema can maintain order, but can't maintain the presence.

The following could work (in XML schema, <choice> can contain <sequence>, not just <element>, I haven't build any code to confirm it):

***
<choice>
  <sequence>
    <element name="app" />
    <element name="tech" minOccurs="0"  />
    <element name="os" minOccurs="0" />
  </sequence>
  <sequence>
    <element name="tech" />
    <element name="os" minOccurs="0" />
  <sequence>
  <element name="os" />
</choice>
***

JG – Yes, your proposal should work fine with the inclusion of the type=”token” for each of the elements and fixing the last <sequence> with </sequence>, as in:

  <complexType name="userAgentType">
            <choice>
              <sequence>
                        <element name="app" type="token" />
                        <element name="tech" type="token" minOccurs="0"  />
                        <element name="os" type="token" minOccurs="0" />
              </sequence>
              <sequence>
                        <element name="tech" type="token" />
                        <element name="os" type="token" minOccurs="0" />
              </sequence>
              <element name="os" type="token"/>
            </choice>
  </complexType>

I can modify the XML schema in the draft to include this.

Best,
Joseph



1.

a.
Thanks,

--

JG

[cid:image001.png@01D255E2.EB933A30]

James Gould
Distinguished Engineer
jgould@Verisign.com

703-948-3271
12061 Bluemont Way
Reston, VA 20190

Verisign.com<http://verisigninc.com/>

From: regext <regext-bounces@ietf.org<mailto:regext-bounces@ietf.org>> on behalf of Joseph Yee <jyee@afilias.info<mailto:jyee@afilias.info>>
Date: Tuesday, September 24, 2019 at 3:09 PM
To: regext <regext@ietf.org<mailto:regext@ietf.org>>
Subject: [EXTERNAL] [regext] Document Shepherd Write Up of Login-Security

All,

I had uploaded the document shepherd write up of login-security and available at the link below for your reference:

https://datatracker.ietf.org/doc/draft-ietf-regext-login-security/shepherdwriteup/

Best,
Joseph

v2.23.0 | Report a Bug | By Email