IETF Logo Mail Archive

Re: [sacm] Warren Kumari's Yes on draft-ietf-sacm-requirements-16: (with COMMENT)

"Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com> Sun, 25 June 2017 23:45 UTC

Return-Path: <ncamwing@cisco.com>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E035712714F; Sun, 25 Jun 2017 16:45:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.522
X-Spam-Level:
X-Spam-Status: No, score=-14.522 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MBBlTcdW_AlP; Sun, 25 Jun 2017 16:45:38 -0700 (PDT)
Received: from alln-iport-2.cisco.com (alln-iport-2.cisco.com [173.37.142.89]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 765FE126D85; Sun, 25 Jun 2017 16:45:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=8438; q=dns/txt; s=iport; t=1498434338; x=1499643938; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=yeUFtUe7n1NwwnwuDqahOZ6arrcLiEo4uysVH2meRtI=; b=PbOaylE2ZElxrfP6cYOFwOZwCUecV+JJzS3NiMGxU4LnY8bjrVozlMuN I9uTp7xwzYaPlKXic2pd6gKqhRrezTY25+2CCTsniLg13DX2THac2TNoS ho5EWyXefpFjvwouaY9M1/lMyg8Jc89E21PFdwigA/vwzN5+o8z9TdNdU o=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0DyAADtSVBZ/51dJa1TAQkaAQEBAQIBAQEBCAEBAQGDKy1igQ0Hg2WKGZJSlQeCESyFeAIagm4/GAECAQEBAQEBAWsohRkGIwQNMwsHEAIBCBIIAiYCAgIwFQIOAgQBDQMCiiwQsU2BbDqLTwEBAQEBAQEBAQEBAQEBAQEBAQEBARgFgQuCHIFig0srgW1YNIQ7BwEKAQgUgxMwgjEFiVOVFgKHMowzggmFSINuhlOVIAEfOH8LdBVJEgGEeR2BZkQyAYZyDheBDIENAQEB
X-IronPort-AV: E=Sophos;i="5.39,392,1493683200"; d="scan'208";a="440630462"
Received: from rcdn-core-6.cisco.com ([173.37.93.157]) by alln-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 25 Jun 2017 23:45:37 +0000
Received: from XCH-RTP-014.cisco.com (xch-rtp-014.cisco.com [64.101.220.154]) by rcdn-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id v5PNjaah030232 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Sun, 25 Jun 2017 23:45:37 GMT
Received: from xch-rtp-015.cisco.com (64.101.220.155) by XCH-RTP-014.cisco.com (64.101.220.154) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Sun, 25 Jun 2017 19:45:36 -0400
Received: from xch-rtp-015.cisco.com ([64.101.220.155]) by XCH-RTP-015.cisco.com ([64.101.220.155]) with mapi id 15.00.1210.000; Sun, 25 Jun 2017 19:45:36 -0400
From: "Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com>
To: Warren Kumari <warren@kumari.net>, The IESG <iesg@ietf.org>
CC: "draft-ietf-sacm-requirements@ietf.org" <draft-ietf-sacm-requirements@ietf.org>, Karen O'Donoghue <odonoghue@isoc.org>, "sacm-chairs@ietf.org" <sacm-chairs@ietf.org>, "sacm@ietf.org" <sacm@ietf.org>
Thread-Topic: Warren Kumari's Yes on draft-ietf-sacm-requirements-16: (with COMMENT)
Thread-Index: AQHS6qwHS/u65OrSIkitlLFNcki/xqI2EqKA
Date: Sun, 25 Jun 2017 23:45:36 +0000
Message-ID: <BF4A9E2A-3A46-49EC-8AEA-1A31AF9D381B@cisco.com>
References: <149806277017.15559.6264125955174335967.idtracker@ietfa.amsl.com>
In-Reply-To: <149806277017.15559.6264125955174335967.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.1a.0.160910
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.86.253.68]
Content-Type: text/plain; charset="utf-8"
Content-ID: <BC01A96EC0494B43BA0937EE91534F33@emea.cisco.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/51YiifgwVX9mJJdEKjLlsh7asLk>
Subject: Re: [sacm] Warren Kumari's Yes on draft-ietf-sacm-requirements-16: (with COMMENT)
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 25 Jun 2017 23:45:41 -0000

Thanks for the review and comments.  Please see further comments below:

On 6/21/17, 9:32 AM, "Warren Kumari" <warren@kumari.net> wrote:

    Warren Kumari has entered the following ballot position for
    draft-ietf-sacm-requirements-16: Yes
    
    When responding, please keep the subject line intact and reply to all
    email addresses included in the To and CC lines. (Feel free to cut this
    introductory paragraph, however.)
    
    
    Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
    for more information about IESG DISCUSS and COMMENT positions.
    
    
    The document, along with other ballot positions, can be found here:
    https://datatracker.ietf.org/doc/draft-ietf-sacm-requirements/
    
    
    
    ----------------------------------------------------------------------
    COMMENT:
    ----------------------------------------------------------------------
    
    I spent a while trying to figure out how to ballot on this - I personally see
    value in requirements, use-cases and similar (informational) documents - they
    help newcomers to the technology understand how and why it is shaped as it is.
    This document is also (kind of) mentioned in the charter ("A document or
    documents describing the SACM Architecture. This will include protocol
    requirements and their associated use cases as well as a description ..." , and
    so I've decided on Yes
    
    However, there are still some comments / nits which should be addressed,
    including:
    
    Abstract:
    "The requirements and scope are based on the agreed upon use cases." -- what
    use cases / agreed upon by whom? (Missing ref).
[NCW] The use cases are now in RFC 7632 and its reference has been added.
    
    1. Introduction
    "Today’s environment of rapidly-evolving security threats highlights the need
    to automate the sharing of security information (such as posture information)
    while protecting user information as well as the systems that store, process,
    and transmit this information." - "... user information as well as the systems"
    -> "user information and the systems" ? Not sure if this is better....
[NCW] Yes, it helps and I’ve made the change in the next revision.
    
    2.  Requirements
    I got somewhat lost in "A SACM transport protocol is one that runs on top of L3
    protocols such as TCP/IP or L4 protocols such as HTTP, carries operations
    (requests / responses), and moves data." - perhaps "A SACM transport protocol
    is one that runs on top of L3 protocols (such as TCP/IP) or L4 protocols (such
    as HTTP), carries operations (requests / responses), and moves data."
[NCW] I’ve change L3 and L4 to be “transport layer” and “Internet layer” as suggested by Carsten.
    
    3: "With the information model defining assets and attributes to facilitate the
    guidance, collection, and assessment of posture, these are some of the tasks
    that should be considered:" - the "With" and "these" feel unrelated. I'm not
    really sure how they are supposed to tie together, so I cannot suggest text.
[NCW] I’ve changed “these are some of the tasks that should be considered” to read
“tasks that should be considered include”.  Hopefully it ties them as tasks to facilitate the 
workflow for “collection”, “guidance” etc…

    
    G-001
    "2.  The query language MUST allow for general inquiries, as well as expression
    of specific attributes or relationships between attributes to follow; the
    retrieval of specific information ..." -- I don't really understand the "to
    follow"; can it be struck?
[NCW] Yes, thanks for catching it….
    
    G-002
    "Interoperability: The data models, protocols, and transports  must be
    specified with enough details to ensure interoperability." -- I really don't
    understand the point of saying this - are you expecting that if you *didn't*
    say this that people would intentionally create models without enough detail?
    Is this just a "motherhood and apple pie" statement?
[NCW] Yes!  There were a couple of proposals that didn’t provide enough specificity
so the WG asked for this requirement to be included.
    
     G-006
    "Mechanisms for this protection are unspecified but should include industry
    best practices such as encrypted storage, encrypted transports, data checksums,
    etc. " -- the list of best practices seems harmful;  if you provide a list
    people will implicitly assume it is exhaustive, and industry best practices
    change over time. Also, what is a "data checksum"? I'm assuming you mean
    something "cryptographic checksums" or "secure hash" - a data checksum implies
    something like a simple CRC. I'd suggest just dropping the "such as..." list.
[NCW] Done.
    
    IM-004
    "Data Model Identification: The information model MUST provide a means to
    uniquely identify each data model uniquely." - you really really want this to
    be unique, don't you :-P
[NCW] LoL….2nd uniquely is removed
    
    5.2.  Privacy Considerations
    "In addition to identity and SACM capabilities information disclosure, the use
    of time stamps or other attributes that can be used as identifiers especially
    as they are coupled with an identity can be further used to determine a target
    endpoint or user’s behavioral patterns." -- this sentence could use some work.
    I agree with what it is trying to say, but it is long and confusing. Perhaps:
    "In addition to identity and SACM capabilities information disclosure, the use
    of time stamps (or other attributes that can be used as identifiers) could be
    further used to determine a target endpoint or user’s behavioral patterns." --
    I *think* that that maintains the meaning, but is clearer.
[NCW] Yes, thanks for the improvement.
    
    "Data confidentiality can provide some level of privacy but may fall short
    where unecessary data is still transmitted." - "unnecessary" (typo)
[NCW] Fixed.

v2.23.0 | Report a Bug | By Email