IETF Logo Mail Archive

[Rum] Roman Danyliw's Discuss on draft-ietf-rum-rue-09: (with DISCUSS and COMMENT)

Roman Danyliw via Datatracker <noreply@ietf.org> Wed, 15 December 2021 22:07 UTC

Return-Path: <noreply@ietf.org>
X-Original-To: rum@ietf.org
Delivered-To: rum@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id F11FC3A083D; Wed, 15 Dec 2021 14:07:37 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Roman Danyliw via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-rum-rue@ietf.org, rum-chairs@ietf.org, rum@ietf.org, pkyzivat@alum.mit.edu, pkyzivat@alum.mit.edu
X-Test-IDTracker: no
X-IETF-IDTracker: 7.41.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Roman Danyliw <rdd@cert.org>
Message-ID: <163960605716.22037.6925953082119136922@ietfa.amsl.com>
Date: Wed, 15 Dec 2021 14:07:37 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/rum/pDlZpiAPlj6UN2UlejCrtKCb9j8>
Subject: [Rum] Roman Danyliw's Discuss on draft-ietf-rum-rue-09: (with DISCUSS and COMMENT)
X-BeenThere: rum@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Relay User Machine <rum.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rum>, <mailto:rum-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rum/>
List-Post: <mailto:rum@ietf.org>
List-Help: <mailto:rum-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rum>, <mailto:rum-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Dec 2021 22:07:38 -0000

Roman Danyliw has entered the following ballot position for
draft-ietf-rum-rue-09: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/blog/handling-iesg-ballot-positions/
for more information about how to handle DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-rum-rue/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

** Is there a reason that credential re-use is being suggested as a fall back. 
It seems risky to reuse the credentials across services.  This fall-back also
appears to contradict the guidance in Section 5.1. which says “This
username/password combination SHOULD NOT be the same as that used for other
purposes, such as retrieving the RUE configuration”.  See:

-- Section 7.1.  Per access to the CardDAV server, “[i]f no matching
credentials are configured, the RUE MUST use the SIP credentials from the
configuration.”

-- Section 9.2.2.  sip-password says “If it was never supplied, the password
used to authenticate to the configuration service is used for SIP, STUN and
TURN.”

-- Section 9.2.2.  carddav field says that “If username or password are not
supplied, the main account credentials are used. “

** Is there a reason that a minimum transport requirements of using HTTPS is
not defined for accessing the SIP-supporting elements of this architecture.

-- Section 7.1.  Access to the CardDAV service?  Does the guidance in Section
7.2 (The RUE stores/retrieves the contact list (address book) by issuing an
HTTPS POST or GET request.) imply that?

-- Section 9.  Using the overall API? Does the guidance in Section 9.2 (A RUE
device may retrieve a provider configuration the using a simple HTTPs web
service) imply that?

-- Section 9.2.1.  For the URI configuration options noted in this section
(e.g., the uri in signup)?

** Section 11.  There are more than 10 20 normative SIP protocol references in
this document.  Which of their security considerations apply?


----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Thank you to Russ Mundy for the SECDIR review.

** Section 2.  Thanks for defining all of this terminology up front.  As many
of these are components in the architecture, I would have benefit from a
diagram early in the document showing how these components integrate. **
Section 5.1.  The paragraph starting with “The registrar MAY authenticate using
SIP digest authentication …”, should likely say that the technique for
provisioning the credentials is out of scope for this profile.

** Section 8.  Typo. s/mechansism/mechanism/

** Section 9.1
IANA has established a registry that contains
   a two letter country code and an entry point string.

Recommend adding a forward reference to Section 10.1.

** Section 9.1.
   For example,
   if the entryPoint is "example.com", the provider list would be
   obtained from https://example.com/rum/V1/Providers.

This example doesn’t match the syntax of Section 9.3.  “V1” here and “v1” in
Section 9.3.

** Section 9.2.  It would be helpful in this narrative text for the input
values names to match the actual field names used in the API in Section 9.3. 
Specifically, “API Key” is “apiKey”, and “instance identifier” is “instanceId”

** Section 9.2.1.  Per the language value in the signup configuration option,
please provide a reference to the IAN language subtag registry
(https://www.iana.org/assignments/language-subtag-registry/language-subtag-registry).

** Section 9.2.2.  sendLocationWithRegistation is listed as a stand-alone field
here, but in Section 9.3, it is shown to be part of the carddav object.  Which
is correct?

** Section 9.2.3.  Figure 4.  This example is not conformance to the previously
described syntax.  All of the values of the “uri” fields should be a URI, but
all of them are missing a scheme.

** Section 9.3.  [OpenAPI] needs to be a normative reference as its syntax is
needed to understand this section.

v2.23.0 | Report a Bug | By Email