Re: [secdir] Secdir last call review of draft-ietf-regext-epp-eai-12
"Gould, James" <jgould@verisign.com> Tue, 26 July 2022 16:59 UTC
Return-Path: <jgould@verisign.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B88CC14CF03; Tue, 26 Jul 2022 09:59:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Cs_p6gTq6KbA; Tue, 26 Jul 2022 09:58:55 -0700 (PDT)
Received: from mail3.verisign.com (mail3.verisign.com [72.13.63.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6D70CC16ECB6; Tue, 26 Jul 2022 09:58:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=6364; q=dns/txt; s=VRSN; t=1658854737; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=1W6ezUhVoVxu3xVB+ynDigYjqLHBmEfu1OTAfizRaiU=; b=V2djY+PNOnv9khRUItBSurCFGA3ujQ1GvNvlLEieq4j7vbp/Xra4wXrt p2dWMkgFj/iZ+OmMuyXuSn7i5GsO/LLGxDMNKPtyAWpSdFt9FB4tWRtwc l8lUMqYgX8WqVUeF2ZTlMk8kUhMVyIzudSCIW/nlxXZoCSoxaIrVIDH6J jlvrX7HjOy0NL9lcJA53Jonvf9f4jkuiga6lfRe4PvUF0OiuAfE3WeMQU oT90uYp8pDtWKOGSAShTVvnsqpsrRgnpULHx5iSejoJzmyojPxWxD9oaE b4BPrm8m4AaUZjhzhxaOjZnVyYlOCvhk91to7vSPJjdLXy7vId7NpFHfH g==;
IronPort-Data: A9a23:XmlWnq4s+92UNIUXQe0HgwxRtC3GchMFZxGqfqrLsTDasY5as4F+v mUYWGyOPvaIa2b2L9h0b4Wz80NQ6peGzN9hGlFury42Eysa+MHIO4+Ufxz6V8+wwm8vb2o8t plDNYOQRCwQZiWBzvt4GuG59RGQ7UwML1bFILas1hpZHGeIcw98z0M48wIFqtQw24LhXFnT4 YqaT/D3YzdJ5RYlagr41Ire8HuDjNyq0N/PlgVjDRzjlAa2e0g9VPrzF4noR5fLatA88tqBe gr25OrRElXxpE5xV4z/wt4XRWVRKlLaFVDmZnN+BfD+0kAazsA4+v5T2PE0MS+7h9gV9jzYJ RokWZGYEG8U0qPwdOs1VhN/DD9BG4d/3OX4cSCgodWhl1/0Si65qxluJBle0Yww0NxRWF5o2 MxAcXYTZReZn6S/zPSlUPJqwM8kKaEHPqtG4jc5kmqfVKt9B8yTK0nJzYYwMDMYhM9JAPLST 9QUczt0bRvGJRZIPz/7Dbpnwrv32SWvLlW0rnqRuo4a20zP8jdf3eTrOcrtcf63S+tsyxPwS mXuuj6R7gshHNiYzySE+XHqh+LTkwv0XYsTEPuz8fsCqEaezWASEjUXWEe15/6jhSaWV8hWJ VBR+ycyo+0o+UOmXsW4UgWg5XONv1gVX954EuAm5keK0KW8ywKQHXRBRTdFbPQnudM4Azsw2 Tehhd7mCCxzmLyYVXzb8a2bxQ5eIgAfN2lbeikJXVNcpsL9usc2jwmKRNElGrSz15vrAyr2h TuNqUDSmokusCLC7I3jlXivvt5mjsGhotIdjukPYl+Y0w==
IronPort-HdrOrdr: A9a23:ioTPgKjIVZ5hKUc/OY10DRAUdXBQXgcji2hC6mlwRA09TyX+rb HKoB17726XtN9/YhEdcLy7VpVoIkmyyXcd2+B4AV7IZniEhILHFuBfxLqn7THmFzb36+JRkY xxGpITNPTASXx3l9zz7gX9MdoxqePszImYwcPT1W1kQw0vUbxn9AsRMGumO1d7XxZLHqA0E5 eg5s5KzgDKRUgq
X-IronPort-AV: E=Sophos;i="5.93,194,1654560000"; d="scan'208";a="16477485"
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2375.28; Tue, 26 Jul 2022 12:58:49 -0400
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([10.173.153.48]) by BRN1WNEX01.vcorp.ad.vrsn.com ([10.173.153.48]) with mapi id 15.01.2375.028; Tue, 26 Jul 2022 12:58:49 -0400
From: "Gould, James" <jgould@verisign.com>
To: "lonvick.ietf@gmail.com" <lonvick.ietf@gmail.com>, "secdir@ietf.org" <secdir@ietf.org>
CC: "draft-ietf-regext-epp-eai.all@ietf.org" <draft-ietf-regext-epp-eai.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "regext@ietf.org" <regext@ietf.org>
Thread-Topic: Re: Secdir last call review of draft-ietf-regext-epp-eai-12
Thread-Index: AQHYfzsxEbZCQlxp4EGIp08L8psB0a2RI3wA
Date: Tue, 26 Jul 2022 16:58:49 +0000
Message-ID: <CDE1349F-BE23-4484-B5D9-724DC793E958@verisign.com>
References: <91052E99-9C78-4D96-83E7-F9B47D3B3182@verisign.com>
In-Reply-To: <91052E99-9C78-4D96-83E7-F9B47D3B3182@verisign.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.62.22061100
x-originating-ip: [10.170.148.18]
Content-Type: text/plain; charset="utf-8"
Content-ID: <25D5CFDEBD5283429BE2405BD85FA309@verisign.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/LJu1I22VFNrFegzPp8nRclG67hE>
Subject: Re: [secdir] Secdir last call review of draft-ietf-regext-epp-eai-12
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Jul 2022 16:59:00 -0000
Chris, Based on the feedback that you provided, we did add the proposed language below to the security considerations section of draft-ietf-regext-epp-eai-13: When the EAI functional extension is negotiated by both the client and the server, the client and server obligations defined in Section 5.3.1 MUST be satisfied. If the obligations are not satisfied by either the client or server, the EAI address may be mishandled in processing or storage and be unusable. If this addresses your feedback, can you clear the SECDIR "Has Issues" status, or let us know what else needs to be addressed? Thanks, -- JG James Gould Fellow Engineer jgould@Verisign.com <applewebdata://13890C55-AAE8-4BF3-A6CE-B4BA42740803/jgould@Verisign.com> 703-948-3271 12061 Bluemont Way Reston, VA 20190 Verisign.com <http://verisigninc.com/> On 6/13/22, 11:35 AM, "Gould, James" <jgould@verisign.com> wrote: Chris, Thank you for the review, feedback, and recommended text. You mention an interesting use case of a client or server that signals the support EAI, but that can't meet the obligations defined in section 5.3.1 "EAI Functional Extension Negotiated". The negotiation is handled when the EPP session is established via the list of services provided by the server in the greeting and the client in the login command. In EPP there is no functional capability to not accept the service URI at the time of EPP session establishment based on determining compliance with a service / extension obligation. For EAI, the negotiated services will imply the normative language in section 5.3.2 "EAI Functional Extension Negotiated" for the server and the client, respectively. We could add the following to the security considerations section to cover the risk of negotiating EAI support without fully complying with the obligations defined in section 5.3.1: When the EAI functional extension is negotiated by both the client and the server, the client and server obligations defined in Section 5.3.1 MUST be satisfied. If the obligations are not satisfied by either the client or server, the EAI address may be mishandled in processing or storage and be unusable. Any thoughts on the language is appreciated. Thanks, -- JG James Gould Fellow Engineer jgould@Verisign.com <applewebdata://13890C55-AAE8-4BF3-A6CE-B4BA42740803/jgould@Verisign.com> 703-948-3271 12061 Bluemont Way Reston, VA 20190 Verisign.com <http://secure-web.cisco.com/175AUUsbJVaoxOezz1lqoGtSJG2fku7o0Lg9ShgFtnC4wowW2VYMrmIqsxvdw93PUXc2zhu3Qf0z8or4QFqBqV1mTbQMn9lQnbIOAVMsXaB1uY4hTJABd3GehICkvskowKXshb5UzeTUstLXIGspyEsa0X6-Tx3uhSauMW2UVMuMhcZSFxqATxnzJeBBNJ7EXOc99PT8z9_eFVgLD81xEbKtqiBqwX6PeIRQUx8qZCVCNK9JzfpLNjQjii2fyx5TI/http%3A%2F%2Fverisigninc.com%2F> On 6/12/22, 8:48 PM, "Chris Lonvick via Datatracker" <noreply@ietf.org> wrote: Reviewer: Chris Lonvick Review result: Has Issues Hello, I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. The summary of the review is that it has issues. The document is well written and the Security Considerations seems appropriate. However, there is insufficient guidance given regarding when the EAI functional extension is negotiated, but when the server cannot satisfy the required obligations. The specification says that when the client and server negotiate the EAI functional specification that, "implies the possibility to process the EAI address". The draft needs to specify what happens if the client and server negotiate the EAI functional extension, but when the server cannot fulfill its obligations to provide the required information, or when the client cannot process the received information. This may be easily fixed by saying in the specification that the server will only accept the negotiation if it can (MUST) provide the required information specified in section 5.3.1 and that the client can (MUST) accept and act upon that received information. The specification should also go on to say what MUST happen if those conditions are not met. Best regards, Chris
- [secdir] Secdir last call review of draft-ietf-re… Chris Lonvick via Datatracker
- Re: [secdir] Secdir last call review of draft-iet… Gould, James
- Re: [secdir] Secdir last call review of draft-iet… Gould, James
- Re: [secdir] Secdir last call review of draft-iet… Gould, James