[secdir] Re: [Last-Call] Secdir last call review of draft-ietf-asdf-sdf-18
"Smith, Ned" <ned.smith@intel.com> Tue, 28 May 2024 20:10 UTC
Return-Path: <ned.smith@intel.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B38FAC14F6E3; Tue, 28 May 2024 13:10:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.095
X-Spam-Level:
X-Spam-Status: No, score=-7.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=intel.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZMANobYmSo7b; Tue, 28 May 2024 13:10:17 -0700 (PDT)
Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 133C2C14CF1F; Tue, 28 May 2024 13:10:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1716927018; x=1748463018; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=baPhTMkkiSjel8+uiZflTYfV6AF0CnjlxiE70/4DSjQ=; b=JXQGlSwZmW2EqsVBX9wnInNSlVymCMelizUR0jUYfUdC1msnWerwvBo2 SqI4564gZJE5RZytny1s425g3O4JYWT4K9xOjyTfOPakIJ+GarQt8ukR/ dKjNlrynwds41/mGKTA3ZDReQcXeBclC6jsrv4Bjig9dosrYm7c9//tgN 2th48xFebE6O8mG1m1/Zeb7G9um5K2b4a2IfqTXNk8BLdOjkX2PMgXgYE 4Qh9NDw76CTMDMd31t5JwyPobHrofkA68Ut6BNdF3U7owN3AwN4l09xHb 2TfgQfLBcpCiv9WX0MZJcF3vnjQx1W3Ak8H/rbVtD0Ut42ijClEIXVCpX g==;
X-CSE-ConnectionGUID: SyG/rU0hR86i6VB7YPqYoQ==
X-CSE-MsgGUID: 5ghGtIf8Q52dVFDpMrUYBg==
X-IronPort-AV: E=McAfee;i="6600,9927,11085"; a="13148879"
X-IronPort-AV: E=Sophos;i="6.08,196,1712646000"; d="scan'208,217";a="13148879"
Received: from orviesa007.jf.intel.com ([10.64.159.147]) by orvoesa111.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 28 May 2024 13:10:17 -0700
X-CSE-ConnectionGUID: ZZmIjYQfT+uR3M8NkJzk4Q==
X-CSE-MsgGUID: lGC9m5hjQN+Wop2z8BIBaA==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="6.08,196,1712646000"; d="scan'208,217";a="35797130"
Received: from fmsmsx603.amr.corp.intel.com ([10.18.126.83]) by orviesa007.jf.intel.com with ESMTP/TLS/AES256-GCM-SHA384; 28 May 2024 13:10:17 -0700
Received: from fmsmsx612.amr.corp.intel.com (10.18.126.92) by fmsmsx603.amr.corp.intel.com (10.18.126.83) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.39; Tue, 28 May 2024 13:10:15 -0700
Received: from fmsmsx610.amr.corp.intel.com (10.18.126.90) by fmsmsx612.amr.corp.intel.com (10.18.126.92) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.39; Tue, 28 May 2024 13:10:15 -0700
Received: from fmsedg602.ED.cps.intel.com (10.1.192.136) by fmsmsx610.amr.corp.intel.com (10.18.126.90) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.39 via Frontend Transport; Tue, 28 May 2024 13:10:15 -0700
Received: from NAM11-BN8-obe.outbound.protection.outlook.com (104.47.58.168) by edgegateway.intel.com (192.55.55.71) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.39; Tue, 28 May 2024 13:10:15 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=mYVu4SU9MEFHPjCo3xuHfLkNK0fpnu5n/bfCayXqEaQgIlFvOznvrzo5Vk/0PNBr1qyYfmhj9umPlB5RL/4+m0Tw2IHCo/btXpb9xx4PS6akdH7EHr0C9vRDLxiOYTBMz5uNPT+N72GAa/IpYa2W5hLtzmc/JeDTDByigVJajXuYVVBXY90o8/uRG+pFWQ7wjCMjWLPkTpB/CtRx6/smIl4wIwEMR1ANwyQX4IHfWvxyUU0NdzETxjHetBc90iZYj3mhr7Qnor0cXB3h3BViB8gARIKENJ2hydslaY7wAU9DFPNqcg8sTOgwWXp881fSJqIBaU0HTTejns9gmhJqbA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=ZZrV7FwBsTMLy30bqXEbZ0dx7a8Gmiagp7KhLfSKVxw=; b=nU9gOQZUnungx8nniOhKOLnQQ9AYXccbRsfM7XcR/h2gKRQ0ZZZYqJiv2yYIgDjppRxtkr5eXnyT0pkrLxeVfguAZ10o6AjX7y9ox+xH2SmQfe/OdoV6eOxfqyG8QaynFkzZBNhEHVW13GDkDZvNwpJyGrqx1fCMUffycTV2AHuxS0qI4fHtFvhHAMxaU1PQrPun64B4knErMpg1CJD/ySjss8oN+KLsrACG6RNrEHrkXF8u40gdLrYOsS0qzkPDcNNVCQKyR2Pl2FmSxmfujnXBM6ocDXhJfAAhvHAnQDImAf5PxvyB6Sk33ocFnklqZVROmbUa5tIcInr3VKXruw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none
Received: from CO1PR11MB5169.namprd11.prod.outlook.com (2603:10b6:303:95::19) by CYYPR11MB8388.namprd11.prod.outlook.com (2603:10b6:930:c2::6) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7611.30; Tue, 28 May 2024 20:10:13 +0000
Received: from CO1PR11MB5169.namprd11.prod.outlook.com ([fe80::9bf0:5425:d055:42b7]) by CO1PR11MB5169.namprd11.prod.outlook.com ([fe80::9bf0:5425:d055:42b7%4]) with mapi id 15.20.7611.030; Tue, 28 May 2024 20:10:13 +0000
From: "Smith, Ned" <ned.smith@intel.com>
To: Carsten Bormann <cabo@tzi.org>
Thread-Topic: [secdir] [Last-Call] Secdir last call review of draft-ietf-asdf-sdf-18
Thread-Index: AQHasTda4m3WoDSfjUKk9BXt0HLStLGtE1yM
Date: Tue, 28 May 2024 20:10:12 +0000
Message-ID: <CO1PR11MB51692C3D107C2AB0187AF20FE5F12@CO1PR11MB5169.namprd11.prod.outlook.com>
References: <171687277928.58506.15548370459995846366@ietfa.amsl.com> <FAFF4355-359E-4436-BAE5-9CFB206ED70C@tzi.org> <CO1PR11MB5169BDBCDC98FFB6A501E71EE5F12@CO1PR11MB5169.namprd11.prod.outlook.com> <2BD9168C-498D-4EA3-89F8-FFEBE061B106@tzi.org>
In-Reply-To: <2BD9168C-498D-4EA3-89F8-FFEBE061B106@tzi.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=intel.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: CO1PR11MB5169:EE_|CYYPR11MB8388:EE_
x-ms-office365-filtering-correlation-id: d229fa97-7cf8-4389-f193-08dc7f522ee1
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230031|376005|366007|1800799015|38070700009;
x-microsoft-antispam-message-info: aKTo73yFz1V/1KAxsusgovX8l0cpHUvglxE3itNqBw/p7cPm14s7KF2wbclIuTTgzDJ2FDmrtFgxoRx69ReF3E+fLsylvSbumCgWwUZViawGhPwGnst9nSmvG670jtsE6EUowiBkDfjmVJnY63OfQDQlxJGNTuDpV2yPqtjMf/wBq/WI+kGGOAHChUtI8bJ6WprNQ3Wg4PPA2xaz7dM3bOPL6XvK6fg8d6dCQRKLgoMf+g6WPSxoQQvMBusRzYLaFjdm8KndF2/Zj10gz4+LEbCTZTPeAFosY794ybMee3HoT8vEamqVNo095d7UVhhuWWJkRXjL50OtyZJ6cGT3rN4GUu9J872kG276vhmAizHg0Wt/+8wGihS/3hgDJIYt9eESGVtxgtq+lirwJ1U+jBQvTCStT7n/7YNQ2CUu9IdAm3cQn0gXImtLQj74jGeTisLD3p7ZzWgLT/JVkU44pIlQYMIg4fnfxtzDep9XrPK5PgE7bueLWvMK1e1oKDvvjzxBBLmGOK3B2yJwGtjy003IO+eVAdkpQcPQLCe0XFD5YV9HBplV0hmRuT1Jw+09t8qjVfLv48LCGu+FyVkgeYpi8fVVlF7BMTgdb7hUCUjCrAJmuD5PjCbY3/Bm2Q4VmpsIL12rlg6T+tnEp0ZoVEmGX831R+y2BaOt5f0lGvgDZIgs5/Pr9QOhcni27pnVIJrZmrDvsLauhXSajuHbrSu4dfYn5qbKiBJ5QJTh9K1JFPJdPZn1SJZRPHXT/5Z9uPFvg3mVH2pxiRWtzQhC83i0HIhzL2YQ6OOP2GAh0BaIB7QIXCVpESKOaAgUDD6EGk8Xtj38AlbVFEPe7x+itdRTk2srU4XWavZU24wuDDi/guBPIO0Cz0dghBgaj8QkZ9Zj7F99jUpmvSFA/eYiWsJAVq0Moa4cm6Yo9EeESjleX5OnWfRO2QYU/I7bbWfBLEIiRXnlXhPULtwSBweVjKFgfr21WDZiYVLNaIg7ullYqVMk5hpHMMrugUhgx4GEFv+CBvsKCd3i7x5lNCnTDxIhhd7LyADI/I26YWTqct5k0yVV2E1QYq2uc3Mcp6RDpWWHWgruioLJoc9R1WuUDPSroiAIqNyl6WrxT3Sq50QYiIlrovlEVD0dZSwfHFAoG0w/yK5JBGWoTO0ZWDe3zYva6LLyqgD0X2vE66I0wIQXRoIMr8vX87OXz82lv+yohsyVMwTIqI3hK0Sw2svAFxO8bsdEsLk/0xxQ8qER0dWWfhwkiZfs6Dx18fCU4wVoxD/qWc4RxhF04xrtCRemYw==
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:CO1PR11MB5169.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230031)(376005)(366007)(1800799015)(38070700009);DIR:OUT;SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: j+EKF78Vt8M80K6hN4nko8Nk6clKWw6IwXZGGsrn/m7HmOB+Z2yKNMHyML/SYukrnEUdfUI6sVFzzB1HRjBUD8vSg/fM1a0SdOQ95HpdNzMAjB/VuvGk2ImLuTM4CXZu1kmSPrM9tqZ0XIsue+J0BQ1z8gA81P+ThbhqBYTgFypVKIqML7ngBB0XkwrJwdPBVcyu/GNq+/2P7W+pYINEjf9n75/f1FSOhjEYb7O2IvHHhHpEiWI0RH7AxTshf7FCWjUPWd8kutCTPN3jsikZBCZoJZflVycFn5K6h2uCyx+YAA75tN45uYOiCNaQ4qu/+im2MNLXb6KxlKjReCbrX5dFx6NPwHCUB4atGCkpmkvXdcp2EQg9JEb0ROlFsCvUXggWSGowZ4lUfC3L2uqmkbVvBUuJx3dne6jb26z1qBYwJ5pZD9HhIUakTsUDJ06sx/lAP1MtMJrhyuUwUhjwG8lJPjA5+UvJmLkUjRK6JCu9V4MEEXy1pJ9tCt6MA6IWuOrKl8W7y19lONhbeTh54Gfu/NDL9eJkm165MGUphDASN3wFCn3qrDu3sDHexMhU6GJ57FKXWS3MSo3UN35xdg4+bVTJv9pGZXTLb33zlrPesf8QSJZImUgFh8+Mvlf9hjYMxL8ncDoM0rSkDtQFswFDstNcVRPxJsA476MCuZBcJnE5rtN3zS1zlIro9oRNjz3iS03mfeWgkHZ4cscDwFG/Hon25aadmDYzfscK08fF9HPyWWxm0p2D/kWQTkufvZ1GUvzZcoIZLO9kvYcujoAxVIX+ZXMJT32klVv+e/nhzSi3TfttmFpnAPgf8ip3ZR2TDrYbSdxlKAVNBD426iooNeLLQMI634z7zkl/wQclvQJIH6r7u4+JqhwgVhiPp144+IRHcRgspbXTE5gUi9P6RGpkzWaMWcYTaB5xSdeXCpgCgg5F4fhuG7dE0TvHtRFRRzvJgRnjk5if3l63TXqVAjEfJA0KRi5Hsje63+81T1aSloxW/YtV8/f3oCLRBaH8RCucVnwTb+EDDH2MchPJx3DYexjLxJnBLoR+0po4PRRPzDE4pyCls4FzRLMFoR2HDu1YAflV30LBQ8dSGccUurk0rqEb8565anTSh9+jIc6ZB65bhjtRKzb/twPbF2Im4pap1o55T58W4JcnxhM/2KDI8/oGGqzuDa3YSg4/BXl3le6CHDJbEaBLvMmhO90BWT8xs87Agx4f+B8v2Ibq/xGopLISgbF37MBzqxsj7K/9AFkfnP+HDjJwRC/DcDJHuNaGCROHUkRbpqHuaRe8MCpUEnAvOpUZefIm0LtV0RkQdrJ4FvTllCsfNg0Wm5XlY7d0fMIK6bvy5LVQiCFXMaQvYMNt46gKokdmZxU65c/DMndorMnbWNwkK+jnQGOqP5zD/MlnOMlLO4k6BkE/Yqsa8OrCcpKyvRAjfYawgUa2YHTBmreHBkc4ERamyQ+1h/46TrVkzmJLSMuguS3icWVHzZ5XjEVEPXVcFq/yHXe9u+xdMZqvKbAQ7fdqYpje+r473hjjfiUrXgN5LoiZava9+brxxm+8QZNmcOrmFeUD4Wln3DO4WuloE/+BAXfNgaI7sIiw+ejmWjG8kA==
Content-Type: multipart/alternative; boundary="_000_CO1PR11MB51692C3D107C2AB0187AF20FE5F12CO1PR11MB5169namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CO1PR11MB5169.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: d229fa97-7cf8-4389-f193-08dc7f522ee1
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 May 2024 20:10:12.9777 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 0sYWsfEMAkrk1OnkzujSL7UGTGD9f6rOa3Rr53qIqHWz9JuTwt3Erely1BMzYVWZb75lhofmaZyScMh4suYNXA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CYYPR11MB8388
X-OriginatorOrg: intel.com
Message-ID-Hash: XV5ATUAZTCOPFXG6ULKUYFVGBWEYKOIJ
X-Message-ID-Hash: XV5ATUAZTCOPFXG6ULKUYFVGBWEYKOIJ
X-MailFrom: ned.smith@intel.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-secdir.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "secdir@ietf.org" <secdir@ietf.org>, "asdf@ietf.org" <asdf@ietf.org>, "draft-ietf-asdf-sdf.all@ietf.org" <draft-ietf-asdf-sdf.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [secdir] Re: [Last-Call] Secdir last call review of draft-ietf-asdf-sdf-18
List-Id: Security Area Directorate <secdir.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/OFdCKFF0g-Aa2GB2BVSAjGNh5zg>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Owner: <mailto:secdir-owner@ietf.org>
List-Post: <mailto:secdir@ietf.org>
List-Subscribe: <mailto:secdir-join@ietf.org>
List-Unsubscribe: <mailto:secdir-leave@ietf.org>
>(Unfortunately, RFC 4949 *uses* provenance once, but does not *define* it, maybe for similar reasons as here.) Would be nice if it did. > The term provenance is not exactly defined in Section 8 because it really doesn’t have to be: +1 From: Carsten Bormann <cabo@tzi.org> Date: Tuesday, May 28, 2024 at 12:43 To: Smith, Ned <ned.smith@intel.com> Cc: Magnus Nyström <magnusn@gmail.com>, secdir@ietf.org <secdir@ietf.org>, asdf@ietf.org <asdf@ietf.org>, draft-ietf-asdf-sdf.all@ietf.org <draft-ietf-asdf-sdf.all@ietf.org>, last-call@ietf.org <last-call@ietf.org> Subject: Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-asdf-sdf-18 Hi Ned, thanks for providing the citation and the thoughts about using this term. For a current example of how the term is used in the IETF, please see [0]. [0]: https://www.ietf.org/archive/id/draft-lopez-opsawg-yang-provenance-02.html (Unfortunately, RFC 4949 *uses* provenance once, but does not *define* it, maybe for similar reasons as here.) Authentication and integrity protection are methods (or can be abstracted into objectives) that can be used to ascertain provenance. The term provenance is not exactly defined in Section 8 because it really doesn’t have to be: The text in question is about security considerations, not about defining a protocol for achieving or communicating provenance (which would be out of scope for this interchange format definition). What the user of a information/interaction model really cares about is its provenance (and applicability), not how that is reliably communicated by way of authentication, integrity protection, endorsement, appraisal, policy etc. When I said that provenance is a stronger word, I meant that this is really the objective that we desire to support by addressing those specific objectives. I thought that mentioning that provenance implies authentication and integrity protection [1] would be enough to address the fact that these objectives/mechanisms are not otherwise mentioned in the security considerations. [1]: https://github.com/ietf-wg-asdf/SDF/pull/157/files Grüße, Carsten > On 28. May 2024, at 20:25, Smith, Ned <ned.smith@intel.com> wrote: > > The draft uses provenance without defining it. There is a definition in NIST SP800-53r5: > “The chronology of the origin, development, ownership, location, and changes to a system or system component and associated data”. > It isn’t clear if the I-D authors intended this definition or something else. If this is the intended definition, then the NIST definition doesn’t specifically say “authentication”, “integrity”, or (attestation) “appraisal”. But if the authors intended these properties, they could have used those words directly rather than “provenance”. If they intended the NIST definition of provenance, they could site the NIST document. > -Ned
- [secdir] Secdir last call review of draft-ietf-as… Magnus Nyström via Datatracker
- [secdir] Re: [Last-Call] Secdir last call review … Carsten Bormann
- [secdir] Re: [Last-Call] Secdir last call review … Magnus Nyström
- [secdir] Re: [Last-Call] Secdir last call review … lgl island-resort.com
- [secdir] Re: [Last-Call] Secdir last call review … Smith, Ned
- [secdir] Re: [Last-Call] Secdir last call review … Carsten Bormann
- [secdir] Re: [Last-Call] Secdir last call review … Smith, Ned
- [secdir] Re: [Last-Call] Secdir last call review … Michael Richardson
- [secdir] Re: [Last-Call] Re: Secdir last call rev… tom petch