IETF Logo Mail Archive

Re: [regext] Document Shepherd Write Up of Login-Security

"Gould, James" <jgould@verisign.com> Wed, 25 September 2019 21:16 UTC

Return-Path: <jgould@verisign.com>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5379C120072 for <regext@ietfa.amsl.com>; Wed, 25 Sep 2019 14:16:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.299
X-Spam-Level:
X-Spam-Status: No, score=-4.299 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aZTWlGi61OfL for <regext@ietfa.amsl.com>; Wed, 25 Sep 2019 14:16:41 -0700 (PDT)
Received: from mail1.verisign.com (mail1.verisign.com [72.13.63.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 31B1D120026 for <regext@ietf.org>; Wed, 25 Sep 2019 14:16:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=60626; q=dns/txt; s=VRSN; t=1569446201; h=from:to:cc:date:message-id:references:in-reply-to: mime-version:subject; bh=NSlgDzKpbfKowRGlkh+t77lMuOHeLDY1ozUqzY4GKyY=; b=VtgrMO81fWs/Wyt+fhBOpUyINyVusrSfLiAHTF24bk8gtv7awLQXBxOI g18KOZw0/+YFMTDJ4fQtfb9hPtpK4Engs9CU3JUs5UG7N8Aly4Xyh404V QtAjW7cWgpxGRvonKFNpQef62n8D4WZVTrzE7JEO7LM7DCzLhcKByfD3b CrhmpmyXW5IU5eExEeaByGHnBMe70M8Sh/fnLMcqvp6RlIwd274lbuGsr 0MEsFG2lMb0dNJGoDNo8r/R7NRh021e9ITEvZkii2C6Hm0TOrp6QYQql4 OHOpe3RnSoOU0UXfVl4EkfPkpwK68hPB42qqPgOx8Q38Dp4J25abqeKPr g==;
X-IronPort-AV: E=Sophos;i="5.64,549,1559520000"; d="png'150?scan'150,208,217,150";a="11170516"
IronPort-PHdr: 9a23:86M7XhdLKj3/ry2zgjsaLZiFlGMj4u6mDksu8pMizoh2WeGdxcWyZh7h7PlgxGXEQZ/co6odzbaP6Oa7AydZvMbJmUtBWaQEbwUCh8QSkl5oK+++Imq/EsTXaTcnFt9JTl5v8iLzG0FUHMHjew+a+SXqvnYdFRrlKAV6OPn+FJLMgMSrzeCy/IDYbxlViDanbr5+MRu7oR/fu8UIjoduN6Y8xxjUqXZUZupawn9lK0iOlBjm/Mew+5Bj8yVUu/0/8sNLTLv3caclQ7FGFToqK2866tHluhnFVguP+2ATUn4KnRpSAgjK9w/1U5HsuSbnrOV92S2aPcrrTbAoXDmp8qlmRAP0hCoBKjU063/chNBug61HoRKhvx1/zJDSYIGJL/p1Y6fRccoHSWZdQspdUipMCZ6+YYQSFeoMJeZWoZfgqVsSoxWwBgesC+HhxT9JmnD50rY30/49HQHDxgEsA8gDvXbSod7oNKkSS+e1zKzQwDnNbv1W3ir96IzVfRw5vPqCWah/cc/Pxkk0GQ/Ok1KdqY7qPzOSy+QNt3WU4vF+Ve2xkW4nqhpxojmgxscqkIXGmoUVylXd+Ch/3Y07K9q4SEthbt6lFptdrz+aOJVsQsMjWGFouSk6yrsHuZ69YCcG0ogoxxnaa/CfcoiH/A7jVOiLLTd/nnJld7SyjAux/0i40uDwS9W43ExXoidHnNTArG0B2hzd58SdRfZw+l+t1SuT2wzJ9+1JI1w4mbDGJ5MuwbM8jIcfvEfbEi/4hkr7j7Oae0Ah9+ey6OnqZq7pq5qSOoNqlw7zM6Ejlde7DOk5MAUDWmaW9Oq+2bL++0DyXa9EgecskqbDtZDXPcEbpqmkDABLyosj8BO/Dyu+0NQfgHkHMEpJeBKZgIjtPFHDOO31A+unjVixkDhl3//IMbz9DpnTNHTDjqvufbFn605E0gY8181Q64hKCrEbO/LzXFX9u8DfDh88KwC0wuDnB8th1o4GRG6DHrWVPL7QvFKG/O4jPumBaYEPtDvyL/Up//vugmU4mV8Zc6mpx5wXaHWgE/RkLEWZZmfsgtMcHmoRoAoxUvbqiFyZUT5SaHayWbgw6S08CIKjFYvDXJyigKSd3CenGZ1bfmJGC1CSHnj2bIiLQfkMaCOWIs9giDMETqKtS44n1RGgsw/w06BnIfbM+i0EqZLj08B45/fNmhE96zN1ANid3nqMT25qgmMISSU63KdloUxymR+/1v1ahOdVDdwb1v5EGlM4JJPR5+V0CtTzUxmHf9GHTwD1bM+hBGR7YdUsx9NKK2R0Hti5xFiX3SWtHrsZv6KGHp0v863amXP2IpAumD79yKA9ggx+EYN0Pmq8i/s6rlCLCg==
X-IPAS-Result: A2EHAACw14td/zGZrQpiAxkBAQEBAQEBAQEBAQEMAQEBAQEBgVUCAQEBAQELAYEbgW+BLwqEGI5egkCDCmOVNYE/FyUJAQEBAQEBAQEBAwEDASUKAQEChD0CF4M3NgcOAgwBAQEEAQEBAQEFAwEBAQKGFgyCOikBYS8JATIBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEFAggHNBkHNRIBARgBAQEBAwUBHQIIAUsQAgEIDgMDAQIGAQEBDgEJAQYDAgICBRAPDBQJCAIEDgQBDoMUAYIZry9zgTKENwETQUCEbRCBNAGMI4FBPoERJx+BTn4+gmECAwGBRy0JARUICQECgkEyggQiBI9WhSokbYgWhRCCYYZ4AweCIoVvAYEVhRSDFm6FCII2cosBiwKMbIhNdZECAgQCBAUCFYFZC4F/cBVlAYINATMJRxAUgVoXg0+FFIU/cwkDASWLeA0egQSBIwEB
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1779.2; Wed, 25 Sep 2019 17:16:37 -0400
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d]) by BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d%5]) with mapi id 15.01.1779.002; Wed, 25 Sep 2019 17:16:37 -0400
From: "Gould, James" <jgould@verisign.com>
To: Joseph Yee <jyee@afilias.info>
CC: regext <regext@ietf.org>
Thread-Topic: [EXTERNAL] Re: [regext] Document Shepherd Write Up of Login-Security
Thread-Index: AQHVc+BGZaSIGbMarU+vhm7zGdiB5Kc85UgA
Date: Wed, 25 Sep 2019 21:16:36 +0000
Message-ID: <8E847B5A-7C0C-4F75-B37B-1238FA56714A@verisign.com>
References: <CAF1dMVH5W_dA_0jJaK9OceSGcwek6y-GnaGRyFqnQdWbtoAGAQ@mail.gmail.com> <80680E0B-2ECB-47E1-B248-ED236F100A47@verisign.com> <CAF1dMVEQjNh6kCyZ4G8aqK89aBpzxEafgOu0xrGHrgWpqeZ4Vw@mail.gmail.com>
In-Reply-To: <CAF1dMVEQjNh6kCyZ4G8aqK89aBpzxEafgOu0xrGHrgWpqeZ4Vw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.e.190909
x-originating-ip: [10.170.148.18]
Content-Type: multipart/related; boundary="_005_8E847B5A7C0C4F75B37B1238FA56714Averisigncom_"; type="multipart/alternative"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/oU5fAXHQFqa7SH3r-T27O1o226c>
Subject: Re: [regext] Document Shepherd Write Up of Login-Security
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Sep 2019 21:16:44 -0000

Joseph,

See my feedback below.

--

JG

[cid:image001.png@01D255E2.EB933A30]

James Gould
Distinguished Engineer
jgould@Verisign.com<applewebdata://13890C55-AAE8-4BF3-A6CE-B4BA42740803/jgould@Verisign.com>

703-948-3271
12061 Bluemont Way
Reston, VA 20190

Verisign.com<http://verisigninc.com/>

From: Joseph Yee <jyee@afilias.info>
Date: Wednesday, September 25, 2019 at 4:31 PM
To: James Gould <jgould@verisign.com>
Cc: regext <regext@ietf.org>
Subject: [EXTERNAL] Re: [regext] Document Shepherd Write Up of Login-Security

Hi Jim and all,

comments inline

On Tue, Sep 24, 2019 at 5:01 PM Gould, James <jgould@verisign.com<mailto:jgould@verisign.com>> wrote:
Joseph,

Thank you for performing the document shepherd review and creating the writeup.  You brought up 2 points in your comments, that I provide thoughts on below:


1.       Section 3.1 - the paragraph that specifies when “name” must be mandatory.  The text needs more work to be precise. The current text only specifies “name” is required when “type”==“custom”, where “name” is mandatory too when “type”==“stat”.

a.       When the “type” is “stat”, then the use of the “name” is mandatory to define the “stat” sub-type, per the definition of the “stat” type and the definition of the “name” attribute.  I include both below for reference:

                                                              i.      "stat":  Provides a login security statistical warning that MUST set the "name" attribute to the name of the statistic.

1.       How about updating this description to highlight that the “name” is used to define the statistic sub-type, such as “Provides a login security statistical warning that MUST set the "name" attribute to the name of the statistic sub-type.”?  When using the “stat” type, the use of the sub-type is required by using the “name” attribute.

                                                            ii.      "name":  Used to define a sub-type when the "type" attribute is not "custom" or the full type name when the "type" attribute is "custom".

1.       This description is accurate for the “stat” type, since the “name” attribute is used to define the sub-type.

I have a bit of hard time reading your comment due to the numbering. As long as the the description "name" paragraph in some way specifies that both "stat" and "custom" MUST define "name" it will be fine IMHO.


JG – The “stat” and “custom” types already define that the “name” attribute is required, so why would the “name” attribute need to include the reverse statement?  The change that I proposed was to ensure that the definition of the “stat” type used the appropriate language by referring to the use of the “name” attribute to define the statistic sub-type.  The definition of the “stat” type would read “Provides a login security statistical warning that MUST set the "name" attribute to the name of the statistic sub-type.”  The “name” attribute defines either the sub-type or the full type name when the type is “custom”.  The requirement for the inclusion of the “name” attribute is defined by the type.


1.

2.       In Section 4.1, <loginSec:userAgent> specifies that one of the child element must be included if the request contained <loginSec:userAgent>.  In the Formal Syntax section, the XML does not enforce it.  If the XML syntax uses what XML Schema offers, then editors should check on <choice> element.

a.       I’m unaware of a clean method to enforce having at least one of the sub-elements (app, tech, and os) via the XML schema, since there can be one to three of the elements that is not well suited for the use of a <choice>.  We need to ensure that there are no duplicates and maintaining the order would be preferred.  Do you or anyone else have a proposal that can be used?  My recommendation is to keep the XML schema as is and to have the server validate the existence of at least one sub-element after the XML parser, per the language of the specification.

The original schema can maintain order, but can't maintain the presence.

The following could work (in XML schema, <choice> can contain <sequence>, not just <element>, I haven't build any code to confirm it):

***
<choice>
  <sequence>
    <element name="app" />
    <element name="tech" minOccurs="0"  />
    <element name="os" minOccurs="0" />
  </sequence>
  <sequence>
    <element name="tech" />
    <element name="os" minOccurs="0" />
  <sequence>
  <element name="os" />
</choice>
***

JG – Yes, your proposal should work fine with the inclusion of the type=”token” for each of the elements and fixing the last <sequence> with </sequence>, as in:

  <complexType name="userAgentType">
            <choice>
              <sequence>
                        <element name="app" type="token" />
                        <element name="tech" type="token" minOccurs="0"  />
                        <element name="os" type="token" minOccurs="0" />
              </sequence>
              <sequence>
                        <element name="tech" type="token" />
                        <element name="os" type="token" minOccurs="0" />
              </sequence>
              <element name="os" type="token"/>
            </choice>
  </complexType>

I can modify the XML schema in the draft to include this.

Best,
Joseph



1.

a.
Thanks,

--

JG

[cid:image001.png@01D255E2.EB933A30]

James Gould
Distinguished Engineer
jgould@Verisign.com

703-948-3271
12061 Bluemont Way
Reston, VA 20190

Verisign.com<http://verisigninc.com/>

From: regext <regext-bounces@ietf.org<mailto:regext-bounces@ietf.org>> on behalf of Joseph Yee <jyee@afilias.info<mailto:jyee@afilias.info>>
Date: Tuesday, September 24, 2019 at 3:09 PM
To: regext <regext@ietf.org<mailto:regext@ietf.org>>
Subject: [EXTERNAL] [regext] Document Shepherd Write Up of Login-Security

All,

I had uploaded the document shepherd write up of login-security and available at the link below for your reference:

https://datatracker.ietf.org/doc/draft-ietf-regext-login-security/shepherdwriteup/

Best,
Joseph

v2.23.0 | Report a Bug | By Email