[SCITT] Re: draft-ietf-scitt-scrapi-09 ietf last call Secdir review
Jonathan Geater <jonathan@bowball-tech.com> Mon, 27 April 2026 19:31 UTC
To: Alexey Melnikov <aamelnikov@fastmail.fm>, "secdir@ietf.org" <secdir@ietf.org>
CC: "draft-ietf-scitt-scrapi.all@ietf.org" <draft-ietf-scitt-scrapi.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "scitt@ietf.org" <scitt@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scitt/vCvGZTYmYE9PXx3DCKcjYfBr5tE>
Hi Alexey,

Thank you for your careful review of the document. However I think this nit is already addressed. You say:

"It only follows if the client maintains state about Signed Statements it submitted."

And the draft on the line immediately below says:

"However, this relies on clients actively checking for Receipts and does not prevent the disruption itself"

Now, I appreciate there's a subtle difference in these 2 things, especially if one considers outages at inconvenient times or clients that submit many asynchronous requests, but in all practical senses the warning is already there: you have to actively ensure you get a satisfactory result from the request you submitted. You can't just fire and forget. I'm not sure whether the added detail of keeping the necessary state in order to make these active checks is necessary, is it? If you have a suggestion for a qualitative improvement we'd look at adopting it, but I'm just not sure if there's actually anything to add.

Thanks,
Jon

On 22/04/2026, 18:14, "Alexey Melnikov via Datatracker" <noreply@ietf.org> wrote:

> Document: draft-ietf-scitt-scrapi
> Title: SCITT Reference APIs
> Reviewer: Alexey Melnikov
> Review result: Has Nits
>
> I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.
>
> I was the originally assigned SecDir reviewer who missed the deadline, so Valery Smyslov provided a good SecDir review. I read -09 and also checked changes between -08 and -09 which addressed most of Valery's comments. I think the latest version has improved on Security Considerations. I have only a small thing on the latest version.
>
> Section on the Denial of Service attacks (4.4.1.1) now has the following text:
>
> > The impact of DoS attacks can be detected by a client checking that the Transparency Service has registered any submitted Signed Statement and returned a Receipt.
>
> I agree so far.
>
> > Since verification of Receipts does not require the involvement of the Transparency Service,
>
> If you mean that clients can verify digital signatures on Receipts, I agree.
>
> > a DoS attack cannot cause the silent loss of a registration.
>
> I am not entirely sure this follows. It only follows if the client maintains state about Signed Statements it submitted. Is it worth clarifying?
>
> > However, this relies on clients actively checking for Receipts and does not prevent the disruption itself.
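The point both messages circle around is that a client can only notice a silently dropped registration if it remembers what it submitted and later checks that a Receipt arrived for each item. The following is an added example, not code from draft-ietf-scitt-scrapi or from any SCITT implementation, showing that bookkeeping in Python: the Receipt structure and the HMAC-based `receipt_is_valid` check are constructed stand-ins for a real COSE Receipt and its signature verification, and `ts_issue_receipt` stands in for the Transparency Service; the tracker itself, the deadline and the sample Signed Statements are all assumptions made for the demonstration.

```python
"""Client-side state for detecting silently lost registrations.

Added example, not code from draft-ietf-scitt-scrapi or any SCITT project.
The Receipt dict and the HMAC "signature" are constructed stand-ins for a
COSE Receipt and its offline signature check. The bookkeeping is the point:
without a record of what was submitted, a missing Receipt is invisible.
"""
import hashlib
import hmac

# Constructed stand-in for the Transparency Service's receipt signing key.
TS_KEY = b"constructed-demo-key"


def statement_id(signed_statement: bytes) -> str:
    # The hash of the submitted Signed Statement is the client's lookup key.
    return hashlib.sha256(signed_statement).hexdigest()


def ts_issue_receipt(signed_statement: bytes) -> dict:
    # Stand-in for the Transparency Service: a Receipt bound to the statement hash.
    sid = statement_id(signed_statement)
    tag = hmac.new(TS_KEY, sid.encode(), hashlib.sha256).hexdigest()
    return {"statement_id": sid, "sig": tag}


def receipt_is_valid(receipt: dict) -> bool:
    # Offline check: verifying a Receipt needs no round trip to the Service.
    expected = hmac.new(TS_KEY, receipt["statement_id"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, receipt["sig"])


class RegistrationTracker:
    """Per-submission state: what was sent, and which items have a valid Receipt."""

    def __init__(self, receipt_deadline_s: float):
        self.deadline = receipt_deadline_s
        self.pending = {}      # statement_id -> submission time
        self.registered = {}   # statement_id -> accepted Receipt

    def submitted(self, signed_statement: bytes, now: float) -> str:
        # Record the submission before any response arrives; a dropped request
        # then shows up as an entry that never leaves `pending`.
        sid = statement_id(signed_statement)
        self.pending.setdefault(sid, now)
        return sid

    def receipt_received(self, receipt: dict) -> bool:
        sid = receipt.get("statement_id")
        # A Receipt for something this client never submitted says nothing
        # about its own registrations, so it cannot clear any pending entry.
        if sid not in self.pending and sid not in self.registered:
            return False
        if not receipt_is_valid(receipt):
            return False
        if sid in self.pending:
            del self.pending[sid]
            self.registered[sid] = receipt
        return True

    def overdue(self, now: float) -> list:
        # Submissions with no accepted Receipt after the deadline: the
        # candidates for a lost registration that should be re-checked.
        return sorted(sid for sid, t in self.pending.items() if now - t > self.deadline)


def demo() -> dict:
    tracker = RegistrationTracker(receipt_deadline_s=60)
    a = b"constructed signed statement A"
    b = b"constructed signed statement B"
    tracker.submitted(a, now=0)
    sid_b = tracker.submitted(b, now=5)
    # Only A's registration completes; B's request is dropped during an outage.
    ok_a = tracker.receipt_received(ts_issue_receipt(a))
    # A Receipt with a bad signature is not accepted.
    bad = ts_issue_receipt(b)
    bad["sig"] = "0" * 64
    ok_bad = tracker.receipt_received(bad)
    # A Receipt for a statement this client never submitted is ignored.
    ok_unknown = tracker.receipt_received(ts_issue_receipt(b"never submitted"))
    return {
        "ok_a": ok_a,
        "ok_bad": ok_bad,
        "ok_unknown": ok_unknown,
        "overdue_at_30s": tracker.overdue(now=30),
        "overdue_at_120s": tracker.overdue(now=120),
        "sid_b": sid_b,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the behaviour the reviewer describes: at 30 seconds nothing is overdue yet, but at 120 seconds statement B is reported as pending with no Receipt, which the client could never have noticed had it not kept `pending` in the first place. Rejecting Receipts for unknown or badly signed statements matters for the same reason: only a valid Receipt for a recorded submission may clear an entry, otherwise the check could be satisfied by something other than the registration it was meant to confirm.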