IETF Logo Mail Archive

Re: [secdir] SECDIR review of draft-mahesh-etsi-urn-03

Chris Lonvick <lonvick.ietf@gmail.com> Fri, 27 July 2018 20:08 UTC

Return-Path: <lonvick.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B33C130DF5; Fri, 27 Jul 2018 13:08:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.999
X-Spam-Level:
X-Spam-Status: No, score=-0.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5OmjHuhWhgg8; Fri, 27 Jul 2018 13:08:29 -0700 (PDT)
Received: from mail-yw0-x243.google.com (mail-yw0-x243.google.com [IPv6:2607:f8b0:4002:c05::243]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 839F9130DD1; Fri, 27 Jul 2018 13:08:29 -0700 (PDT)
Received: by mail-yw0-x243.google.com with SMTP id r3-v6so2305031ywc.5; Fri, 27 Jul 2018 13:08:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to; bh=zEidKHiD3+AOhvHPnOPhjTKodHucx018M16DkgP1BlA=; b=u6kwajy5YYulUJ6wJ+ULy7SlcMZvn0ym/n/q3r9/eDy+xCfauLf4ijfTn5PktbsiY+ fN62PsfBqu7F4DXQ8F+IZGiuncgATeQAoyR+FlH6nBaB3EGXqcTIadS0aCC61UDcXrL3 mUYtlEpUHy7BG9E9SklAgPJcHsCBIIcIV4ctJ3wOkbcJsO9nnGo+F3nNfcHad9ebQv+S H+/h/tgT01k2XM/mePWPFBBX64KWi1Sv2IpPdHv6WqYyAK41EN57fTV3pijgfTDGxj0m Uo6YrV5lpWxIq//nMp9aVWXneAUPAIAINgyCxzdpVG1sXkKrMOvrae4m7MozYLkc8PTO u/dw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to; bh=zEidKHiD3+AOhvHPnOPhjTKodHucx018M16DkgP1BlA=; b=Mdfj9uFH+zMTzI9jmxTJ4oLVppAftndVOSoVYUyI3jWBxZZtVpKibzzd2GOM77U/73 UPEQoVa/EkjPxKrYnIQzgW4Z7ZmOqK6+f8LjgcBemdhmRNfEJSNAsg45iXcDoxFA3Vf9 WdVFdfv2eHcBWl8vCc22m35kup3eWnatcScF/6guSn3oeNLpnVFKeWR0Ny5zFpwJ4Y4v 5ZGGcvdwEX+qGR2qKxhepq8raaklL5CU7aY6wEm57FXZ7Ffy44HJ/iF91PaPV18HHXQF 8IhepAu2GmfbCF3QTPLv0xWfKLulHxJBxNxR3n8jvQ7hCSKpQI5CycrjuggVTdYKr11v Jb4A==
X-Gm-Message-State: AOUpUlHLEGbap6COuLtpSPxhsa3VN2nWRDWsqhF4dDm8Rp5Xz7ygh6q3 kvi5wHwp5e5589FR6CCTjcG3V5Np
X-Google-Smtp-Source: AAOMgpduvGS4j6XKtxG034rBHKAiC4p1ekkbT4vk2U6OZC3vS163+10JLmIMbkJ9KtBTgS5RdaiazQ==
X-Received: by 2002:a0d:c5c7:: with SMTP id h190-v6mr4244958ywd.421.1532722108567; Fri, 27 Jul 2018 13:08:28 -0700 (PDT)
Received: from Chriss-Air.attlocal.net ([2600:1700:12b0:adf0:d163:50a4:667c:87fa]) by smtp.googlemail.com with ESMTPSA id x69-v6sm3117108ywx.105.2018.07.27.13.08.27 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 27 Jul 2018 13:08:28 -0700 (PDT)
To: Mahesh Jethanandani <mjethanandani@gmail.com>
References: <5B567AA3.1010902@gmail.com> <52B57BE1-B92E-42C2-8F7F-815A7658A903@gmail.com>
Cc: "secdir@ietf.org" <secdir@ietf.org>, The IESG <iesg@ietf.org>, draft-mahesh-etsi-urn.all@ietf.org
From: Chris Lonvick <lonvick.ietf@gmail.com>
Message-ID: <5B5B7BBC.6080208@gmail.com>
Date: Fri, 27 Jul 2018 15:08:28 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:38.0) Gecko/20100101 Thunderbird/38.7.2
MIME-Version: 1.0
In-Reply-To: <52B57BE1-B92E-42C2-8F7F-815A7658A903@gmail.com>
Content-Type: multipart/alternative; boundary="------------020006030909040503090702"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/1evjPPJB98jAaQSwBu-R0D0A83Y>
Subject: Re: [secdir] SECDIR review of draft-mahesh-etsi-urn-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Jul 2018 20:08:32 -0000

Hi Mahesh,

Thanks for setting me straight. The edits you propose look good to me.

Best regards,
Chris

On 7/24/18 4:37 PM, Mahesh Jethanandani wrote:
> Hi Chris,
>
>> On Jul 23, 2018, at 6:02 PM, Chris Lonvick <lonvick.ietf@gmail.com 
>> <mailto:lonvick.ietf@gmail.com>> wrote:
>>
>> Hi,
>>
>> I have reviewed this document as part of the security directorate's 
>> ongoing effort to review all IETF documents being processed by the 
>> IESG. These comments were written primarily for the benefit of the 
>> security area directors. Document editors and WG chairs should treat 
>> these comments just like any other last call comments.
>>
>> The summary of the review is Ready with Issues.
>>
>> I am not that familiar with creating and maintaining URNs so please 
>> set me straight and move on if I'm off base here.
>>
>> Section 2, "URN Specification for ETSI" contains the following:
>>
>> "ETSI will manage resource classes using the "etsi" NID and will be 
>> the authority for managing resources and associated subsequent 
>> strings. ETSI will guarantee the uniqueness of the strings 
>> themselves, or it may permit secondary responsibility for certain 
>> defined resources."
>>
>> But then says:
>>
>> "ETSI may allow for use of experimental type values for testing 
>> purposes only. Note that using experimental types may create 
>> collision as multiple users may use the same values for different 
>> resources and specific strings."
>>
>> It looks like RFC 8141 gives guidance that experimental use of URN 
>> namespaces is to be done using RFC 6963 (URNs for "Examples".) RFC 
>> 8184 does not address establishing or using namespaces under the 
>> subsequent strings for experimental use, but I could see that the 
>> registered owner of the namespace could make a designation for that 
>> purpose. That being said, I think that the two statements above are 
>> in conflict in the document and should be clarified.
>
> Not necessarily.
>
> RFC6963 says that there are three types of namespaces, formal, 
> informal and experimental. What this draft is requesting for is the 
> formal namespace. The RFC also says that experimental namespaces are 
> by definition unregistered. That there is no issuing authority for 
> experimental URNs. The owner of the NID therefore is not required to 
> keep track of experimental namespaces.
>
>>
>> Perhaps it would be better to reconstruct the second paragraph to say 
>> something like:
>>
>> "ETSI may allow for use of experimental type values for testing 
>> purposes only. Some experimentation may be controlled by ETSI within 
>> a subsequent string to ensure that there will be no namespace 
>> collisions among participants. Other experimentation may be 
>> controlled within a secondary namespace that may allow collisions, 
>> but this experimental use will be constrained. All other 
>> experimentation must follow the guidance set forth in RFC 6963.”
>
> How about this?
>
> OLD:
>
> ETSI may allow for use of experimental type values for testing 
> purposes only. Note that using experimental types may create collision 
> as multiple users may use the same values for different resources and 
> specific strings.
>
> NEW:
>
> ETSI may allow for use of experimental type values for testing 
> purposes only. Note that using experimental types may create collision 
> as multiple users may use the same values for different resources and 
> specific strings. All experimentation must follow the guidance set 
> forth in RFC 6963.
>
>>
>> Just as a nit, the Security Considerations section should be revised 
>> as it seems to be a bit unclear.
>> Current:
>>     There are no additional security considerations other than those
>>     described above, and are normally associated with the use and
>>     resolution of URNs in general, which are described in Function
>>     Requirements for URN [RFC1737 <https://tools.ietf.org/html/rfc1737>], Uniform Resource Names (URNs)
>>     [RFC8141 <https://tools.ietf.org/html/rfc8141>].
>>
>> Suggested:
>>     There are no additional security considerations other than those
>>     described above, and_those_  normally associated with the use and
>>     resolution of URNs in general._These a__re generally_  described in Function_al_
>>     Requirements for_Uniform Resource Names_  [RFC1737 <https://tools.ietf.org/html/rfc1737>],_and_  Uniform Resource Names (URNs)
>>     [RFC8141 <https://tools.ietf.org/html/rfc8141>].
> Ok.
> Thanks.
>> Best regards, Chris 
> Mahesh Jethanandani
> mjethanandani@gmail.com <mailto:mjethanandani@gmail.com>

v2.23.0 | Report a Bug | By Email