IETF Logo Mail Archive

Re: [saag] draft-farrell-decade-ni-09

Stephen Farrell <stephen.farrell@cs.tcd.ie> Sun, 15 July 2012 12:41 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF1CA21F8594 for <saag@ietfa.amsl.com>; Sun, 15 Jul 2012 05:41:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.887
X-Spam-Level:
X-Spam-Status: No, score=-102.887 tagged_above=-999 required=5 tests=[AWL=-0.288, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I99Pjkpw7sPj for <saag@ietfa.amsl.com>; Sun, 15 Jul 2012 05:41:38 -0700 (PDT)
Received: from scss.tcd.ie (hermes.scss.tcd.ie [IPv6:2001:770:10:200:889f:cdff:fe8d:ccd2]) by ietfa.amsl.com (Postfix) with ESMTP id 9407121F8587 for <saag@ietf.org>; Sun, 15 Jul 2012 05:41:37 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id 5B59C1714E5; Sun, 15 Jul 2012 13:42:17 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:in-reply-to:references :subject:mime-version:user-agent:from:date:message-id:received :received:x-virus-scanned; s=cs; t=1342356135; bh=x/GDJiapCD8NKK q9+Z/ZRVNIg8Rdt8Sg8tNPLAATXAM=; b=LCy131qI3v6zQBI4bRUacrWTa+rEDV +6KCYIcfOL0pJpKJAbDXFlgMy6ihZQF/1BcsKR5Qdcu+UvxGz6doLJhSKdz5Sgbj PvaB2zCxdsUK32TzboeXod1Ng/tJ6BWKBBrWK0iF5PzuLU4qYWBa3QDz3m+OrxTO b3HwpYRszrkMISpCWEBD1TFNrx5kY4yvzzB+IjEQ1QzHV5ESMNFBf60EYNiJ5XAZ Ro/ROzq4YKYHRdxt8EzrBQKlD+pNCisE87klvgA0+nXxq7Daghuj4dVvuQfUdWDh zsmkQnqdo5QDaVVru0xPQkDMt5SY0muPcc4Aem22WgMXXOyHryoC7+Cg==
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id 6C+YeSz6kukC; Sun, 15 Jul 2012 13:42:15 +0100 (IST)
Received: from [10.87.48.11] (unknown [86.42.23.214]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id 6D8BF1714E4; Sun, 15 Jul 2012 13:42:15 +0100 (IST)
Message-ID: <5002BAA6.9030106@cs.tcd.ie>
Date: Sun, 15 Jul 2012 13:42:14 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:13.0) Gecko/20120615 Thunderbird/13.0.1
MIME-Version: 1.0
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
References: <36712B13-7409-484B-8A86-85AE8A5CB23A@gmx.net>
In-Reply-To: <36712B13-7409-484B-8A86-85AE8A5CB23A@gmx.net>
X-Enigmail-Version: 1.4.3
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: saag@ietf.org
Subject: Re: [saag] draft-farrell-decade-ni-09
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Jul 2012 12:41:40 -0000

Hi Hannes,

That seems like a bunch of non-actionable comments so
I don't know what response you were after.

My guess is you were expecting to read some other
document, and were surprised when you saw the actual
content here. But I'm not sure that's a problem that's
fixable, nor ought be fixed via changes to this draft.

On 07/15/2012 11:03 AM, Hannes Tschofenig wrote:
> Hi all, 
> 
> I don't really know what the right place is to discuss this document. 

It was discussed on apps-discuss before IETF LC, starting from
around the Paris IETF. During IETF LC it was discussed a lot
(well, I think a lot:-) on ietf@ietf.org and IETF LC ended
last week. The document's on next week's telechat so if you
have specific concerns you might want to communicate them to
an AD as well.

> Hence, I trying the saag mailing list.

If you look at the apps-disucss or ietf@ietf.org archives
you'll maybe get some useful background that covers some of
this.

> I read through the document and my impression is that it tries to accomplish a little bit too too much. 
> 
> As a high level comment you cannot make an assumption about what information is hashed. Another specification is needed to explain the semantic and these other documents exist. For example, I had asked on the TLS mailing list whether we should use this document to convey fingerprints of raw public keys (which come in form of a SubjectPublicKeyInfo in our case). 

I have no idea what you mean. This draft can tell you how to
format hash outputs but can't specify inputs if its to be
useful. Part of the reason for the draft was that other
protocols that can specify the inputs and the use of the
outputs, were all doing it trivially differently, which
seems like a bad plan. (The document says that.)

> This has an impact on the security consideration section, the hash algorithm registry, and various statements made in the document. 
> 
> For example, the statement that "... the hash SHOULD be calculated over the public key in an X.509 SubjectPublicKeyInfo structure..." isn't really useful when the document aims to provide hashes of all sorts of objects and some might not even be X.509 certificates at all. 

I disagree. For the case of public keys, we do know that that
format is useful in more than one case. MUST would be too
much since generally other specs define hash inputs. Hence
SHOULD. I think its correct as-is.

> The encoding of the URI also seems a bit strange. It seems that you have started with the Web use case and then though "Cool. This could be useful in other protocols as well.". But the problem is that other protocols have their own encoding. For example, in the TLS out-of-band validation mechanism there is no internationalization issue nor a need to do a base64 encoding. The binary encoding falls into that category as well.  

So use it or don't use it, but saying its "a bit strange" is... "a bit
strange."  If you want the binary format, then use that rather than
the ni format. That's all fine.

> The .well-known seems to me pretty unrelated to this specification and may have sneaked into the document as part of the Web use case. 

I don't know how to handle a "sneaked in" comment. I think its
a fine thing. (PHB's idea as it happens.)

> The security consideration is a collection of random thoughts. 

Again, that's not a comment I know how to process.

> I have difficulty understanding what is being said there. There are in general two problems to come up with a meaningful text. The first problem is related to the generic nature of your document: it makes a difference what you hash. To pick the TLS oob validation document again there we have a hash of the public key. In other cases you are talking about hashing some file or other objects. Then, the second problem is that you do not know what is done with the hash as part of the overall protocol interaction of the application that is using your URI scheme. So, in the TLS oob validation draft the hash of the public key is associated with the public key cached from an earlier exchange and is also linked to the private key that is then used in the TLS handshake. In other applications the hash just be used to point to some state information that is retrieved. 

The consequences of using these formats are IMO properly the
concern of other documents.

> In a nutshell, there is room to simplify the document. 

In a nutshell, I guess you were expecting something else.
Am I right? If so, then perhaps your comments are more about
that surprise rather than the content of the draft perhaps?

S.

> 
> Ciao
> Hannes
> 
> PS: I am not sure what you are trying to accomplish with the Content Type Query String. 

See the discussion on ietf@ietf.org where a whole bunch
of folks wanted that.


> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
>

v2.23.0 | Report a Bug | By Email