Re: [regext] Alexey Melnikov's Discuss on draft-ietf-regext-login-security-07: (with DISCUSS and COMMENT)

"Alexey Melnikov" <aamelnikov@fastmail.fm> Tue, 28 January 2020 15:22 UTC

Return-Path: <aamelnikov@fastmail.fm>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71D34120907; Tue, 28 Jan 2020 07:22:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fastmail.fm header.b=C+fy+/uV; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=cDjnrSAs
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8EsSlZEhfoPD; Tue, 28 Jan 2020 07:22:13 -0800 (PST)
Received: from wout1-smtp.messagingengine.com (wout1-smtp.messagingengine.com [64.147.123.24]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 05527120910; Tue, 28 Jan 2020 07:22:04 -0800 (PST)
Received: from compute7.internal (compute7.nyi.internal [10.202.2.47]) by mailout.west.internal (Postfix) with ESMTP id 217A14A9; Tue, 28 Jan 2020 10:22:02 -0500 (EST)
Received: from imap1 ([10.202.2.51]) by compute7.internal (MEProxy); Tue, 28 Jan 2020 10:22:02 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastmail.fm; h= mime-version:message-id:in-reply-to:references:date:from:to:cc :subject:content-type; s=fm2; bh=c4jIMamuY38UI9Q355Ad+kaM8eB5RrD vZ3DDbkP3Wi8=; b=C+fy+/uV9CA2mNQFXh9enXRYIr6U9i4YkSsDMvgeJPHkTOm iYQ+LBctIqjw/7XK80wsEcel1AFdqkG4FrMVfwtOL2K4unhOhK6fexWArE2OtZl+ nR+tVFO6kLCtUdkTHF1ZY/XJlTiHi/1egzzpX4XdTzVbUdy7x11t3ZHBz7OBc1Zj IDkjXdB7P3ViV+oNNrXneqxAB4lCJzRw5sopOgzfy064wjTE4XlqS1W/YRE++dHt 3cGWplYXaFTDJ1/pOot3TH7BT3Eo9pPZ0/BKlF0r6p2xJkJ7Ml+qUn946fspQ42L DzEq8A1jD8FhWJiqcqDZgR9Jci4Q4+xmXbyErNg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=c4jIMa muY38UI9Q355Ad+kaM8eB5RrDvZ3DDbkP3Wi8=; b=cDjnrSAspyaAAERKn8WZ4p I5lodJInh1Qi0PnwwJbPMxj2Dko32otl6BgAynNkZHE0/LwixJl/VqjfbUuXMoRG dPLtSH/wFpjNx0AnZeLp1HChg2+DPPaQZwM5uwAw0Maftx9L33Lsw/edV0k6Yu/C j5pJuhLWl85BhQiTeOBuT0wk9firzUf+1m7ZLzhFKAH/RdVY1uHc+9myWsy/mwe+ boojRKx+YXCFkheC25yZbN4Kjqt5SDU9aODnt0MV3rD61yq0j3UEhSA0lv0dEx8B C+or1+b57/mfuJ7/P0KAPDrHfvJ54eGr4NSQNEIqPbm76sQkBp228oefR7DMHBXw ==
X-ME-Sender: <xms:mVEwXuxDNTq-JE_noMzLCfR6qswine5rRxIXmiHuHqE0bpZDwBse5g>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedugedrfeeggdejtdcutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc fjughrpefofgggkfgjfhffhffvufgtsegrtderreerreejnecuhfhrohhmpedftehlvgig vgihucfovghlnhhikhhovhdfuceorggrmhgvlhhnihhkohhvsehfrghsthhmrghilhdrfh hmqeenucffohhmrghinhepvhgvrhhishhighhnihhntgdrtghomhdpihgrnhgrrdhorhhg necuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomheprggrmh gvlhhnihhkohhvsehfrghsthhmrghilhdrfhhm
X-ME-Proxy: <xmx:mVEwXgRrRsJhHv3E15ZLsd9RjY_6r7TiPO-1ISd4neEbKtqte9i5Sg> <xmx:mVEwXrKRka8eJ644TDB9Q6ZRYEdR6HwSXaL3Day4Gt-v0prUailazw> <xmx:mVEwXnUFa_jc9aoW4ZqfOOk126qyaLn0NKlbLVMY8zVjW1dfMFvhQA> <xmx:mVEwXp_bkWVL4yAsqxZ8ZHiDwVZ0kisk4MJ2-RgOGjKU97MKcb7rug>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 014F0C200A4; Tue, 28 Jan 2020 10:22:00 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.1.7-781-gfc16016-fmstable-20200127v1
Mime-Version: 1.0
Message-Id: <b299f708-5124-420e-9883-c8d991094831@www.fastmail.com>
In-Reply-To: <3A7016A7-409D-477C-A13C-1948184A36D9@verisign.com>
References: <157977713547.22794.12692666659052458667.idtracker@ietfa.amsl.com> <A5D19CB8-BEB8-4675-9C6E-43CE6C914464@verisign.com> <c669382f-90f0-4f55-88b1-ba7c1b3a5566@www.fastmail.com> <3A7016A7-409D-477C-A13C-1948184A36D9@verisign.com>
Date: Tue, 28 Jan 2020 15:21:31 +0000
From: Alexey Melnikov <aamelnikov@fastmail.fm>
To: "Gould, James" <jgould=40verisign.com@dmarc.ietf.org>, The IESG <iesg@ietf.org>
Cc: "draft-ietf-regext-login-security@ietf.org" <draft-ietf-regext-login-security@ietf.org>, Joseph Yee <jyee@afilias.info>, "regext@ietf.org" <regext@ietf.org>, "regext-chairs@ietf.org" <regext-chairs@ietf.org>
Content-Type: multipart/alternative; boundary="94736a2c116f4a6f9339d09bc75c0e95"
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/hPh9hXYmCS0LMVWVhYN5PUk_-uc>
Subject: Re: [regext] Alexey Melnikov's Discuss on draft-ietf-regext-login-security-07: (with DISCUSS and COMMENT)
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jan 2020 15:22:18 -0000

Hi James,

(Top post)

Your changes look good to me.

Best Regards,
Alexey

On Mon, Jan 27, 2020, at 4:40 PM, Gould, James wrote:
> Alexey,

> 

> My responses are embedded below.

> 

> --

> 

> JG

> 

> 

> 

> James Gould

> Distinguished Engineer

> jgould@Verisign.com <applewebdata://13890C55-AAE8-4BF3-A6CE-B4BA42740803/jgould@Verisign.com>

> 

> 703-948-3271

> 12061 Bluemont Way

> Reston, VA 20190

> 

> Verisign.com <http://verisigninc.com/>

> 

>  On 1/27/20, 9:02 AM, "Alexey Melnikov" <aamelnikov@fastmail.fm> wrote:

> 

>  Hi James,

> 

>  On Thu, Jan 23, 2020, at 9:29 PM, Gould, James wrote:

>  > Alexey,

> 

>  [snip]

> 

>  > 

>  > Thank you for this document. I have several small comments similar

>  > to what was

>  > raised by Roman and Ben:

>  > 

>  > 1) In 4.1:

>  > 

>  > <loginSec:userAgent>: OPTIONAL client user agent that identifies the

>  > client application software, technology, and operating system

>  > used by the server to identify functional or security

>  > constraints, current security issues, and potential future

>  > functional or security issues for the client. The

>  > <loginSec:userAgent> element MUST contain at least one of the

>  > following child elements:

>  > 

>  > <loginSec:app>: OPTIONAL name of the client application software

>  > with version if available, such as the name of the client SDK

>  > "EPP SDK 1.0.0".

>  > <loginSec:tech>: OPTIONAL technology used for the client

>  > software with version if available, such as "Java 11.0.2".

>  > <loginSec:os>: OPTIONAL client operating system used with

>  > version if available, such as "x86_64 Mac OS X 10.11.6".

>  > 

>  > Is there a registry of allowed values or at least some instructions how to

>  > construct these values? There are probably several existing IETF registries

>  > that can be reused.

>  >

>  > JG - I'm not aware of any registries that exist that describes how to

>  > construct these values. I believe to address Roman's, Ben's and your

>  > feedback, I will provide an example of how to construct these values.

> 

>  I am not insisting that you should use these, but some examples:

> 

>  https://www.iana.org/assignments/operating-system-names/operating-system-names.xhtml#operating-system-names-1

> 

>  and probably more interesting:

> 

>  https://www.iana.org/assignments/iodef2/iodef2.xhtml#softwarereference-dtype

> 

>  The latter points to NIST's Common Platform Enumeration and ISO 19770 software identification (SWID).

> 

> JG - I believe inclusion of the example ABNF for constructing the <loginSec:userAgent> child element values will provide the needed clarification. It looks like you feel the same way based on your response to Roman's thread. I'll address the usage of the information.

> 

> 

>  > 

>  > If these values are not supposed to be used by servers for anything

>  > other than

>  > logging (i.e. if they can't be used to work around bugs), then the

>  > document

>  > needs to say that.

>  >

>  > JG - The servers can leverage this information for more than logging;

>  > although logging is the most common use case. The most useful element

>  > for identification is the <loginSec:app>, where if there is a known

>  > client application such as an EPP SDK, the server can key off of the

>  > EPP SDK version to proactively identify potential security issues to

>  > report back to the client. The server may already know the client

>  > application patterns or can identify the client application patterns

>  > using the logs to create rules for specific clients applications. The

>  > additional <loginSec:tech> and <loginSec:os> elements are useful to

>  > identify future security policy issues, such as deprecating or removing

>  > TLS cipher suites or TLS protocols. The short answer to your question

>  > is that the server can utilize the elements for logging and for driving

>  > security event rules, but this is beyond the scope of the extension

>  > specification. 

> 

>  I think saying something along these lines would be helpful.

> 

> JG - To address this, I can update the description of the <loginSec:userAgent> as:

> 

> OPTIONAL client user agent information that identifies the client application software, technology, and operating system used by the server to identify functional or security constraints, current security issues, and potential future functional or security issues for the client. *The server may use the information for real-time identification and client notification of security issues, such as keying off of the client application software for executing security rule checks. The server may capture the information to identify future security policy issues, such as deprecating or removing TLS cipher suites or TLS protocols.* The <loginSec:userAgent> element MUST contain at least one of the following child elements:

> 

> 

>  Best Regards,

>  Alexey

>