Re: [sacm] Ben Campbell's Discuss on draft-ietf-sacm-nea-swima-patnc-02: (with DISCUSS and COMMENT)
Ben Campbell <ben@nostrum.com> Sun, 11 March 2018 05:50 UTC
From: Ben Campbell <ben@nostrum.com>
In-Reply-To: <DM5PR0901MB23755EB4BED4577A50AAE755ABDC0@DM5PR0901MB2375.namprd09.prod.outlook.com>
Date: Sat, 10 Mar 2018 23:49:57 -0600
Cc: "draft-ietf-sacm-nea-swima-patnc@ietf.org" <draft-ietf-sacm-nea-swima-patnc@ietf.org>, "sacm-chairs@ietf.org" <sacm-chairs@ietf.org>, The IESG <iesg@ietf.org>, Karen O'Donoghue <odonoghue@isoc.org>, "sacm@ietf.org" <sacm@ietf.org>
Message-Id: <AEE72A56-77D4-4F70-80D1-656B943D4F81@nostrum.com>
References: <151926897179.21101.1205735756502467820.idtracker@ietfa.amsl.com> <DM5PR0901MB2375564B76246A1DA5FCE4A7ABC30@DM5PR0901MB2375.namprd09.prod.outlook.com> <080CB857-150E-450C-B685-8A10FA0D3984@nostrum.com> <DM5PR0901MB23759238C98C5F9E82AB5D7CABD90@DM5PR0901MB2375.namprd09.prod.outlook.com> <4D1185F9-AE0F-4CDB-AEE9-2FD7248977AE@nostrum.com> <DM5PR0901MB23755EB4BED4577A50AAE755ABDC0@DM5PR0901MB2375.namprd09.prod.outlook.com>
To: "Schmidt, Charles M." <cmschmidt@mitre.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/q5ccfHvbw-amQSDflRHQcF5V3rw>
Hi Charles,

That sounds like a perfectly good plan.

Thanks!

Ben.

> On Mar 10, 2018, at 10:27 PM, Schmidt, Charles M. <cmschmidt@mitre.org> wrote:
>
> Hi Ben,
>
> Thank you for the clarification. I'm following you now.
>
> I agree that I misused "end-to-end" in the description of this requirement. "Confidentiality" would be a better section name. I'm sure the RFC editor will have some additional fixes for me to do, and I'll make the switch in the next draft.
>
> Thanks,
> Charles
>
>> -----Original Message-----
>> From: sacm [mailto:sacm-bounces@ietf.org] On Behalf Of Ben Campbell
>> Sent: Friday, March 09, 2018 4:22 PM
>> To: Schmidt, Charles M. <cmschmidt@mitre.org>
>> Cc: draft-ietf-sacm-nea-swima-patnc@ietf.org; sacm-chairs@ietf.org; The IESG <iesg@ietf.org>; Karen O'Donoghue <odonoghue@isoc.org>; sacm@ietf.org
>> Subject: Re: [sacm] Ben Campbell's Discuss on draft-ietf-sacm-nea-swima-patnc-02: (with DISCUSS and COMMENT)
>>
>> Thanks for the response. I still have a point of confusion, inline. Also, keep in mind that I have cleared my DISCUSS; this is a non-blocking comment and you are welcome to handle it however you please.
>>
>> Ben.
>>
>>> On Mar 5, 2018, at 7:11 PM, Schmidt, Charles M. <cmschmidt@mitre.org> wrote:
>>>
>>> Hi Ben,
>>>
>>> Thank you for the follow-up. I made some additional modifications (-04 draft) that I hope address your remaining comments.
>>>
>>> Regarding your nit, I moved the Relationship to Other Specifications before the Security Considerations. The last sections are now the three you note.
>>>
>>> Regarding your comment on 2.4:
>>>
>>>>>> §2.4: This seems to assume there is never a need to hide information from intermediaries. Is that the intent? (Or maybe there aren't any intermediaries?)
>>>>>
>>>>> This is not the intent. NEA has multiple parts and the intent is to clarify that the SWIMA part isn't the part dealing with data confidentiality. The portion that handles confidentiality is the PT layer of the NEA architecture. (PT-TLS and PT-EAP) All I'm trying to do is emphasize that, if confidentiality is an issue, make sure your NEA architecture is set up to support that.
>>>>
>>>> I think what is confusing me is the "title" of the non-requirement is "End to End confidentiality". I admit to not knowing the sacm work well enough to know what the "ends" are, but am I correct to assume that PT-TLS, like most uses of TLS, is hop-by-hop? Does the data ever cross more than one hop? Is the answer the same for PT-EAP?
>>>
>>> Re-reading this section, I agree that the section was confusing. I renamed the section to "Non-SWIMA Requirements" (and renamed the preceding section to "SWIMA Requirements"). Hopefully this clarifies that the specification is not talking about what is and is not required, but simply which requirements need to be addressed by SWIMA and which requirements need to be addressed by other standards.
>>>
>>> I also changed the text as follows:
>>>
>>> There are certain capabilities that users of the SWIMA specification might require but which are beyond the scope of SWIMA itself and need to be addressed by other standards. This list is not exhaustive.
>>>
>>> End to End Confidentiality: The SWIMA specification does not define a mechanism for confidentiality, nor is confidentiality automatically provided by using the PA-TNC interface. In the NEA architecture, confidentiality is generally provided by the underlying transport protocols, such as the PT Binding to TLS [RFC6876] or PT-EAP Posture Transport for Tunneled EAP Methods [RFC7171] - see Section 7 for more information on related standards. The information conveyed by SWIMA is often sensitive in nature for both security (Section 8) and privacy (Section 9) reasons. Those who implement SWIMA need to ensure that appropriate NEA transport mechanisms are employed to meet confidentiality requirements.
>>>
>>> Hopefully that makes things clearer. To more directly answer your question, PT-TLS is just TLS with some minor added constraints to fit with the NEA architecture. Likewise, PT-EAP is basically just EAP. SWIMA should be agnostic as to whether or not there are hops in the transmission and delegate all responsibility for maintaining confidentiality across any hops to the PT protocol in question. Does this help?
>>
>> I'm still a bit confused; let me try to come at it from another angle:
>>
>> The paragraph is labeled "End-to-End Confidentiality". The text delegates this to transport protocol, and gives PT-TLS and PT-EAP as examples. In the specific case of TLS: TLS does not normally offer "end-to-end" confidentiality, rather it's hop-by-hop. If there are intermediaries, TLS does not prevent them from seeing the data. Now, there are exceptions (e.g. HTTPS proxies). And of course, if there are no intermediaries, then hop-by-hop becomes a trivial case of end-to-end.
>>
>> So I guess what I am asking is why TLS is listed as an example transport in a paragraph about end-to-end confidentiality? Perhaps the paragraph is just about confidentiality in general? Or there are other aspects of the architecture that make TLS effectively end-to-end?
>>
>>>
>>> Thanks again for the clarifications. Hopefully the new draft (-04) will address those remaining concerns.
>>>
>>> Charles
>>>
>>>> -----Original Message-----
>>>> From: sacm [mailto:sacm-bounces@ietf.org] On Behalf Of Ben Campbell
>>>> Sent: Thursday, March 01, 2018 9:19 PM
>>>> To: Schmidt, Charles M. <cmschmidt@mitre.org>
>>>> Cc: sacm-chairs@ietf.org; Karen O'Donoghue <odonoghue@isoc.org>; The IESG <iesg@ietf.org>; sacm@ietf.org; draft-ietf-sacm-nea-swima-patnc@ietf.org
>>>> Subject: Re: [sacm] Ben Campbell's Discuss on draft-ietf-sacm-nea-swima-patnc-02: (with DISCUSS and COMMENT)
>>>>
>>>>> On Feb 24, 2018, at 1:01 AM, Schmidt, Charles M. <cmschmidt@mitre.org> wrote:
>>>>>
>>>>> Hello,
>>>>>
>>>>> Thanks a bunch for your feedback. In general I agree with your comments and made changes to address them. Some quick clarifications:
>>>>>
>>>>>> §2.4: This seems to assume there is never a need to hide information from intermediaries. Is that the intent? (Or maybe there aren't any intermediaries?)
>>>>>
>>>>> This is not the intent. NEA has multiple parts and the intent is to clarify that the SWIMA part isn't the part dealing with data confidentiality. The portion that handles confidentiality is the PT layer of the NEA architecture. (PT-TLS and PT-EAP) All I'm trying to do is emphasize that, if confidentiality is an issue, make sure your NEA architecture is set up to support that.
>>>>
>>>> I think what is confusing me is the "title" of the non-requirement is "End to End confidentiality". I admit to not knowing the sacm work well enough to know what the "ends" are, but am I correct to assume that PT-TLS, like most uses of TLS, is hop-by-hop? Does the data ever cross more than one hop? Is the answer the same for PT-EAP?
>>>>
>>>>>> §3.4.3,
>>>>>> -- first paragraph: What is the expected scope of uniqueness for record identifiers?
>>>>>> -- In the sentence "The Record Identifier SHOULD remain unchanged if that record is modified.", why is the SHOULD not a MUST? What would happen if the identifier did change?
>>>>>
>>>>> It is SHOULD rather than MUST because, under some tracking conditions it might not be possible to distinguish between a record being modified and a record being deleted and a new record being created. Will add clarifying text to this effect. If the system thinks that a modification is actually a delete/create action, it would be treated as such with a new record identifier being assigned to the "created" record.
>>>>
>>>> Okay; I think the mentioned clarifying text would help.
>>>>
>>>>>> §7.1: " Some tools might not be designed to update records in the Software Inventory Evidence Collection in real time,..." Wasn't there a normative requirement that they be capable of this?
>>>>>
>>>>> A subtle difference: The SWIMA-PC MUST detect changes to the Software Inventory Evidence Collection in near real time, but the data sources might not update the Software Inventory Evidence Collection in real time. I reworded to clarify the difference between the SWIMA-PC reading the Evidence Collection and the tool updating the Evidence Collection.
>>>>
>>>> Okay.
>>>>
>>>>>> §9: Nit: are there reasons to violate the convention that IANA, security, and privacy considerations are the last substantive sections in the body of an RFC?
>>>>>
>>>>> I'm happy to reorder these - a quick random sample of RFCs seems to provide a number of different orderings. I just followed the PA-TNC spec, since I had that open most. Just let me know what the expected order is.
>>>>
>>>> Typically they are the last three "substantive" sections in the main body of an RFC, not counting any appendices or "acknowledgements" type sections. I don't think we are consistent in the order among those three.
>>>>
>>>> Thanks!
>>>>
>>>> Ben.
>>>>
>>>>> Thanks a bunch,
>>>>> Charles
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Ben Campbell [mailto:ben@nostrum.com]
>>>>>> Sent: Wednesday, February 21, 2018 9:10 PM
>>>>>> To: The IESG <iesg@ietf.org>
>>>>>> Cc: draft-ietf-sacm-nea-swima-patnc@ietf.org; sacm@ietf.org; Karen O'Donoghue <odonoghue@isoc.org>; sacm-chairs@ietf.org; odonoghue@isoc.org; sacm@ietf.org
>>>>>> Subject: Ben Campbell's Discuss on draft-ietf-sacm-nea-swima-patnc-02: (with DISCUSS and COMMENT)
>>>>>>
>>>>>> Ben Campbell has entered the following ballot position for draft-ietf-sacm-nea-swima-patnc-02: Discuss
>>>>>>
>>>>>> When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)
>>>>>>
>>>>>> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions.
>>>>>>
>>>>>> The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-sacm-nea-swima-patnc/
>>>>>>
>>>>>> ----------------------------------------------------------------------
>>>>>> DISCUSS:
>>>>>> ----------------------------------------------------------------------
>>>>>>
>>>>>> (This is related to one of Ekr's comments, but I don't think it's quite the same.)
>>>>>>
>>>>>> In the first paragraph of §7.2, the conclusions seem to be based on the following sentence:
>>>>>>
>>>>>> "This is generally not considered to be problematic, as those with access to the endpoint can usually learn of everything disclosed by that endpoint's records simply by inspecting other parts of the endpoint."
>>>>>>
>>>>>> This doesn't seem like a reasonable assumption. Multiuser endpoints may well have access controls that prevent a given user from seeing all software packages installed on the system. This leads to the conclusion that the records on the endpoint are not sensitive. I do not think this document should draw that conclusion. Even if this were provably true for all existing systems, such an assumption could be problematic for future systems.
>>>>>>
>>>>>> ----------------------------------------------------------------------
>>>>>> COMMENT:
>>>>>> ----------------------------------------------------------------------
>>>>>>
>>>>>> Substantive Comments:
>>>>>>
>>>>>> §2.4: This seems to assume there is never a need to hide information from intermediaries. Is that the intent? (Or maybe there aren't any intermediaries?)
>>>>>>
>>>>>> §3.4.3,
>>>>>> -- first paragraph: What is the expected scope of uniqueness for record identifiers?
>>>>>> -- In the sentence "The Record Identifier SHOULD remain unchanged if that record is modified.", why is the SHOULD not a MUST? What would happen if the identifier did change?
>>>>>>
>>>>>> §3.4.4:
>>>>>>
>>>>>> -- "However, if that directory is shared by other software products, the "location" SHOULD be the location of the primary executable associated with the software product." I'm confused by the condition, since sharing a directory with other products doesn't seem to introduce the ambiguity that the rest of the sentence assumes. Perhaps this was meant to be about situations where a software package is installed across multiple directories?
>>>>>>
>>>>>> -- "Even a probable location for a software product is preferable to using a zero-length locator." This could use elaboration; do you expect the collector to guess?
>>>>>>
>>>>>> §7.1: " Some tools might not be designed to update records in the Software Inventory Evidence Collection in real time,..." Wasn't there a normative requirement that they be capable of this?
>>>>>>
>>>>>> §8,
>>>>>> -- 2nd paragraph: It's worth mentioning that in some contexts this sort of information could expose the user to severe personal risk, including the risk of death.
>>>>>> -- Last paragraph: "For this reason, privacy safeguards might be necessary for collected inventory information." Can this be stated more strongly than "might be necessary"?
>>>>>>
>>>>>> Editorial Comments and Nits:
>>>>>>
>>>>>> §3.8.5, first paragraph: "As noted in Section 3.6 SWIMA-PCs MUST ..." Please reserve 2119 keywords for the authoritative statement of a requirement; that is, please do not use them to refer to requirements defined elsewhere. (Note that this pattern occurs multiple times in the draft.)
>>>>>>
>>>>>> §9: Nit: are there reasons to violate the convention that IANA, security, and privacy considerations are the last substantive sections in the body of an RFC?
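Charles's explanation in the thread above of why the Record Identifier is a SHOULD rather than a MUST, as an added example constructed for this page (not code from the draft or from either participant): a toy SWIMA-PC record tracker keeps the identifier when its data source reports a modification as such, but has to hand out a new one when it only sees before/after snapshots with no stable per-record key, so the modification is indistinguishable from a delete plus a create. The names Tracker, Record, example-app and the content-matching rule for snapshots are assumptions of this illustration.

```python
from dataclasses import dataclass, field
from itertools import count
# Constructed illustration (not code from the draft): a toy SWIMA-PC view of the
# Software Inventory Evidence Collection, showing why a Record Identifier can only
# SHOULD, not MUST, survive a modification: that needs a source that reports one.

@dataclass
class Record:
    record_id: int
    software_id: str  # hypothetical per-product identifier
    version: str

@dataclass
class Tracker:
    _ids: count = field(default_factory=lambda: count(1))
    records: dict = field(default_factory=dict)  # record_id -> Record

    # Event-driven data source: the tool tells the SWIMA-PC what happened.
    def on_create(self, software_id, version):
        rid = next(self._ids)
        self.records[rid] = Record(rid, software_id, version)
        return rid

    def on_modify(self, rid, version):
        self.records[rid].version = version  # reported as a modify: identifier kept
        return rid

    def on_delete(self, rid):
        del self.records[rid]

    # Snapshot-only data source: the SWIMA-PC sees just the new state. Assumed
    # here: the source exposes no stable per-record key, so records can only be
    # matched on content, and a changed record is indistinguishable from a
    # delete followed by a create. It therefore receives a new identifier.
    def resync(self, snapshot):
        current = {(r.software_id, r.version): rid for rid, r in self.records.items()}
        for key, rid in current.items():
            if key not in snapshot:
                self.on_delete(rid)
        for key in sorted(snapshot - set(current)):
            self.on_create(*key)

def upgrade_with_events():
    # Upgrade 1.0 -> 1.1 reported as a modify event: the identifier is stable.
    t = Tracker()
    rid = t.on_create("example-app", "1.0")
    return rid, t.on_modify(rid, "1.1")

def upgrade_with_snapshots():
    # The same upgrade observed only through snapshots: the identifier changes.
    t = Tracker()
    rid = t.on_create("example-app", "1.0")
    t.resync({("example-app", "1.1")})
    return rid, next(iter(t.records))
```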