Re: [regext] Alexey Melnikov's Discuss on draft-ietf-regext-login-security-07: (with DISCUSS and COMMENT)
"Alexey Melnikov" <aamelnikov@fastmail.fm> Mon, 27 January 2020 14:02 UTC
Date: Mon, 27 Jan 2020 14:02:25 +0000
From: Alexey Melnikov <aamelnikov@fastmail.fm>
To: James Gould <jgould@verisign.com>, The IESG <iesg@ietf.org>
Cc: "draft-ietf-regext-login-security@ietf.org" <draft-ietf-regext-login-security@ietf.org>, Joseph Yee <jyee@afilias.info>, "regext-chairs@ietf.org" <regext-chairs@ietf.org>, "regext@ietf.org" <regext@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/aRyp7AvaX-WAhT3AfKfZhy-Pq30>
Hi James,

On Thu, Jan 23, 2020, at 9:29 PM, Gould, James wrote:
> Alexey,

[snip]

> > Thank you for this document. I have several small comments similar to what was
> > raised by Roman and Ben:
> >
> > 1) In 4.1:
> >
> >    <loginSec:userAgent>: OPTIONAL client user agent that identifies the
> >       client application software, technology, and operating system
> >       used by the server to identify functional or security
> >       constraints, current security issues, and potential future
> >       functional or security issues for the client. The
> >       <loginSec:userAgent> element MUST contain at least one of the
> >       following child elements:
> >
> >       <loginSec:app>: OPTIONAL name of the client application software
> >          with version if available, such as the name of the client SDK
> >          "EPP SDK 1.0.0".
> >       <loginSec:tech>: OPTIONAL technology used for the client
> >          software with version if available, such as "Java 11.0.2".
> >       <loginSec:os>: OPTIONAL client operating system used with
> >          version if available, such as "x86_64 Mac OS X 10.11.6".
> >
> > Is there a registry of allowed values or at least some instructions on how to
> > construct these values? There are probably several existing IETF registries
> > that can be reused.
>
> JG - I'm not aware of any registries that exist that describe how to
> construct these values. I believe to address Roman's, Ben's and your
> feedback, I will provide an example of how to construct these values.

I am not insisting that you should use these, but some examples:

https://www.iana.org/assignments/operating-system-names/operating-system-names.xhtml#operating-system-names-1

and probably more interesting:

https://www.iana.org/assignments/iodef2/iodef2.xhtml#softwarereference-dtype

The latter points to NIST's Common Platform Enumeration and ISO 19770 software identification (SWID).

> > If these values are not supposed to be used by servers for anything other than
> > logging (i.e. if they can't be used to work around bugs), then the document
> > needs to say that.
>
> JG - The servers can leverage this information for more than logging;
> although logging is the most common use case. The most useful element
> for identification is the <loginSec:app>, where if there is a known
> client application such as an EPP SDK, the server can key off of the
> EPP SDK version to proactively identify potential security issues to
> report back to the client. The server may already know the client
> application patterns or can identify the client application patterns
> using the logs to create rules for specific client applications. The
> additional <loginSec:tech> and <loginSec:os> elements are useful to
> identify future security policy issues, such as deprecating or removing
> TLS cipher suites or TLS protocols. The short answer to your question
> is that the server can utilize the elements for logging and for driving
> security event rules, but this is beyond the scope of the extension
> specification.

I think saying something along these lines would be helpful.

Best Regards,
Alexey
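The server-side handling discussed in this exchange, as an added example that is not part of the thread and is not code from the draft, from Verisign, or from any EPP implementation: a parser for `<loginSec:userAgent>` that enforces the "MUST contain at least one of app, tech, os" rule, plus a small rule evaluator of the kind James describes (keying off a client SDK or runtime version to log a finding or report it back to the client). It assumes the loginSec namespace URI later published in RFC 8807; the version thresholds in `SAMPLE_RULES` and the sample element are constructed for illustration, the element reusing the example values quoted above.

```python
"""Added example: validate <loginSec:userAgent> and drive version-based
security findings from it.  Not code from the draft or any EPP server."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# Assumption: the loginSec namespace URI as later published in RFC 8807.
LOGINSEC_NS = "urn:ietf:params:xml:ns:epp:loginSec-1.0"


def _q(local: str) -> str:
    """Clark-notation name so lookups are namespace-aware, not prefix-bound."""
    return f"{{{LOGINSEC_NS}}}{local}"


class UserAgentError(ValueError):
    """Raised when <loginSec:userAgent> violates the constraints in the text."""


@dataclass(frozen=True)
class UserAgent:
    app: Optional[str]
    tech: Optional[str]
    os: Optional[str]


def parse_user_agent(xml_text: str) -> UserAgent:
    """Extract app/tech/os and enforce 'MUST contain at least one child'.

    The stdlib parser keeps this self-contained; a server parsing untrusted
    EPP XML would use an entity-safe parser such as defusedxml instead.
    """
    root = ET.fromstring(xml_text)
    ua = root if root.tag == _q("userAgent") else root.find(f".//{_q('userAgent')}")
    if ua is None:
        raise UserAgentError("no <loginSec:userAgent> element present")

    def child_text(local: str) -> Optional[str]:
        el = ua.find(_q(local))
        if el is None:
            return None  # each child is OPTIONAL on its own
        value = (el.text or "").strip()
        if not value:
            raise UserAgentError(f"<loginSec:{local}> is present but empty")
        return value

    parsed = UserAgent(child_text("app"), child_text("tech"), child_text("os"))
    if parsed.app is None and parsed.tech is None and parsed.os is None:
        raise UserAgentError("<loginSec:userAgent> MUST contain at least one of app, tech, os")
    return parsed


@dataclass(frozen=True)
class MinVersionRule:
    """Flag a field whose matched version is below a minimum."""
    field: str    # "app", "tech" or "os"
    pattern: str  # regex with a named group 'version'
    minimum: str
    message: str


def _version_key(version: str) -> tuple:
    # "11.0.2" -> (11, 0, 2); tuple comparison orders components numerically
    return tuple(int(part) for part in re.findall(r"\d+", version))


def evaluate(ua: UserAgent, rules: List[MinVersionRule]) -> List[str]:
    """Return findings the server can log or report back in the login response."""
    findings = []
    for rule in rules:
        value = getattr(ua, rule.field)
        if value is None:
            continue
        match = re.search(rule.pattern, value)
        if match and _version_key(match.group("version")) < _version_key(rule.minimum):
            findings.append(f"{rule.field}={value!r}: {rule.message}")
    return findings


# Constructed sample policy: hypothetical thresholds, not from the draft.
SAMPLE_RULES = [
    MinVersionRule("app", r"EPP SDK (?P<version>\d+(?:\.\d+)*)", "1.2.0",
                   "client SDK below 1.2.0; upgrade recommended"),
    MinVersionRule("tech", r"Java (?P<version>\d+(?:\.\d+)*)", "11",
                   "runtime below Java 11; planned TLS cipher-suite removal will affect it"),
]

# Constructed sample element using the example values quoted in the thread.
SAMPLE_USER_AGENT = """<loginSec:userAgent xmlns:loginSec="urn:ietf:params:xml:ns:epp:loginSec-1.0">
  <loginSec:app>EPP SDK 1.0.0</loginSec:app>
  <loginSec:tech>Java 11.0.2</loginSec:tech>
  <loginSec:os>x86_64 Mac OS X 10.11.6</loginSec:os>
</loginSec:userAgent>"""

if __name__ == "__main__":
    agent = parse_user_agent(SAMPLE_USER_AGENT)
    for line in evaluate(agent, SAMPLE_RULES):
        print("login-security finding:", line)
```

Run as a script it reports one finding for the sample element (the SDK 1.0.0 value); the Java 11.0.2 value passes the Java 11 threshold because the comparison is component-wise, not lexical. An empty `<loginSec:userAgent/>` is rejected, which is the check a server needs before it can rely on any of the three fields.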