Re: [rtcweb] Alexey Melnikov's Discuss on draft-ietf-rtcweb-security-arch-18: (with DISCUSS)

Adam Roach <adam@nostrum.com> Tue, 26 March 2019 13:14 UTC

Thanks, Sean.

I have already given Sean this guidance, but for the benefit of others: 
at this point, I am imposing a moratorium on adding any new normative 
dependencies from Cluster 238 documents to any works in progress, 
regardless of their level of maturity.

In this case: if RFC 5785bis completes prior to publication of 
rtcweb-security-arch, the RFC editor will (as a matter of practice) ask 
the authors whether they want to update the reference. If it does not, 
we do not want to block publication of the rest of the cluster on it.

/a

On 3/26/19 11:28, Sean Turner wrote:
>
>> On Mar 7, 2019, at 02:31, Sean Turner <sean@sn3rd.com> wrote:
>>
>>
>>
>>> On Mar 7, 2019, at 04:37, Adam Roach <adam@nostrum.com> wrote:
>>>
>>> On 3/5/19 3:52 AM, Alexey Melnikov wrote:
>>>> My apologies for filing a procedural DISCUSS on this, but I am looking at:
>>>>
>>>> 7.5.  Determining the IdP URI
>>>>
>>>>    3.  The path, starting with "/.well-known/idp-proxy/" and appended
>>>>        with the IdP protocol.  Note that the separator characters '/'
>>>>        (%2F) and '\' (%5C) MUST NOT be permitted in the protocol field,
>>>>        lest an attacker be able to direct requests outside of the
>>>>        controlled "/.well-known/" prefix.  Query and fragment values MAY
>>>>        be used by including '?' or '#' characters.
>>>>
>>>> "idp-proxy" is not registered in the IANA's
>>>> <https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml>
>>>> registry and this document doesn't register it either. If I missed where this
>>>> is registered, please point me to the right document. If I haven't, please
>>>> register it in this document.
>>>>
>>> Good catch! Thanks.
>>>
>>> /a
>> I submitted a PR:
>> https://github.com/rtcweb-wg/security-arch/pull/86/files
>> And fired off a message to the expert list.
> The response from the DE:
>
> From: Mark Nottingham <mnot@mnot.net>
> Date: Thu, 14 Mar 2019 14:53:35 +1100
> Cc: wellknown-uri-review@ietf.org,
>   draft-ietf-rtcweb-security-arch.all@ietf.org
> To: Sean Turner <sean@sn3rd.com>
>
> Looks fine to me, although it'd be better to refer to 5785bis.
>
>> On 7 Mar 2019, at 12:30 pm, Sean Turner <sean@sn3rd.com> wrote:
>>
>> Hi! We’re looking to register idp-proxy.  It’s used in:
>> https://datatracker.ietf.org/doc/draft-ietf-rtcweb-security-arch/
>> We forgot to register it (Alexey caught it) and I submitted the
>> following PR to add it:
>> https://github.com/rtcweb-wg/security-arch/pull/86/files
>> Let us know what you think.
>>
>> spt
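The path rule quoted from section 7.5 in the thread above, as an added example that is not part of the original messages or of the draft: a sketch of building the IdP proxy URI while refusing protocol values that would leave the "/.well-known/idp-proxy/" prefix. The function names, the `https` scheme with the IdP domain as authority, the host-format check and the dot-segment check are assumptions added here; `idp.example` is a constructed value.

```javascript
// Added example: all names are hypothetical, not from the draft or a browser.
const PREFIX = "/.well-known/idp-proxy/";

function buildIdpProxyUri(idpDomain, protocol) {
  // Assumption: the IdP domain is a bare host with an optional port.
  if (!/^[a-z0-9.-]+(:\d+)?$/i.test(idpDomain)) {
    throw new Error("unexpected characters in IdP domain");
  }
  if (typeof protocol !== "string" || protocol === "") {
    throw new Error("protocol must be a non-empty string");
  }
  // Rule from the quoted text: '/' (%2F) and '\' (%5C) are not permitted
  // in the protocol field, whether literal or percent-encoded.
  if (/[\/\\]|%2f|%5c/i.test(protocol)) {
    throw new Error("separator character in protocol field");
  }
  // Assumption: https scheme with the IdP domain as the authority.
  const uri = new URL("https://" + idpDomain + PREFIX + protocol);
  // Extra check beyond the quoted rule: the URL parser resolves "." and
  // ".." segments, which contain no separator but still change the path.
  // Require exactly one non-empty segment after the prefix once parsed.
  const rest = uri.pathname.startsWith(PREFIX)
    ? uri.pathname.slice(PREFIX.length)
    : "";
  if (rest === "" || rest.includes("/")) {
    throw new Error("path escapes " + PREFIX);
  }
  return uri.href;
}

// Returns the URI string, or null when the inputs are refused.
function tryBuild(idpDomain, protocol) {
  try {
    return buildIdpProxyUri(idpDomain, protocol);
  } catch (e) {
    return null;
  }
}

// Constructed inputs: two accepted values, then refused ones.
const samples = ["default", "default?x=1#f", "a/b", "a%2Fb", "a\\b", "..", "."];
for (const p of samples) {
  console.log(JSON.stringify(p), "->", tryBuild("idp.example", p));
}
```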