Re: [regext] Secdir last call review of draft-ietf-regext-epp-eai-12
"Gould, James" <jgould@verisign.com> Mon, 13 June 2022 15:35 UTC
Return-Path: <jgould@verisign.com>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 809CFC14F612; Mon, 13 Jun 2022 08:35:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cUHN3QW6wgbj; Mon, 13 Jun 2022 08:35:24 -0700 (PDT)
Received: from mail5.verisign.com (mail5.verisign.com [69.58.187.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7CCDEC14EB1E; Mon, 13 Jun 2022 08:35:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=4476; q=dns/txt; s=VRSN; t=1655134524; h=from:to:cc:subject:date:message-id:content-id: content-transfer-encoding:mime-version; bh=hNeF5E8+CwkYCY/AMtD29yDqHs70zAqRtRwS4SgYsqc=; b=miErCqVKxMdZ+zmcHXwb59KfnI7ocZtv+Q/GOmILCt1nXc5Z0fAy5LJ5 zDTQKMUQXpQ2WS23O143+Lj/cIZMQNlF71F1JcPqd2TURSOX42BjymNRK 68loQ0CfEH0caA9l56LdMPHNmKHgH88k1QU6hOkaeP68L9UlUbGA4chpd CrCWGAXaSPLyjXwMTSEWNE46cU+6prigN2/n2RexufNsFL87jUvC7XhAs vZxssj5mBRlfXmHptHKRUynyc+r8poIT/Kniv35VXRsFpXyiDr4v2URBg oZkTS5t4J8jqS9+Bclh7sQ7eCA5lAET3VPvVDPuGdR5OhIaH8ygqjSMdk A==;
IronPort-Data: A9a23:JwDWNa8KOlxpME2io0q1DrUDlX+TJUtcMsCJ2f8bNWPcYEJGY0x3y WAWWG3XaKuINmGhLYgga4iz/R4F65SEx9Q1HQZp+y4xFiIbosf7XtnIdU2Y0wF+jCHgZBk+s 5hBMImowOQcFCK0SsKFa+C5xZVEOCXhqoPUUIYoAAgoLeNfYHpn2EsLd9IR2NYy24DnWljV4 LsenuWEULOb828sWo4rw//bwP9flKyaVOQw5wFWiVhj5TcyplFNZH4tDfjZw0jQG+G4KtWHq 9Prl9lVyEuCpktwVYn1+lrMWhZirrb6ZWBig1IIA/Ty2kAqSiYais7XP9JEAatbZqngc3mcB 7yhuLTpITrFMJEgl8wZDENWPTEuPZYB4ZvsCHm5jPWB6H/JJi6EL/VGVCnaPKUywMAuPkdjx aRBbi4GaQqbweu6hqyhUe8qjcMmRCXpFNpH/Cg/lneAUK1gHcCrr6bivLe02B8yicdTGfr2e ccDaCFuYxKGaBpKUrsSIMtizLn41ySlG9FegEiuhrgXvUmL9Tx4zLjPIcbRV9Wwf9oAyy50o UqDpQwVGCoyMNuZ1zuO8TSti/PBtSz+UYMWUra/85ZCm1CYym0JIBwbSVX9puO24mayQdtRN wkV9zYg6LI/+0G7UpzwRwX9rXeF+BcYX/JRHvE0rgaXxcL85w+CGi0PRzpFQN0rqMFwQiYlv neTktzkFSBHsbCJRzSa7Lj8kN+pESIPKzYdYyIUFVJA+Mf55oQylVfFSZBpCqjsyMPvAje2y DePxMQju4guYQcw//3T1Tj6b/iE//AlkiZdCt3rY1+Y
IronPort-HdrOrdr: A9a23:wm/anKhOkgkYqFEHcdBfGCxaVXBQXv4ji2hC6mlwRA09TyXBrb HNoBwavSWZtN6IMEtQ4uxoS5PwJE80kqQFm7X5XI3SJDUO11HJEGgP1+HfKl7balDDH4xmpM RdmsFFYbWaMbEQt6nHCXyDcurIt+PozEnHv4rjJjxWPGVXgulbnmBE4kzwKDwReOBpP+tBKK ah
X-IronPort-AV: E=Sophos;i="5.91,297,1647316800"; d="scan'208";a="14868952"
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2375.24; Mon, 13 Jun 2022 11:35:21 -0400
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([10.173.153.48]) by BRN1WNEX01.vcorp.ad.vrsn.com ([10.173.153.48]) with mapi id 15.01.2375.024; Mon, 13 Jun 2022 11:35:21 -0400
From: "Gould, James" <jgould@verisign.com>
To: "lonvick.ietf@gmail.com" <lonvick.ietf@gmail.com>, "secdir@ietf.org" <secdir@ietf.org>
CC: "draft-ietf-regext-epp-eai.all@ietf.org" <draft-ietf-regext-epp-eai.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "regext@ietf.org" <regext@ietf.org>
Thread-Topic: Secdir last call review of draft-ietf-regext-epp-eai-12
Thread-Index: AQHYfzsxEbZCQlxp4EGIp08L8psB0Q==
Date: Mon, 13 Jun 2022 15:35:21 +0000
Message-ID: <91052E99-9C78-4D96-83E7-F9B47D3B3182@verisign.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.59.22031300
x-originating-ip: [10.170.148.18]
Content-Type: text/plain; charset="utf-8"
Content-ID: <04A30AF683730842AC6BA59CC2369D85@verisign.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/Kr_Aj804ejiVb7oXF8Ad-Se1hug>
Subject: Re: [regext] Secdir last call review of draft-ietf-regext-epp-eai-12
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jun 2022 15:35:28 -0000
Chris, Thank you for the review, feedback, and recommended text. You mention an interesting use case of a client or server that signals the support EAI, but that can't meet the obligations defined in section 5.3.1 "EAI Functional Extension Negotiated". The negotiation is handled when the EPP session is established via the list of services provided by the server in the greeting and the client in the login command. In EPP there is no functional capability to not accept the service URI at the time of EPP session establishment based on determining compliance with a service / extension obligation. For EAI, the negotiated services will imply the normative language in section 5.3.2 "EAI Functional Extension Negotiated" for the server and the client, respectively. We could add the following to the security considerations section to cover the risk of negotiating EAI support without fully complying with the obligations defined in section 5.3.1: When the EAI functional extension is negotiated by both the client and the server, the client and server obligations defined in Section 5.3.1 MUST be satisfied. If the obligations are not satisfied by either the client or server, the EAI address may be mishandled in processing or storage and be unusable. Any thoughts on the language is appreciated. Thanks, -- JG James Gould Fellow Engineer jgould@Verisign.com <applewebdata://13890C55-AAE8-4BF3-A6CE-B4BA42740803/jgould@Verisign.com> 703-948-3271 12061 Bluemont Way Reston, VA 20190 Verisign.com <http://verisigninc.com/> On 6/12/22, 8:48 PM, "Chris Lonvick via Datatracker" <noreply@ietf.org> wrote: Reviewer: Chris Lonvick Review result: Has Issues Hello, I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. The summary of the review is that it has issues. The document is well written and the Security Considerations seems appropriate. However, there is insufficient guidance given regarding when the EAI functional extension is negotiated, but when the server cannot satisfy the required obligations. The specification says that when the client and server negotiate the EAI functional specification that, "implies the possibility to process the EAI address". The draft needs to specify what happens if the client and server negotiate the EAI functional extension, but when the server cannot fulfill its obligations to provide the required information, or when the client cannot process the received information. This may be easily fixed by saying in the specification that the server will only accept the negotiation if it can (MUST) provide the required information specified in section 5.3.1 and that the client can (MUST) accept and act upon that received information. The specification should also go on to say what MUST happen if those conditions are not met. Best regards, Chris
- [regext] Secdir last call review of draft-ietf-re… Chris Lonvick via Datatracker
- Re: [regext] Secdir last call review of draft-iet… Gould, James
- Re: [regext] Secdir last call review of draft-iet… Gould, James
- Re: [regext] Secdir last call review of draft-iet… Gould, James