Re: [secdir] [mile] Secdir review: draft-ietf-mile-5070-bis-22
Alexey Melnikov <alexey.melnikov@isode.com> Thu, 02 June 2016 13:52 UTC
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02D2F12D71A; Thu, 2 Jun 2016 06:52:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.955
X-Spam-Level:
X-Spam-Status: No, score=-1.955 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_SOFTFAIL=0.665] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=messagingengine.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EVrZBda9oCwH; Thu, 2 Jun 2016 06:52:36 -0700 (PDT)
Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5AF6412D715; Thu, 2 Jun 2016 06:52:36 -0700 (PDT)
Received: from compute7.internal (compute7.nyi.internal [10.202.2.47]) by mailout.nyi.internal (Postfix) with ESMTP id B048E21DE2; Thu, 2 Jun 2016 09:52:35 -0400 (EDT)
Received: from web5 ([10.202.2.215]) by compute7.internal (MEProxy); Thu, 02 Jun 2016 09:52:35 -0400
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=etAD5Tsv5k8TI5b v/RIm/U4iVso=; b=MHI2K1w8wrmoP5Yn3DbFACtZUsrO8Pxo57W+a9ab1C2WTGE ZcJZ7W9KkKNh7Tb1F7dxL+DJsXBzy4VtiRjnWn9Os3W5Qc2EgzQKCz1qh1LLf6v1 8LYI65roHziJtZAyOjY0j491GMhlKw2OpvOtu/Lbq+KPNDrbitRuQVcPU4ow=
Received: by mailuser.nyi.internal (Postfix, from userid 99) id 80866A849C; Thu, 2 Jun 2016 09:52:35 -0400 (EDT)
Message-Id: <1464875555.1299466.625917257.2D46286E@webmail.messagingengine.com>
X-Sasl-Enc: 7qUNGmqSRcSxoXEq1M/eoyNLma8g9tA556RxoHYy+tAm 1464875555
From: Alexey Melnikov <alexey.melnikov@isode.com>
To: "Roman D. Danyliw" <rdd@cert.org>, Robert Sparks <rjsparks@nostrum.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain
X-Mailer: MessagingEngine.com Webmail Interface - ajax-38f217ef
Date: Thu, 02 Jun 2016 14:52:35 +0100
In-Reply-To: <359EC4B99E040048A7131E0F4E113AFCD9750115@marathon>
References: <15b7d5f0-63e9-15b9-b7d5-47a6be10c760@nostrum.com> <359EC4B99E040048A7131E0F4E113AFCD974F81A@marathon> <574FF391.6000806@isode.com> <359EC4B99E040048A7131E0F4E113AFCD9750115@marathon>
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/W7koxbiVgNuKEqeiQvTjV7jQzBU>
Cc: mile@ietf.org, draft-ietf-mile-rfc5070-bis.all@ietf.org, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] [mile] Secdir review: draft-ietf-mile-5070-bis-22
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Jun 2016 13:52:38 -0000
Hi, On Thu, Jun 2, 2016, at 01:49 PM, Roman D. Danyliw wrote: > Hi Alexey! > > > -----Original Message----- > > From: Alexey Melnikov [mailto:alexey.melnikov@isode.com] > > Sent: Thursday, June 02, 2016 4:51 AM > > To: Roman D. Danyliw <rdd@cert.org>; Robert Sparks > > <rjsparks@nostrum.com> > > Cc: mile@ietf.org; draft-ietf-mile-rfc5070-bis.all@ietf.org; iesg@ietf.org; > > secdir@ietf.org > > Subject: Re: [mile] Secdir review: draft-ietf-mile-5070-bis-22 > > > > Hi Roman, > > > > On 02/06/2016 06:03, Roman D. Danyliw wrote: > > > Hello Robert! > > > > > > Thanks again for this review. Comments are inline ... > > > > > >> -----Original Message----- > > >> From: Robert Sparks [mailto:rjsparks@nostrum.com] > > >> Sent: Monday, May 30, 2016 2:44 PM > > >> To: secdir@ietf.org; iesg@ietf.org; > > >> draft-ietf-mile-rfc5070-bis.all@ietf.org > > >> Subject: Secdir review: draft-ietf-mile-5070-bis-22 > > [snip] > > > > Consideration #3 > > > ============== > > > > > > As Robert suggests, minimally, there needs to be a discussion in the > > security considerations on how these new enum values will securely be > > added to the schema/parser. However, the question remains, what > > guidance do we provide about how often the IANA registry should be > > checked. > > > > > > ---[ begin Section 4.3]--- > > > Furthermore, the > > > enumerated values present in this document are a static list that > > > will be incomplete over time as select attributes can be extended by > > > a corresponding IANA registry per Section 10.2. Therefore, the > > > schema to validate a given document MUST be dynamically generated > > > from these registry values. > > > ---[ end Section 4.3 ]--- > > > > > > ** Should we modify the last sentence as follows: > > > > > > "Therefore, the schema to validate a given document MUST be periodically > > regenerated from these registry values. It is RECOMMENDED that this > > SHOULD NOT occur more frequently than xxx" > > > > > > Kathleen/Alexey/or any reader of this note: do you have a pointer to the > > prior discussion on dynamically generating a schema from an IANA registry > > referenced by Robert so that "xxx" can be populated? > > I have no idea about reasonable "xxx" values. This was never done before. > > (When it was suggested before IESG persuaded authors to change their > > documents.) > > Understood. Thanks for channeling the historical wisdom. > > > While talking to www.iana.org directly from devices/programs is tempting, it > > might be better if vendors periodically download new values from IANA and > > then devices/programs talk to vendor's websites (or use vendor's update > > mechanisms). > > What about language like the following in Section 4.3: > > ---[ begin Section 4.3]--- > > -- Therefore, the schema to validate a given document MUST > -- be dynamically generated from these registry values. > ++ Therefore, IODEF implementations MUST periodically update > ++ their schema and MAY need to update their parsing algorithms > ++ to incorporate newly registered values added > ++ to the IANA registries specified in Section xx. I think this is an improvement. But also see Kathleen's reply. > ---[ end Section 4.3 ]--- > > In addition, add text to the security considerations that this updating > needs to be done securely. Right.
- Re: [secdir] [mile] Secdir review: draft-ietf-mil… Roman D. Danyliw
- Re: [secdir] [mile] Secdir review: draft-ietf-mil… Roman D. Danyliw
- Re: [secdir] Secdir review: draft-ietf-mile-5070-… Roman D. Danyliw
- [secdir] Secdir review: draft-ietf-mile-5070-bis-… Robert Sparks
- Re: [secdir] Secdir review: draft-ietf-mile-rfc50… Robert Sparks
- Re: [secdir] Secdir review: draft-ietf-mile-rfc50… kathleen.moriarty.ietf
- Re: [secdir] Secdir review: draft-ietf-mile-5070-… Roman D. Danyliw
- Re: [secdir] [mile] Secdir review: draft-ietf-mil… Alexey Melnikov
- Re: [secdir] [mile] Secdir review: draft-ietf-mil… Roman D. Danyliw
- Re: [secdir] [mile] Secdir review: draft-ietf-mil… kathleen.moriarty.ietf
- Re: [secdir] [mile] Secdir review: draft-ietf-mil… Alexey Melnikov