Re: [secdir] secdir review of draft-ietf-regext-rdap-object-tag-04

"Hollenbeck, Scott" <shollenbeck@verisign.com> Thu, 02 August 2018 12:28 UTC

Return-Path: <shollenbeck@verisign.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 22A2F130F1B; Thu, 2 Aug 2018 05:28:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hlv-lMh29e1f; Thu, 2 Aug 2018 05:28:18 -0700 (PDT)
Received: from mail2.verisign.com (mail2.verisign.com [72.13.63.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E416130F25; Thu, 2 Aug 2018 05:28:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=1929; q=dns/txt; s=VRSN; t=1533212899; h=from:to:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version:subject; bh=xhEZ6Gogg47xR1Se3ssmq0ldVSMkzo0FAG1PqCimEq4=; b=S4nMQihE7CuQkkAtlm992i1l3r0XFcrucaJCwcY1io9BQ8OheD/aGz92 0nGmAna1YJNQXimda0L08SrQkA3oVbLoAhFRThBNHTxW/6LjsgIPiTOys 1IAPWlgxyEQcb7seOUAzAxUNW8N23EIOPrD+DZEKh3RG/O1ZDTlOFwJ6X YduD9HmIvqETNQp9zffCoDAOdcOtd/7plNttIQWbhTH5uMDt777QmcPoq I9My89M/Avf4Tq9xfWGPkCQLB3Lp6W9TsuUdAjYelveyWObfd/BRt+/vm K6mfp1Yq6Dd1uwXlxintoD723xWVzfQIMiUWCFPfTaoBoaZQT25+2S49N A==;
X-IronPort-AV: E=Sophos;i="5.51,435,1526342400"; d="scan'208";a="5061916"
IronPort-PHdr: =?us-ascii?q?9a23=3A9qv4fhNbHkeHZAMbNs0l6mtUPXoX/o7sNwtQ0KIM?= =?us-ascii?q?zox0K/76oMbcNUDSrc9gkEXOFd2Cra4c1ayO6+jJYi8p2d65qncMcZhBBVcuqP?= =?us-ascii?q?49uEgeOvODElDxN/XwbiY3T4xoXV5h+GynYwAOQJ6tL1LdrWev4jEMBx7xKRR6?= =?us-ascii?q?JvjvGo7Vks+7y/2+94fcbglUhTexe69+IAmrpgjNq8cahpdvJLwswRXTuHtIfO?= =?us-ascii?q?pWxWJsJV2Nmhv3+9m98p1+/SlOovwt78FPX7n0cKQ+VrxYES8pM3sp683xtBnM?= =?us-ascii?q?VhWA630BWWgLiBVIAgzF7BbnXpfttybxq+Rw1DWGMcDwULs5Xymp4aV2Rx/ykC?= =?us-ascii?q?oJNyA3/nzLisJ+j6xbrhCupx1jzIDbb46YL+Z+frrffd8GWWZNQthdWipcCY28?= =?us-ascii?q?dYsPCO8BMP5Wo4f/oFsOqR++CheqBOz01DBHmnz20bUn2Oo8DQ7G2xAgH84AvH?= =?us-ascii?q?/Jq9j1L6cSUeexzKnM0zrDaehZ1inh54jLaR0hv++DXahxccrKyEkvGAXFgk+M?= =?us-ascii?q?poziOjOYz+IAuHWY4ep4Te+jlnIrpxtsrjWtyMogkJTFi4Ibx1ze+ih0xJ45Kc?= =?us-ascii?q?CkREJhfNKpEodcuzuHO4Z5Qc4uWXxktSUixr0Ip5G2fzQGxZEiyhPdd/OLb5KH?= =?us-ascii?q?7xf+WOmNPTh1gXJod6+hiBa89EWtzvDzWdSq31tMsyFLiMPDtmoX2BzW8sWHT/?= =?us-ascii?q?x98Vq/1juXzADT7/1EIVgzlarGN54t2r4wmYQXsUTEBiL7hVn4greLekok4uam?= =?us-ascii?q?5OXobqn4qpOGKY97lgb+Mr42msClG+s3LxICX3aB+eSn0r3v51H2QLJPjvEuk6?= =?us-ascii?q?nZto7VJdgDq6KkHwNZyJsv5hSxAju8zdgVnXcKIEhKdR+Dl4TpPkvBIPH8Dfex?= =?us-ascii?q?mVSslzJryujdPr3hBZXNKnzDn6nnfblm9UFT1AkzwMtB551KELEBIenzWk7+tN?= =?us-ascii?q?zeFBM2Lwu0w+P/BNVnyoweQX6PArOeMK7KrV+I4uIuI/SXaY8QuTb9N+Ip6ODz?= =?us-ascii?q?gn8kgVUdZ7Wm3YMLaHCkGfRrO0SZbmT3gtcOCmoKvxQxTPDkiFGYVj5TfXmyVb?= =?us-ascii?q?om5j4nEIKmEZvDRoe1jbyawii0AoBZZmFcCl2XEHfnaZmEW/kWZCKVOM9hnSQO?= =?us-ascii?q?VaK9RI85yRGuqAj6xqJ6IerO4CIYu47j2MF05+LNiREy+yV4D96D3GGCUW51kX?= =?us-ascii?q?8ISyYs3K9iu0N90k6P0a9jjPxaC9Nc++9JXh4mNZHGwOx2Ecr9WgbFftqSSVap?= =?us-ascii?q?XMmmAT8rQtI22d8ObBU1J9L3xF/f2zu3K7oUi/qGCIF7uOqIw3zgOu54ymqA2a?= =?us-ascii?q?U82R1uCIROOHaprq9y6waVAJTG3A/Rw6enbqs03SPR+iGE12XY+AkSHxV9WqnE?= =?us-ascii?q?R1gea1fY69Pj6QyIB+u1BL8rMxFpyMOeJO1NcNK/yR0MC/v5MdrCJmO8h2n1Hx?= =?us-ascii?q?uHy6OQKZDmcn1Y2y/fBUMY1hwa8jCPMQwWByq9rSTZFjMhXxq7b1nl//U7qX6n?= =?us-ascii?q?QAouwg6Hf1Ekzba84lsSj/6RQO9WwrsL/i4lrx11EUqzmdXMBIzTiRBmefAWQd?= =?us-ascii?q?Q55FpB32/StEg1BZenM7wozgoFcwNzu07o3Rh8Ca1enNIrt3Ilykx5LqfOgwAJ?= =?us-ascii?q?TC+RwZ2lYu6fEWL15h36M6M=3D?=
X-IPAS-Result: =?us-ascii?q?A2GyAwDK92Jb/zGZrQpbDg4BAQEEAQEKAQGFWAqaSoMukiy?= =?us-ascii?q?BeguEbAKDJTYWAQIBAQEBAQECAQECgRGCNSKCYQEBAQEDOksEAgEIEQQBAR8QM?= =?us-ascii?q?h0IAgQBEgi3dIpYiR+BQj6BEoMShGiFbAKaJgMGAokDhjWOHJIiAgQCBAUCFIF?= =?us-ascii?q?IA4IBcIM5kBk6b41vgRsBAQ?=
Received: from BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) by BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1466.3; Thu, 2 Aug 2018 08:28:16 -0400
Received: from BRN1WNEX02.vcorp.ad.vrsn.com ([fe80::7c0a:1cc:5def:9dde]) by BRN1WNEX02.vcorp.ad.vrsn.com ([fe80::7c0a:1cc:5def:9dde%4]) with mapi id 15.01.1466.003; Thu, 2 Aug 2018 08:28:16 -0400
From: "Hollenbeck, Scott" <shollenbeck@verisign.com>
To: "'tlyu@mit.edu'" <tlyu@mit.edu>, "'iesg@ietf.org'" <iesg@ietf.org>, "'secdir@ietf.org'" <secdir@ietf.org>, "'draft-ietf-regext-rdap-object-tag.all@ietf.org'" <draft-ietf-regext-rdap-object-tag.all@ietf.org>
Thread-Topic: [EXTERNAL] secdir review of draft-ietf-regext-rdap-object-tag-04
Thread-Index: AQHUKiNgOcZsa6t9lkakT4eS2Sgvw6SsY7FQ
Date: Thu, 2 Aug 2018 12:28:16 +0000
Message-ID: <ab45054aed8d411d809fb9bf58a4a0f8@verisign.com>
References: <ldvk1p9wckt.fsf@ubuntu-1gb-nyc1-01.localdomain>
In-Reply-To: <ldvk1p9wckt.fsf@ubuntu-1gb-nyc1-01.localdomain>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.170.148.18]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/YgQEaYy8SbP2fAjr3N-Zid5tR9c>
Subject: Re: [secdir] secdir review of draft-ietf-regext-rdap-object-tag-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Aug 2018 12:28:28 -0000

> -----Original Message-----
> From: Taylor Yu <tlyu@mit.edu>
> Sent: Thursday, August 02, 2018 1:41 AM
> To: iesg@ietf.org; secdir@ietf.org; draft-ietf-regext-rdap-object-
> tag.all@ietf.org
> Subject: [EXTERNAL] secdir review of draft-ietf-regext-rdap-object-tag-04
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the IESG.
> These comments were written primarily for the benefit of the security area
> directors.  Document editors and WG chairs should treat these comments
> just like any other last call comments.
>
> The summary of the review is Ready with nits.
>
> I agree with Ben Kaduk's comment:
>
> > Section 7
> >
> > Perhaps note that it is using IANA as a well-known central trusted
> > authority in order to provide the property of allowing users to get
> > RDAP data from an authoritative source?
> >
> >    [...] The method has the same security
> >    properties as the RDAP protocols themselves.  The transport used to
> >    access the IANA registries can be more secure by using TLS [RFC5246],
> >    which IANA supports.
> >
> > Well, I don't know that "the same as" is quite right, especially given
> > the following sentence.  The composed chain of "talk to iana, talk to
> > referred RDAP server" depends both on the security of the connection
> > to the RDAP server and that of the connection to IANA; it seems
> > prudent to note that if TLS is used for the RDAP connection, TLS
> > should also be used when talking to IANA, or even that TLS should always
> be used when talking to IANA.
>
> There is also the issue of trust anchors when using TLS.  The normative
> references also do not mention this issue, so maybe it is out of scope to
> deal with it here.

Thanks for the review, Taylor. I have new text provided by Ben enqueued for replacement.

Scott