Re: [scim] Comments for draft-ietf-scim-cursor-pagination-04
Paul L <paul.lanzi@gmail.com> Mon, 15 April 2024 15:52 UTC
Return-Path: <paul.lanzi@gmail.com>
X-Original-To: scim@ietfa.amsl.com
Delivered-To: scim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0691EC14F69E; Mon, 15 Apr 2024 08:52:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.094
X-Spam-Level:
X-Spam-Status: No, score=-7.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vW9fD1JZ3oSU; Mon, 15 Apr 2024 08:52:27 -0700 (PDT)
Received: from mail-oi1-x229.google.com (mail-oi1-x229.google.com [IPv6:2607:f8b0:4864:20::229]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2467CC14F6B3; Mon, 15 Apr 2024 08:52:27 -0700 (PDT)
Received: by mail-oi1-x229.google.com with SMTP id 5614622812f47-3c7165170eeso146895b6e.1; Mon, 15 Apr 2024 08:52:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1713196346; x=1713801146; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=B89aMZF7qY6i5mzxMA+NowYQacYVtOZlvMbwL/OR2VM=; b=cuHh+akqHrlcO2Wg2MHdTreBZHmgAJDzSYtgT5uJczFmnzBQV/pwjqwSCdiYMyGZzb pN6Y4o7LxIrLe+uzmgDtP/UE1Tu1gQqG8ecXFi04O5ndQZHjLKiBrqUKk8Wi/AkcEu1G CZ45tkTLrQF24EXQAb86VUsRLEgvo0P5ZG6Tez3ZctR8gkAFqF/1bXM/SZPtMOSvtfp8 yD1Spb0sGhjv5/rdiYWo74z6JRDB0qNsVb+kvMQUVgqUF+n9HW5d6JcnbeQFyyOq9k4i GViBFq7y2wDFMrHFYLaO22j5b8esyyCWA0MLMEZ5PN0Xz9KAAw9nr3NHOccWxN0D3Oq0 5iKw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713196346; x=1713801146; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=B89aMZF7qY6i5mzxMA+NowYQacYVtOZlvMbwL/OR2VM=; b=tIjEbYi9es05r58gKCkXUD/pmFiU2G0ekKny9G4Huukmph7Ml6/4doq8HqWZwrEN02 4bU/pA4iW03TcHrpwU2B2qJVOPBc8ZIRL2o+fEj1tCoKLqhOvpr7o4g/5Zx4T+PUZFyO 6kw9WzIzgZlK+1SoUt8Jk3dJxMFminHQD2zRdmDgxVVJoctrSTzTZeBahfliQGy4gS7c 8K9fz8R5GxmXb3o+V0zo6HGJ7QdhqJwXN9pi0voseMt/tGWFx1oeep7Px6DAOINbvWdx fHszjPngKAZIvsG20Kr27E0ouaF/6cTCs49Ybtj/ynyLam+7JWL+2OE21PR+THGihhGE cs6Q==
X-Forwarded-Encrypted: i=1; AJvYcCXVWBpPE68PpfCyEvQc4VnvhC+YKz7bTD4bDofM6qoSkId//6c6k3x/2cgl3R2leUM8KsCyi1oq2VVvoFMOfe4Zddkb4zHzsaCXFfxRic0ryO7JcUnbNzGj59BoVN0oadIdmA==
X-Gm-Message-State: AOJu0Yxpkai8y2RyO13sRjP7t74eZCuRLf0woMxLmMrfG4zLcopyHRdp fN4lfNOWD1hq9Ll2wosQPId4SL/vAmg9J8B8UKEaX3SHKmDmvElDtath2PahXMGMALvr6Q/S5D2 PvBYOiC+wz2pOtbL3O59HP+VhlME=
X-Google-Smtp-Source: AGHT+IFQfmT7WQYkQildqoLWOOtYsYD4p5dMd8SkYVp1Wxp5l9b9LPs+8f1jS5plOGUsHe1VykEUlEJN7FNYJ2zbfCg=
X-Received: by 2002:a05:6870:d108:b0:21e:df09:fbb6 with SMTP id e8-20020a056870d10800b0021edf09fbb6mr13132901oac.41.1713196346243; Mon, 15 Apr 2024 08:52:26 -0700 (PDT)
MIME-Version: 1.0
References: <PH7PR11MB760786FC5AB9527E0F1D6925D62A2@PH7PR11MB7607.namprd11.prod.outlook.com>
In-Reply-To: <PH7PR11MB760786FC5AB9527E0F1D6925D62A2@PH7PR11MB7607.namprd11.prod.outlook.com>
From: Paul L <paul.lanzi@gmail.com>
Date: Mon, 15 Apr 2024 08:52:14 -0700
Message-ID: <CAFVcPhAWyvr6q8+K8fJ0ewq-RdjZ1Cz4+nvWDOxmSsf2Axth+Q@mail.gmail.com>
To: "Nancy Cam-Winget (ncamwing)" <ncamwing=40cisco.com@dmarc.ietf.org>
Cc: SCIM WG <scim@ietf.org>, "draft-ietf-scim-cursor-pagination.authors@ietf.org" <draft-ietf-scim-cursor-pagination.authors@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a606330616249bcb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/6lKKzyIS4geMXXOSiE8ygs7Zc0c>
Subject: Re: [scim] Comments for draft-ietf-scim-cursor-pagination-04
X-BeenThere: scim@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scim>, <mailto:scim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scim/>
List-Post: <mailto:scim@ietf.org>
List-Help: <mailto:scim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scim>, <mailto:scim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Apr 2024 15:53:48 -0000
Hi Nancy -- I authored the Security Considerations section of the draft so will be happy to address those questions: * Section 5: it would be good to mention that this draft is under the same > Security and privacy considerations of those described in RFC 7644. Sure, Anjali has added this in her most recent PR: https://github.com/ietf-scim-wg/draft-ietf-scim-cursor-pagination/pull/12/commits Which we worked on approving this morning. * Section 5.1 is a nice overview, however guidance to this document’s > affects > Should be described. That is….I am not sure this document has in scope to > Provide guarantees of the authenticity nor the entitlements of the > entities > Acting as either clients or Service Providers. My suggestion is to either > remove > This or provide a note that implementers but provide guards against source > Depletion or DOS attacks. Sure, Danny, Anjali and I had several good discussions about this. Ultimately we decided to defer to this guidance from the IETF Wiki on Sec Dir <https://wiki.ietf.org/group/sec/typicalSECareaissues>: *"This document introduces no new security considerations [on top of the base protocol spec]" is rarely true. They may not be substantially different from existing ones or significant given the broader context, but that doesn't mean we can skip discussing them.* Thus our preference is to keep section 5.1 present and intact as-is. We feel that the considerations we wrote up in section 5 *are* those that are most relevant to the new (cursor based pagination) functionality introduced in this draft; we did not try to address the broader security considerations of 7644 as those do definitely belong in 7644. If there are any If there is other IETF guidance we should be looking at, let us know and we can incorporate that into the draft. If there are specific considerations we listed that you feel aren't relevant to cursor-based pagination, let us know which those are and we can reconsider those. > Section 5.2/5.3: why should this be different than what is > called/described in RFC 7644? As above, the SECDIR guidance seems to point towards encouraging discussions about the additive considerations over and above the base spec. In this case, a well-meaning but not-security-aware implmentor might choose to support cursor-based pagination by, for instance, making a static copy of a data result set and letting the requestor page through it. This would, then, not reflect changes in the requestor's permissions -- thus we noted that authorization checks MUST be continuously applied. We do feel that this and the other considerations in 5.1/5.2 are valuable elements for implementors to be made aware of and are considerations that go beyond those in the base spec's section 7 <https://datatracker.ietf.org/doc/html/rfc7644#section-7> -- but again, let us know if there are specific considerations we listed that you don't feel are specific to cursor-based pagination. Thanks, --Paul On Tue, Mar 12, 2024 at 5:31 PM Nancy Cam-Winget (ncamwing) <ncamwing= 40cisco.com@dmarc.ietf.org> wrote: > Hi! > > > > I’ve read version -04 of the Cursor Pagination draft and have the > following feedback: > > > > *General comments* > > * I do not see any of the “should” as “SHOULD” though in some of the > reading > > Perhaps there are instances in which they are perhaps requirements and > should be capitalized. > > Simli > > * Section 2.4 “…method as-is will not impact”, this statement implies > that > > any implementation that adds cursor-based pagination support not impact > > existing clients but that is based on implementation, my recommendation > > is to make the “will” to a “should”. > > > > * Section 4: in trying to be complete with the descriptions, > > It would be good to include descriptions of: what happens if the > pagination > > configuration omits the one of the two values e.g. “cursor” or “index”, > should > > That result in an error? And obviously (but better to make explicit) that > it > > Is a misconfiguration to have both be false. Lastly, the absence of this > > Configuration setting means only index is supported. > > What does it mean for both to be supported? How could a client use > > Both index and cursor pagination? Is it, that the cursor is “reset” from > cursor > > By the use of startIndex (for example?) or is the intent that a client > only use > > One or the other? > > > > * Section 5: it would be good to mention that this draft is under the same > > Security and privacy considerations of those described in RFC 7644. > > > > * Section 5.1 is a nice overview, however guidance to this document’s > affects > > Should be described. That is….I am not sure this document has in scope to > > Provide guarantees of the authenticity nor the entitlements of the > entities > > Acting as either clients or Service Providers. My suggestion is to either > remove > > This or provide a note that implementers but provide guards against source > > Depletion or DOS attacks. > > > > Section 5.2/5.3: why should this be different than what is > called/described in RFC 7644? > > > > *Editorial Nits* > > * Section 2.1 “…other error condition” should read “….other error > conditions” > > > > Let me know if you have any questions on the above. Otherwise, I would > like to see > > Another revision as well as feedback from Barry, Roni and Julien to ensure > their comments > > Are also addressed. > > > > Thanks, Nancy > > > _______________________________________________ > scim mailing list > scim@ietf.org > https://www.ietf.org/mailman/listinfo/scim >
- [scim] Comments for draft-ietf-scim-cursor-pagina… Nancy Cam-Winget (ncamwing)
- Re: [scim] Comments for draft-ietf-scim-cursor-pa… Paul L