IETF Logo Mail Archive

Re: [sacm] Ben Campbell's Discuss on draft-ietf-sacm-nea-swima-patnc-02: (with DISCUSS and COMMENT)

"Schmidt, Charles M." <cmschmidt@mitre.org> Tue, 06 March 2018 01:12 UTC

Return-Path: <cmschmidt@mitre.org>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2205E12E9D9; Mon, 5 Mar 2018 17:12:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mitre.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nOQvpb8g_1tv; Mon, 5 Mar 2018 17:12:01 -0800 (PST)
Received: from smtpvmsrv1.mitre.org (smtpvmsrv1.mitre.org [192.52.194.136]) by ietfa.amsl.com (Postfix) with ESMTP id AB39412EA52; Mon, 5 Mar 2018 17:12:01 -0800 (PST)
Received: from smtpvmsrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id A5A716C0049; Mon, 5 Mar 2018 20:12:01 -0500 (EST)
Received: from imshyb01.MITRE.ORG (unknown [129.83.29.2]) by smtpvmsrv1.mitre.org (Postfix) with ESMTP id 915EB6C0039; Mon, 5 Mar 2018 20:12:01 -0500 (EST)
Received: from imshyb01.MITRE.ORG (129.83.29.2) by imshyb01.MITRE.ORG (129.83.29.2) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Mon, 5 Mar 2018 20:12:00 -0500
Received: from gcc01-CY1-obe.outbound.protection.outlook.com (10.140.19.249) by imshyb01.MITRE.ORG (129.83.29.2) with Microsoft SMTP Server (TLS) id 15.0.1263.5 via Frontend Transport; Mon, 5 Mar 2018 20:12:00 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mitre.onmicrosoft.com; s=selector1-mitre-org; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=3g8SmICF4dKszhVbxkCst3K4i2aBG6Ktd6s7iLpnf0Y=; b=jhn18hIPSpa30Ukq5dOSwpwyNqmI57WLgZ4psmGkQ2RhHeWoKk2IcM8lsWeOXCkUQOPpI40fQmW/eDHFVfIBIFR6gJ73pABFZIQFf3e2Xqp+qtr6N3yMWMBHdL0PiDklniZO8ZRvujTHMkbuRVb9tMHOGGsnhNzBkfx7DUxi4CY=
Received: from DM5PR0901MB2375.namprd09.prod.outlook.com (52.132.133.18) by DM5PR0901MB2375.namprd09.prod.outlook.com (52.132.133.18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.548.13; Tue, 6 Mar 2018 01:11:59 +0000
Received: from DM5PR0901MB2375.namprd09.prod.outlook.com ([fe80::21b9:ccf6:187e:85e1]) by DM5PR0901MB2375.namprd09.prod.outlook.com ([fe80::21b9:ccf6:187e:85e1%13]) with mapi id 15.20.0548.016; Tue, 6 Mar 2018 01:11:59 +0000
From: "Schmidt, Charles M." <cmschmidt@mitre.org>
To: Ben Campbell <ben@nostrum.com>
CC: "sacm-chairs@ietf.org" <sacm-chairs@ietf.org>, Karen O'Donoghue <odonoghue@isoc.org>, The IESG <iesg@ietf.org>, "sacm@ietf.org" <sacm@ietf.org>, "draft-ietf-sacm-nea-swima-patnc@ietf.org" <draft-ietf-sacm-nea-swima-patnc@ietf.org>
Thread-Topic: [sacm] Ben Campbell's Discuss on draft-ietf-sacm-nea-swima-patnc-02: (with DISCUSS and COMMENT)
Thread-Index: AQHTsdVhBrtttTsYykuKkDXdvise8aPCalqg
Date: Tue, 06 Mar 2018 01:11:59 +0000
Message-ID: <DM5PR0901MB23759238C98C5F9E82AB5D7CABD90@DM5PR0901MB2375.namprd09.prod.outlook.com>
References: <151926897179.21101.1205735756502467820.idtracker@ietfa.amsl.com> <DM5PR0901MB2375564B76246A1DA5FCE4A7ABC30@DM5PR0901MB2375.namprd09.prod.outlook.com> <080CB857-150E-450C-B685-8A10FA0D3984@nostrum.com>
In-Reply-To: <080CB857-150E-450C-B685-8A10FA0D3984@nostrum.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=cmschmidt@mitre.org;
x-originating-ip: [192.160.51.88]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DM5PR0901MB2375; 7:ondMlHXv6uUrEVnzw9SlQy6bPAUT4mfmphug/xF6u/9Padfpboe2PT+hF0aN3fuTOpMnq0Ju2HxWs1K3bRzjLcaCUGGQsTsHluII/evdse0uD+kEUNoHpEoR7UI9fQxKu9WY+aAg2WU8PQwfJlfRxU8HmqvV/FKoxJ1rJCFAf48INXOaWwmr3Ss4qRVA4W7DuK14p1Qr8EJJA0UtEnMVVqs14e5Iql6lAJxFXPorCLzRM6rD60ex0TkqSwdgxqVL
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 7c41a200-5bd6-465c-41cd-08d582ff42d9
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(48565401081)(5600026)(4604075)(3008032)(4534165)(4627221)(201703031133081)(201702281549075)(2017052603328)(7153060)(7193020); SRVR:DM5PR0901MB2375;
x-ms-traffictypediagnostic: DM5PR0901MB2375:
x-microsoft-antispam-prvs: <DM5PR0901MB2375A82438AF93B10B547E54ABD90@DM5PR0901MB2375.namprd09.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(120809045254105)(192374486261705);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040501)(2401047)(8121501046)(5005006)(10201501046)(93006095)(93001095)(3231220)(944501244)(52105095)(3002001)(6055026)(6041288)(20161123558120)(20161123562045)(20161123564045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(6072148)(201708071742011); SRVR:DM5PR0901MB2375; BCL:0; PCL:0; RULEID:; SRVR:DM5PR0901MB2375;
x-forefront-prvs: 06036BD506
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39860400002)(376002)(366004)(396003)(346002)(39380400002)(189003)(199004)(13464003)(59450400001)(105586002)(305945005)(81156014)(9686003)(6506007)(81166006)(6306002)(8666007)(66066001)(26005)(2906002)(53546011)(55016002)(8936002)(54906003)(4326008)(5250100002)(25786009)(8676002)(53936002)(316002)(74316002)(33656002)(6436002)(102836004)(6246003)(68736007)(106356001)(229853002)(345774005)(3280700002)(186003)(5660300001)(966005)(2900100001)(2950100002)(97736004)(3660700001)(76176011)(99286004)(6916009)(86362001)(478600001)(3846002)(6116002)(7736002)(7696005)(14454004); DIR:OUT; SFP:1101; SCL:1; SRVR:DM5PR0901MB2375; H:DM5PR0901MB2375.namprd09.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: mitre.org does not designate permitted sender hosts)
x-microsoft-antispam-message-info: sj0qs1GkBE99IYbr7tr6CBB1HmZd+NOr1zvJYWtUUzlzrF31COZLYL3L0GZiSXsC6ZyJV3Ztowm+UnB20uzI2HIPbKGnJkNtCpsL53vhPSSTVA1I5uVY77lLKsktq5XJvbC4kNsDqf5dc12mqzKf+L4nMZPBOVL263EFRmGw7ILiFsVu+A2KTZHafo4SC6Od+q+c/cXYV79BxDXbXakYUw2JVvtk2slGTnIakqHkHB3Kt8WNyQhzmzuMXmWck/SQMbxVq5jaRz93EAyDckrD7ABgU+g7hsb3DlGyJeYLBf5ecYPt5GEi09EHVtP60Ary8+B0aXHLW5cTnlnQoahKZA==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 7c41a200-5bd6-465c-41cd-08d582ff42d9
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Mar 2018 01:11:59.1817 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: c620dc48-1d50-4952-8b39-df4d54d74d82
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR0901MB2375
X-OriginatorOrg: mitre.org
X-MITRE: 8GQsMWxq66rxk57w
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/4W35RteU28ft7tCJlaVeI3IQSEE>
Subject: Re: [sacm] Ben Campbell's Discuss on draft-ietf-sacm-nea-swima-patnc-02: (with DISCUSS and COMMENT)
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Mar 2018 01:12:18 -0000

Hi Ben,

Thank you for the follow-up. I made some additional modifications (-04 draft) that I hope address your remaining comments.

Regarding your nit, I moved the Relationship to Other Specifications before the Security Considerations. The last sections are now the three you note.

Regarding your comment on 2.4:

> >> §2.4: This seems to assume there is never a need to hide information
> from
> >> intermediaries. Is that the intent? (Or maybe there aren't any
> >> intermediaries?)
> >
> > This is not the intent. NEA has multiple parts and the intent is to clarify that
> the SWIMA part isn't the part dealing with data confidentiality. The portion
> that handles confidentiality is the PT layer of the NEA architecture. (PT-TLS
> and PT-EAP) All I'm trying to do is emphasize that, if confidentiality is an issue,
> make sure your NEA architecture is set up to support that.
> 
> I think what is confusing me is the “title” of the non-requirement is “End to
> End confidentiality”. I admit to not knowing the sacm work well enought to
> know what the “ends” are, but am I correct to assume that PT-TLS, like most
> uses of TLS, is hop-by-hop? Does the data every cross more than one hop? Is
> the answer the dame for PT-EAP?

Re-reading this section, I agree that the section was confusing. I renamed the section to "Non-SWIMA Requirements" (and renamed the preceding section to "SWIMA Requirements"). Hopefully this clarifies that the specification is not talking about what is and is not required, but simply which requirements need to be addressed by SWIMA and which requirements need to be addressed by other standards.

I also changed the text as follows:

   There are certain capabilities that users of the SWIMA specification
   might require but which are beyond the scope of SWIMA itself and need
   to be addressed by other standards.  This list is not exhaustive.

   End to End Confidentiality:  The SWIMA specification does not define
      a mechanism for confidentiality, nor is confidentiality
      automatically provided by using the PA-TNC interface.  In the NEA
      architecture, confidentiality is generally provided by the
      underlying transport protocols, such as the PT Binding to TLS
      [RFC6876] or PT-EAP Posture Transport for Tunneled EAP Methods
      [RFC7171] - see Section 7 for more information on related
      standards.  The information conveyed by SWIMA is often sensitive
      in nature for both security (Section 8) and privacy (Section 9)
      reasons.  Those who implement SWIMA need to ensure that
      appropriate NEA transport mechanisms are employed to meet
      confidentiality requirements.

Hopefully that makes things clearer. To more directly answer your question, PT-TLS is just TLS with some minor added constraints to fit with the NEA architecture. Likewise, PT-EAP is basically just EAP. SWIMA should be agnostic as to whether or not there are hops in the transmission and delegate all responsibility for maintaining confidentiality across any hops to the PT protocol in question. Does this help?

Thanks again for the clarifications. Hopefully the new draft (-04) will address those remaining concerns.

Charles

> -----Original Message-----
> From: sacm [mailto:sacm-bounces@ietf.org] On Behalf Of Ben Campbell
> Sent: Thursday, March 01, 2018 9:19 PM
> To: Schmidt, Charles M. <cmschmidt@mitre.org>
> Cc: sacm-chairs@ietf.org; Karen O'Donoghue <odonoghue@isoc.org>; The
> IESG <iesg@ietf.org>; sacm@ietf.org; draft-ietf-sacm-nea-swima-
> patnc@ietf.org
> Subject: Re: [sacm] Ben Campbell's Discuss on draft-ietf-sacm-nea-swima-
> patnc-02: (with DISCUSS and COMMENT)
> 
> 
> 
> > On Feb 24, 2018, at 1:01 AM, Schmidt, Charles M. <cmschmidt@mitre.org>
> wrote:
> >
> > Hello,
> >
> > Thanks a bunch for your feedback. In general I agree with your comments
> and made changes to address them. Some quick clarifications:
> >
> >> §2.4: This seems to assume there is never a need to hide information
> from
> >> intermediaries. Is that the intent? (Or maybe there aren't any
> >> intermediaries?)
> >
> > This is not the intent. NEA has multiple parts and the intent is to clarify that
> the SWIMA part isn't the part dealing with data confidentiality. The portion
> that handles confidentiality is the PT layer of the NEA architecture. (PT-TLS
> and PT-EAP) All I'm trying to do is emphasize that, if confidentiality is an issue,
> make sure your NEA architecture is set up to support that.
> 
> I think what is confusing me is the “title” of the non-requirement is “End to
> End confidentiality”. I admit to not knowing the sacm work well enought to
> know what the “ends” are, but am I correct to assume that PT-TLS, like most
> uses of TLS, is hop-by-hop? Does the data every cross more than one hop? Is
> the answer the dame for PT-EAP?
> 
> 
> 
> >
> >> §3.4.3,
> >> -- first paragraph: What is the expected scope of uniqueness for record
> >> identifiers? -- In the sentence "The Record Identifier SHOULD remain
> >> unchanged
> >> if that record is modified.", why is the SHOULD not a MUST? What would
> >> happen
> >> if the identifier did change?
> >
> > It is SHOULD rather than MUST because, under some tracking conditions it
> might not be possible to distinguish between a record being modified and a
> record being deleted and a new record being created. Will add clarifying text
> to this effect. If the system thinks that a modification is actually a
> delete/create action, it would be treated as such with a new record identifier
> being assigned to the "created" record.
> >
> 
> Okay; I think the mentioned clarifying text would help.
> 
> 
> >> §7.1: " Some tools might not be designed to update records in the
> Software
> >> Inventory Evidence Collection in real time,..." Wasn't there a normative
> >> requirement that they be capable of this?
> >
> > A subtle difference: The SWIMA-PC MUST detect changes to the Software
> Inventory Evidence Collection in near real time, but the data sources might
> not update the Software Inventory Evidence Collection in real time. I
> reworded to clarify the difference between the SWIMA-PC reading the
> Evidence Collection and the tool updating the Evidence Collection.
> 
> Okay.
> 
> >
> >> §9: Nit: is there are reasons to violate the convention that IANA, security,
> >> and privacy considerations are the last substantive sections in in the body
> of
> >> an RFC?
> >
> > I'm happy to reorder these - a quick random sample of RFCs seems to
> provide a number of different orderings. I just followed the PA-TNC spec,
> since I had that open most. Just let me know what the expected order is.
> 
> Typically they are the last three “substantive” sections in the main body of an
> RFC, not counting any appendices or “acknowledgements” type sections. I
> don’t think we are consistent in the order among those three.
> 
> Thanks!
> 
> Ben.
> 
> >
> > Thanks a bunch,
> > Charles
> >
> >> -----Original Message-----
> >> From: Ben Campbell [mailto:ben@nostrum.com]
> >> Sent: Wednesday, February 21, 2018 9:10 PM
> >> To: The IESG <iesg@ietf.org>
> >> Cc: draft-ietf-sacm-nea-swima-patnc@ietf.org; sacm@ietf.org; Karen
> >> O'Donoghue <odonoghue@isoc.org>; sacm-chairs@ietf.org;
> >> odonoghue@isoc.org; sacm@ietf.org
> >> Subject: Ben Campbell's Discuss on draft-ietf-sacm-nea-swima-patnc-02:
> >> (with DISCUSS and COMMENT)
> >>
> >> Ben Campbell has entered the following ballot position for
> >> draft-ietf-sacm-nea-swima-patnc-02: Discuss
> >>
> >> When responding, please keep the subject line intact and reply to all
> >> email addresses included in the To and CC lines. (Feel free to cut this
> >> introductory paragraph, however.)
> >>
> >>
> >> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> >> for more information about IESG DISCUSS and COMMENT positions.
> >>
> >>
> >> The document, along with other ballot positions, can be found here:
> >> https://datatracker.ietf.org/doc/draft-ietf-sacm-nea-swima-patnc/
> >>
> >>
> >>
> >> ----------------------------------------------------------------------
> >> DISCUSS:
> >> ----------------------------------------------------------------------
> >>
> >> (This is related to one of Ekr's comments, but I don't think it's quite the
> >> same.)
> >>
> >> In the first paragraph of §7.2, the conclusions seem to be based on the
> >> following sentence:
> >>
> >> "This is generally not considered to be problematic, as
> >>   those with access to the endpoint can usually learn of everything
> >>   disclosed by that endpoint’s records simply by inspecting other parts
> >>   of the endpoint."
> >>
> >> This doesn’t seem like a reasonable assumption. Multiuser endpoints may
> >> well
> >> have access controls that prevent a given user from seeing all software
> >> packages installed on the system. This leads to the conclusion that the
> >> records
> >> on the endpoint are not sensitive. I do not think this document should
> draw
> >> that conclusion. Even if this were provably true for all existing systems,
> such
> >> an assumption could be problematic for future systems.
> >>
> >>
> >> ----------------------------------------------------------------------
> >> COMMENT:
> >> ----------------------------------------------------------------------
> >>
> >> Substantive Comments:
> >>
> >> §2.4: This seems to assume there is never a need to hide information
> from
> >> intermediaries. Is that the intent? (Or maybe there aren't any
> >> intermediaries?)
> >>
> >> §3.4.3,
> >> -- first paragraph: What is the expected scope of uniqueness for record
> >> identifiers? -- In the sentence "The Record Identifier SHOULD remain
> >> unchanged
> >> if that record is modified.", why is the SHOULD not a MUST? What would
> >> happen
> >> if the identifier did change?
> >>
> >> §3.4.4:
> >>
> >> -- "However, if that directory is shared by other software products, the
> >> "location" SHOULD be the location of the primary executable
> >>   associated with the software product."
> >> I'm confused by the the condition, since sharing a directory with other
> >> products doesn't seem to introduce the ambiguity that the rest of the
> >> sentence
> >> assumes. Perhaps this was meant to be about situations where a
> software
> >> package
> >> is installed across multiple directories?
> >>
> >> -- "Even a probable location for a software product is preferable to using a
> >> zero-length locator." This could use elaboration; do you expect the
> collector
> >> to guess?
> >>
> >> §7.1: " Some tools might not be designed to update records in the
> Software
> >> Inventory Evidence Collection in real time,..." Wasn't there a normative
> >> requirement that they be capable of this?
> >>
> >> §8,
> >> -- 2nd paragraph: It’s worth mentioning that in some contexts this sort of
> >> information could expose the user to severe personal risk, including the
> risk
> >> of death. -- Last paragraph: "For this reason, privacy safeguards might be
> >> necessary for collected inventory information." Can this be stated more
> >> strongly than "might be necessary"?
> >>
> >> Editorial Comments and Nits:
> >>
> >> §3.8.5, first paragraph: "As noted in Section 3.6 SWIMA-PCs MUST ..."
> >> Please reserve 2119 keywords for the authoritative statement of a
> >> requirement;
> >> that is, please do not use them to refer to requirements defined
> elsewhere.
> >> (Note that this pattern occurs multiple times in the draft.)
> >>
> >> §9: Nit: is there are reasons to violate the convention that IANA, security,
> >> and privacy considerations are the last substantive sections in in the body
> of
> >> an RFC?
> >>
> >>
> >

v2.23.0 | Report a Bug | By Email