IETF Logo Mail Archive

Re: [Sat] I-D Action: draft-ietf-satp-core-04.txt

Denis Avrilionis <denis@compell.io> Mon, 08 April 2024 13:45 UTC

Return-Path: <denis@compell.io>
X-Original-To: sat@ietfa.amsl.com
Delivered-To: sat@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D76EFC14F69B for <sat@ietfa.amsl.com>; Mon, 8 Apr 2024 06:45:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=compell.io
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L4wnBZAIBGUG for <sat@ietfa.amsl.com>; Mon, 8 Apr 2024 06:45:17 -0700 (PDT)
Received: from mail-lf1-x133.google.com (mail-lf1-x133.google.com [IPv6:2a00:1450:4864:20::133]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 06368C14CEE4 for <sat@ietf.org>; Mon, 8 Apr 2024 06:45:16 -0700 (PDT)
Received: by mail-lf1-x133.google.com with SMTP id 2adb3069b0e04-516d09bd434so4557448e87.1 for <sat@ietf.org>; Mon, 08 Apr 2024 06:45:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=compell.io; s=google; t=1712583914; x=1713188714; darn=ietf.org; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:from:to:cc:subject:date:message-id:reply-to; bh=+lfk03+lQDYtAKY2R/a0FUCdraXn7icpsXQdS3vSZ0s=; b=cqfFmqHfQTKKMNQL722MTb/MHB4sdkbocvHA0XYWhY4Gt7iMmWU6+HcUo9Gi2ZYJeV Zk98r6qZkcFvkbhIftwQiMd60wNR6CWIbR/Lmy5YOZFdKj95hm8Y9RZFoQRntCofp2mB NHQwXeW2uOf4vKWTBS5zmZTdfZU97BYTdUcCf+uqrw85sSk8EI0cpV13tiqZvnPyoaVg ceXqETQ1zU7b0TFRsww42u6Svq0koiTfl36ui2mjwhJ5sf6fAP3T7Rz6VStS9UGCMYT3 ZMyAOuRFvc3s2g16BC9k8SQlymM8aQRTTQ6VNGS6ROZZ2zztWY/X+mCyHpH6gQNYWTOm 1mow==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712583914; x=1713188714; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=+lfk03+lQDYtAKY2R/a0FUCdraXn7icpsXQdS3vSZ0s=; b=Y++lFQD3Tp2FC/ptD5FsiBa45P7ctwy3kX9KFGuy3qvaXGaP/PELYQQjRxu+g8pZUv oEItV0MQUjQSXa9hCfLyZL6c16+ECd4z7fx7RIUCXR9mQHDc59iPjH6RWL9qAdMTrlfV WcwBk64qT4VJZWD08kctZeYYDnBEtv9bpbTRdx0i6ST/5HqSp54SV5nza7jZLMsPlfuo oogSBpadST/88DBqVTpnA553Xn2ZEAOfykaSKSSG2Ga+17U7CYrqoTXngA2vmjYf9BkM Mnou1ei5mVBrV6lR1kZLfbNPAzyl1/37gcaskYYSwaRMiW9DlQ+KzKrMAG/lXf6dncpo YTfw==
X-Gm-Message-State: AOJu0YxVVP1FslDRmQ3X2AIME4GAwpPi+C2wCEJxjYyhXJONdwkUDtoe VLJTPHngyQ+NLMF2D4Z2aGvRSdh7+/gdXnnwx0Pr3tuzxNs+lMAtauZrn9gkuyM62YqavlaA5gt Rozs=
X-Google-Smtp-Source: AGHT+IF7OFzyXipn1UYBtp6wkCbiSBzVJzcpXNCv5m+ZrSk1xJKvLgEvHRAXNhE/hkFdrHnKf1yo6A==
X-Received: by 2002:ac2:4d8a:0:b0:513:e63c:cfe7 with SMTP id g10-20020ac24d8a000000b00513e63ccfe7mr5941671lfe.66.1712583914317; Mon, 08 Apr 2024 06:45:14 -0700 (PDT)
Received: from smtpclient.apple (ppp-2-84-96-177.home.otenet.gr. [2.84.96.177]) by smtp.gmail.com with ESMTPSA id ho9-20020a1709070e8900b00a51a7832a7asm4228911ejc.199.2024.04.08.06.45.13 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 08 Apr 2024 06:45:14 -0700 (PDT)
From: Denis Avrilionis <denis@compell.io>
Message-Id: <DB9D66FB-34C3-4621-B63E-C728CE09A8D7@compell.io>
Content-Type: multipart/alternative; boundary="Apple-Mail=_7F67D17E-6CD1-437B-AA07-F0611B6F460A"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.200.91.1.1\))
Date: Mon, 08 Apr 2024 16:45:02 +0300
In-Reply-To: <b1d77dc5d6d430413770bf0526b178b1@tecnico.ulisboa.pt>
Cc: sat@ietf.org
To: Rafael Belchior <rafael.belchior=40tecnico.ulisboa.pt@dmarc.ietf.org>, Martin Gfeller <mgf=40acm.org@dmarc.ietf.org>
References: <171232704897.42279.16762954778818130945@ietfa.amsl.com> <CAOYrHJMc+uz4YEVvPoe7mgicQwLhWc_L50iUa_vJ=A8TUWLdBw@mail.gmail.com> <b1d77dc5d6d430413770bf0526b178b1@tecnico.ulisboa.pt>
X-Mailer: Apple Mail (2.3774.200.91.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sat/4bHmqEKARbMToVJghFnijFbti3c>
Subject: Re: [Sat] I-D Action: draft-ietf-satp-core-04.txt
X-BeenThere: sat@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "The purpose of this mailing-list is to discuss the secure asset transfer \(SAT\) protocol and related aspects." <sat.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sat>, <mailto:sat-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sat/>
List-Post: <mailto:sat@ietf.org>
List-Help: <mailto:sat-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sat>, <mailto:sat-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Apr 2024 13:45:20 -0000

Dear Rafael, Martin,

See comments inline.


> On 8 Apr 2024, at 16:37, Rafael Belchior <rafael.belchior=40tecnico.ulisboa.pt@dmarc.ietf.org> wrote:
> 
> Dear Martin,
> 
> Thank you a lot for your useful and constructive feedback. I will try my best to address it. Note that, if you wish, you can directly contribute to the draft via a PR in the following repo: https://github.com/ietf-satp/draft-ietf-satp-core
> 
> I'll address the comments inline. To the ones I do not respond to, I agree:
> 
> A 2024-04-07 23:50, Martin Gfeller escreveu:
> 
>> Dear Martin, Thomas, and Rafael
>> 
>> The following notes refer to the Draft of SATP Core (https://datatracker.ietf.org/doc/html/draft-ietf-satp-core-04).
>> 
>> Again, my comments may show my limited understanding or my stumbling over certain wordings.
>>  
>> Kind regards, Martin
>> 
>> General
>> 
>>     Is there any reference to the architecture document, which is important to the
>>     understanding of this document?
>>  
>  
> You are right - we should refer to it as the theoretical foundation of the SATP core draft. I've added an issue: https://github.com/ietf-satp/draft-ietf-satp-core/issues/12
>  
>>  
>> 
>> 
>> 3. Terminology
>> 
>>     Client application: This is the application employed by a user to interact with a gateway.
>> 
>> 
>>         Do we need to say what we want to achieve with the application? Simply interacting 
>>        could mean anything. 
>>         As the introduction mentions only gateways, this is the first time "application" is used.
>>  
>  
> We should make it clearer that the client application implements the end-user business logic (that requires interoperability) and interacts with a gateway via API1.
>  
>> 
>>         
>>     Claim: An assertion made by an Entity [JWT].
>> 
>>         By referencing [JWT], do we prescribe that Claims are encoded as JWTs? 
>>         Either state more explicitly "encoded as JWT", or relax it, as "for example encoded 
>>         as JWT".
>  
> I do not have a strong opinion on this. By enforcing JWTs we are facilitating gateway implementations, as they now do not need to check for JWT (or other) support on Stage 0, but it is instead the canonical format for doing claims.
>  
>> 
>> 
>>     Claim Type:
>> 
>>         Stipulates that JWT above is just one option. Perhaps always have "X type" before "X";
>>          i.e., "claim type" before "claim"
>>         
>>     Network: 
>>         Might be worthwhile to define network.
>>  
>  
> Perhaps we could use ISO WG 307's definition?
>  
>> 
>>     
>>     
>> 4.2 SAT Model
>> 
>>     When do we speak about SAT and when about SATP?
>>     
>>         I think the model is for the protocol, so SATP Model, not SAT Model.
>>     
>>     local gateway
>>     
>>         "local" is understandable, but not actually defined. As the application is defined 
>>          to interact with a gateway, a gateway is always "local" from the perspective of
>>         the application.
>>         
>> 4.7.2 Message Type
>> 
>>     Inconsistent style - drop the  "This is the "
>>     
>> 4.7.3 Digital Asset Identifier
>> 
>>     unique identifier (UUIDv2) that uniquely identifies
>>     
>>         unique, more unique, most unique? :-)
>  
> :-)

I believe UUIDv2 is too restrictive. I would suggest we mention a more technology-neutral formulation, e.g. that digital asset identifiers should be globally unique and let the implementors decide how the digital asset identifiers could be defined

>    
>> 
>>     application of the beneficiary
>>     
>>         This is the first time the application in NW2 is mentioned in an active role - in 
>>         the document above this point, I understood that while the NW2 and GW2 are involved,
>>         the application of the beneficiary is not actively involved.
>>         
>> 4.7.4 Session ID: (delete the ":")
>> 
>>         Was the Context-Id introduced? Yes, but below. Somewhat circular. Same problem
>>         noted in Architecture document.

Same comment as above.  UUIDv2 should be one possible mechanism for global unique identification

>>     
>> 4.7.5 Transfer-Context ID
>> 
>>         Is the "Sequence Number" part of the Transfer-Context ID, or a possible implementation,
>>         or something additional?

I believe the sequence number is part of the Transfer-Context ID. Also same comment as above -  UUIDv2 should be one possible mechanism for global unique identification



>> 
>> 4.7.8.  Payload Hash
>> 
>>         Is the algo to be used intentionally left open?
>>  
>  
> I believe that was the rationale. We could support the ones that NIST recommends, in a practical implementation.
>  
>> 
>> 
>> 4.8  Negotiation of Security Protocols and Parameters
>> 
>>     transfer initiation stage (Stage-0)
>>     
>>         Isn't that Stage-1, according to 4.4?
>>         
>> 7-9: Stages
>> 
>>     Do we need to repeat the use of HTTP GET and POST - until the parenthetical remark 
>>     about the TLS nonce for each Stage?
>>     
>> 10.2
>> 
>>         The purpose The purpose
>>     
>>     Repeated.
>>     
>> 17.2 Informative References
>> 
>>     Wouldn't including references to the SATP Architecture and Use Cases documents be good?
>>    
> Cheers,
>  
> Rafael
>  
>>    
>>     
>> 
>> On Fri, Apr 5, 2024 at 10:24 AM <internet-drafts@ietf.org <mailto:internet-drafts@ietf.org>> wrote:
>> Internet-Draft draft-ietf-satp-core-04.txt is now available. It is a work item
>> of the Secure Asset Transfer Protocol (SATP) WG of the IETF.
>> 
>>    Title:   Secure Asset Transfer Protocol (SATP) Core
>>    Authors: Martin Hargreaves
>>             Thomas Hardjono
>>             Rafael Belchior
>>    Name:    draft-ietf-satp-core-04.txt
>>    Pages:   39
>>    Dates:   2024-04-05
>> 
>> The IETF datatracker status page for this Internet-Draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-satp-core/
>> 
>>  
> 
> --
> -- Rafael Belchior
> 
> Ph.D. student in Computer Science and Engineering, Blockchain - Técnico Lisboa
> https://rafaelapb.github.io/
> https://www.linkedin.com/in/rafaelpbelchior/
> -- 
> sat mailing list
> sat@ietf.org
> https://www.ietf.org/mailman/listinfo/sat

v2.23.0 | Report a Bug | By Email