Re: [regext] Stephen Farrell's Discuss on draft-ietf-eppext-tmch-smd-04: (with DISCUSS and COMMENT)
Gustavo Lozano <gustavo.lozano@icann.org> Thu, 10 March 2016 12:58 UTC
Return-Path: <gustavo.lozano@icann.org>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56CBA12D723; Thu, 10 Mar 2016 04:58:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.202
X-Spam-Level:
X-Spam-Status: No, score=-4.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WuDIcvTGQU3u; Thu, 10 Mar 2016 04:58:15 -0800 (PST)
Received: from out.west.pexch112.icann.org (pfe112-ca-1.pexch112.icann.org [64.78.40.7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DC99112D720; Thu, 10 Mar 2016 04:58:15 -0800 (PST)
Received: from PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) by PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) with Microsoft SMTP Server (TLS) id 15.0.1130.7; Thu, 10 Mar 2016 04:58:13 -0800
Received: from PMBX112-W1-CA-1.pexch112.icann.org ([64.78.40.21]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([64.78.40.21]) with mapi id 15.00.1130.005; Thu, 10 Mar 2016 04:58:13 -0800
From: Gustavo Lozano <gustavo.lozano@icann.org>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, The IESG <iesg@ietf.org>, Barry Leiba <barryleiba@computer.org>
Thread-Topic: Stephen Farrell's Discuss on draft-ietf-eppext-tmch-smd-04: (with DISCUSS and COMMENT)
Thread-Index: AQHResyBqoa9b3ZR8EKcjbsTQyyTYA==
Date: Thu, 10 Mar 2016 12:58:13 +0000
Message-ID: <D3071EA8.FA15E%gustavo.lozano@icann.org>
References: <20160215191046.25962.24626.idtracker@ietfa.amsl.com> <D2EB39F0.F50BD%gustavo.lozano@icann.org> <56D9B557.3020001@cs.tcd.ie> <D300AC67.F8C28%gustavo.lozano@icann.org> <56DDA4EC.7040402@cs.tcd.ie> <D30603D6.F9DBD%gustavo.lozano@icann.org> <56E093BB.1060906@cs.tcd.ie>
In-Reply-To: <56E093BB.1060906@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.6.1.160122
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [192.0.32.234]
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="B_3540459484_6285831"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/regext/t7Um_TpAGxL2Wzf0LCznZgS85B0>
Cc: "draft-ietf-eppext-tmch-smd@ietf.org" <draft-ietf-eppext-tmch-smd@ietf.org>, "nkong@cnnic.cn" <nkong@cnnic.cn>, "eppext@ietf.org" <eppext@ietf.org>, "eppext-chairs@ietf.org" <eppext-chairs@ietf.org>
Subject: Re: [regext] Stephen Farrell's Discuss on draft-ietf-eppext-tmch-smd-04: (with DISCUSS and COMMENT)
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Mar 2016 12:58:18 -0000
Thank you again Stephen, I just published version 06 with your suggestions. Colleagues, I think that this version solves all the concerns and incorporates the suggestions received from the community, IESG, etc. Regards, Gustavo On 3/9/16, 21:20, "Stephen Farrell" <stephen.farrell@cs.tcd.ie> wrote: > > >On 09/03/16 18:02, Gustavo Lozano wrote: >> Thank you Stephan, I appreciate your input, >> >> I modified the following paragraph in the introduction section based on >> your suggestion, and added the tmch-func-spec I-D to the informative >> section. Do you think that the aforementioned changes solve your >>concerns? >> >> It's worth mentioning that I have not published a newer version of the >> I-D, because I want to know your thoughts first. >> >> - - start - - >> The detailed policy regarding the public key infrastructure (PKI), >> authorized validators, and other requirements must be defined based on >>the >> local policy of the entities using this specification. In the case of >> gTLDs, the detailed policy regarding the use of this specification is >> defined in the Rights Protection Mechanism Requirements document (see >> [ICANN-TMCH]), and the PKI is defined in >>[I-D.ietf-eppext-tmch-func-spec]. >> - - end - > >That's good but needs a little more I think, maybe like: > >"The detailed policy regarding the public key infrastructure (PKI), >authorized validators, and other requirements must be defined based on >the local policy of the entities using this specification. In the case >of gTLDs, the detailed policy regarding the use of this specification is >defined in the Rights Protection Mechanism Requirements document (see >[ICANN-TMCH]), and the PKI is defined in >[I-D.ietf-eppext-tmch-func-spec]. Implementations will need to implement >such a PKI (or an >equivalent) in order for the signatures defined in this document to >have any useful semantics." > >I think you also need to say something similar in the security >considerations section where you currently only point to ICANN-TMCH. >You could do that by pointing back to the above text maybe. > >Cheers, >S. > >> >> Regards, >> Gustavo >> >> On 3/7/16, 15:57, "Stephen Farrell" <stephen.farrell@cs.tcd.ie> wrote: >> >>> >>> Hiya, >>> >>> On 05/03/16 16:54, Gustavo Lozano wrote: >>>> Thank you Stephen, >>>> >>>> Comments inline. >>>> >>>> Regards, >>>> Gustavo >>>> >>>> On 3/4/16, 10:18, "Stephen Farrell" <stephen.farrell@cs.tcd.ie> wrote: >>>> >>>>> >>>>> Hi Gustavo, >>>>> >>>>> Sorry for the slow response... >>>>> >>>>> On 18/02/16 17:20, Gustavo Lozano wrote: >>>>>> Thank you for your review Stephen, >>>>>> >>>>>> Regarding the DISCUSS portion of your email: >>>>>> >>>>>> Short story: in the case of the gTLD space, the information >>>>>>regarding >>>>>> the >>>>>> PKI used for validating SMDs is defined here: >>>>>> https://tools.ietf.org/html/draft-ietf-eppext-tmch-func-spec-00 >>>>>> (sections: >>>>>> 4.1, 5.1.1.3, 5.1.2.3, 5.2.1, 5.2.2, 5.2.3.1, 5.2.3.2, 5.2.4, 5.2.5, >>>>>> 6.2, >>>>>> 6.4). >>>>> >>>>> Sorry, but that is too short a story for me to grok it:-) >>>>> >>>>>> >>>>>> Long story: >>>>>>https://tools.ietf.org/html/draft-ietf-eppext-tmch-smd-04 >>>>>> (SMD >>>>>> draft) was conceived as a draft defining a mapping of the common >>>>>> elements >>>>>> found in trademark data. The design goal is that the SMD draft >>>>>> specification could be used by any entity (e.g. ccTLDs, gTLDs, >>>>>> trademark >>>>>> validators <-> distribution channel) for mapping the tradermak data. >>>>>> The >>>>>> organizations using the digitally signed portion of the spec will >>>>>>need >>>>>> to >>>>>> define a PKI and the policy for that particular use-case scenario. >>>>> >>>>> Right. The issue is what information about that PKI is needed in this >>>>> draft. Without any, all we end up knowing is that the signature bits >>>>> are ok, but nothing about their meaning. Now that could be a valid >>>>> approach to take, but you'd need to say so and why say what else is >>>>> needed to make an implementation of this usable. >>>> >>>> draft-ietf-eppext-tmch-smd-04 defines the format of the XML blob. In >>>> other >>>> words, it should be enough to syntactically validate the XML blob >>>>(with >>>> or >>>> without digital signatures). The definition of the PKI is an exercise >>>> for >>>> a party that wants to use this format, and digitally sign the XML >>>>blob. >>>> In >>>> the case of the ICANN-TMCH, the PKI is defined in >>>> draft-ietf-eppext-tmch-func-spec-00. >>>> >>>> >>>> I think that this is explained in the introduction, but the text may >>>> need >>>> to be tweaked? >>> >>> Yes. Both the abstract and intro say that this document defines a thing >>> called a "digitally signed mark" - some people would consider that to >>> define such a thing, you do need to say how it relates to a PKI, or, in >>> this case, to say that that is defined elsewhere and point at an >>>example >>> of such an elsewhere. >>> >>>> >>>>> >>>>> I'm also puzzled that the func-spec draft you mention above, in >>>>> section 5.1.1.3, points to a specific root cert (presumably operated >>>>>by >>>>> icann?). >>>> >>>> Correct, the root cert mentioned in section 5.1.1.3 of >>>> draft-ietf-eppext-tmch-func-spec is used for validating the SMDs >>>> generated >>>> by the ICANN-TMCH. >>>> >>>>> Presumably that means that the func-spec is specific to >>>>> what ICANN did and plan to do in future with gTLDs and the func-spec >>>>> is not meant to be something generic that can be used by e.g. ccTLDs? >>>> >>>> Correct, draft-ietf-eppext-tmch-func-spec is specific to what ICANN >>>>did >>>> for the new gTLD program. An SMD generated by the ICANN-TMCH basically >>>> says: a validator using ICANN policies, validated that X is the holder >>>> of >>>> the mark Y. A ccTLD may want to use the same policies, and use the >>>>root >>>> cert provided by ICANN for validating the SMDs generated by the >>>> ICANN-TMCH. A ccTLD may want to use different policies, use the format >>>> defined in draft-ietf-eppext-tmch-smd-04, and if interested in using >>>> digital signatures, define its own PKI. >>> >>> I think you need that information or an equivalent in this document. >>> The func-spec reference can be informative and not normative if you >>>need >>> to have this document as an RFC before the func-spec. (In that case >>> you'd need to say something like "a PKI for using this with new gTLDs >>> will also be defined by the EPPEXT WG in [func-spec]".) But I think >>> it'd be better if this RFC and the func-spec one popped out together. >>> >>>>>> In the >>>>>> case of new gTLDs, the [ICANN-TMCH] >>>>>> >>>>>> >>>>>> >>>>>>(<http://newgtlds.icann.org/en/about/trademark-clearinghouse/rpm-requ >>>>>>ir >>>>>> em >>>>>> en >>>>>> ts-30sep13-en.pdf>) is the document (included by reference in the >>>>>>new >>>>>> gTLD >>>>>> contracts) defining the policy / technical requirements. The >>>>>>document >>>>>> [ICANN-TMCH] links to >>>>>> https://tools.ietf.org/html/draft-ietf-eppext-tmch-func-spec-00 >>>>> >>>>> I didn't see any mention of that I-D in [ICANN-TMCH] - are we looking >>>>> at the right things? >>>> >>>> The draft is mentioned as draft-lozano-tmch-func-spec (see section >>>> 2.4.1). >>>> The draft was renamed as draft-ietf-eppext-tmch-func-spec when the >>>> EPPEXT >>>> WG accepted it as a WG document. >>> >>> As I suggested above, I think you need to refer to func-spec from this >>> draft. Doing so via the ICANN doc, via an expired I-D seems like a bad >>> idea when you can do it directly. >>> >>> Cheers, >>> S. >>> >>>> >>>> >>>>> >>>>>> where the >>>>>> technical requirements are specified. For example, a ccTLD may use >>>>>> this >>>>>> spec with different policy / technical requirements, therefore >>>>>> [ICANN-TMCH] / draft-ietf-eppext-tmch-func-spec-00 is just how it >>>>>>was >>>>>> done >>>>>> in the gTLD space. I included [ICANN-TMCH] to provide the context >>>>>>for >>>>>> the >>>>>> creation of this spec, an as an example of how it was done for new >>>>>> gTLDs. >>>>> >>>>> Right. The question is what information (about the PKI) is needed for >>>>> this to be usable in general. >>>>> >>>>> Cheers, >>>>> S. >>>>> >>>>>> >>>>>> Regarding the COMMENT portion of your email: >>>>>> >>>>>> - Please see the secdir review [1] which raises a number of >>>>>> significant points (including the DISCUSS above) and which >>>>>> hasn't as far as I've seen gotten a response (apologies if I >>>>>> missed that). >>>>>> >>>>>> [1] >>>>>> https://www.ietf.org/mail-archive/web/secdir/current/msg06248.html >>>>>> >>>>>> Gustavo - I think that I resolved all the issues raised in [1] in >>>>>> version >>>>>> 04 of the draft. >>>>>> >>>>>> - "precudle" nice:-) >>>>>> >>>>>> >>>>>> Gustavo - I will fix this :). >>>>>> >>>>>> Regards, >>>>>> >>>>>> Gustavo >>>>>> >>>>>> On 2/15/16, 11:10, "Stephen Farrell" <stephen.farrell@cs.tcd.ie> >>>>>> wrote: >>>>>> >>>>>>> Stephen Farrell has entered the following ballot position for >>>>>>> draft-ietf-eppext-tmch-smd-04: Discuss >>>>>>> >>>>>>> When responding, please keep the subject line intact and reply to >>>>>>>all >>>>>>> email addresses included in the To and CC lines. (Feel free to cut >>>>>>> this >>>>>>> introductory paragraph, however.) >>>>>>> >>>>>>> >>>>>>> Please refer to >>>>>>> https://www.ietf.org/iesg/statement/discuss-criteria.html >>>>>>> for more information about IESG DISCUSS and COMMENT positions. >>>>>>> >>>>>>> >>>>>>> The document, along with other ballot positions, can be found here: >>>>>>> https://datatracker.ietf.org/doc/draft-ietf-eppext-tmch-smd/ >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>>-------------------------------------------------------------------- >>>>>>>-- >>>>>>> DISCUSS: >>>>>>> >>>>>>> >>>>>>>-------------------------------------------------------------------- >>>>>>>-- >>>>>>> >>>>>>> >>>>>>> Section 7 points to [ICANN-TMCH] for signature validation policy >>>>>>> (I think, not quite sure). I did a quick scan (so I might have >>>>>>> missed it) of that document and did not find any mention of >>>>>>> security or signature validation, so what is an implementer >>>>>>> supposed to do, over and above just checking the cryptographic >>>>>>> correctness of the XMLDSIG? Note1: I'm not asking that all of >>>>>>> the details of how to construct a PKI for this functionality be >>>>>>> documented here, somewhere else is fine, but it doesn't seem to >>>>>>> be in [ICANN-TMCH] that I can see, so I don't know what I'd have >>>>>>> to implement, that'd get interop. Note2: I'm also not asking for >>>>>>> a US-DoD-scale super-huge PKI or RPKI to be specified here, >>>>>>> something simpler should work. >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>>-------------------------------------------------------------------- >>>>>>>-- >>>>>>> COMMENT: >>>>>>> >>>>>>> >>>>>>>-------------------------------------------------------------------- >>>>>>>-- >>>>>>> >>>>>>> >>>>>>> - Please see the secdir review [1] which raises a number of >>>>>>> significant points (including the DISCUSS above) and which >>>>>>> hasn't as far as I've seen gotten a response (apologies if I >>>>>>> missed that). >>>>>>> >>>>>>> [1] >>>>>>> https://www.ietf.org/mail-archive/web/secdir/current/msg06248.html >>>>>>> >>>>>>> - "precudle" nice:-) >>>>>>> >>>>>>> >
- Re: [regext] Stephen Farrell's Discuss on draft-i… Gustavo Lozano