Re: [secdir] secdir review of draft-ietf-regext-rdap-object-tag-04

"Hollenbeck, Scott" <shollenbeck@verisign.com> Thu, 02 August 2018 12:28 UTC

From: "Hollenbeck, Scott" <shollenbeck@verisign.com>
To: "'tlyu@mit.edu'" <tlyu@mit.edu>, "'iesg@ietf.org'" <iesg@ietf.org>, "'secdir@ietf.org'" <secdir@ietf.org>, "'draft-ietf-regext-rdap-object-tag.all@ietf.org'" <draft-ietf-regext-rdap-object-tag.all@ietf.org>
Date: Thu, 02 Aug 2018 12:28:16 +0000
Message-ID: <ab45054aed8d411d809fb9bf58a4a0f8@verisign.com>
References: <ldvk1p9wckt.fsf@ubuntu-1gb-nyc1-01.localdomain>
In-Reply-To: <ldvk1p9wckt.fsf@ubuntu-1gb-nyc1-01.localdomain>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/YgQEaYy8SbP2fAjr3N-Zid5tR9c>

> -----Original Message-----
> From: Taylor Yu <tlyu@mit.edu>
> Sent: Thursday, August 02, 2018 1:41 AM
> To: iesg@ietf.org; secdir@ietf.org; draft-ietf-regext-rdap-object-tag.all@ietf.org
> Subject: [EXTERNAL] secdir review of draft-ietf-regext-rdap-object-tag-04
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the IESG.
> These comments were written primarily for the benefit of the security area
> directors.  Document editors and WG chairs should treat these comments
> just like any other last call comments.
>
> The summary of the review is Ready with nits.
>
> I agree with Ben Kaduk's comment:
>
> > Section 7
> >
> > Perhaps note that it is using IANA as a well-known central trusted
> > authority in order to provide the property of allowing users to get
> > RDAP data from an authoritative source?
> >
> >    [...] The method has the same security
> >    properties as the RDAP protocols themselves.  The transport used to
> >    access the IANA registries can be more secure by using TLS [RFC5246],
> >    which IANA supports.
> >
> > Well, I don't know that "the same as" is quite right, especially given
> > the following sentence.  The composed chain of "talk to iana, talk to
> > referred RDAP server" depends both on the security of the connection
> > to the RDAP server and that of the connection to IANA; it seems
> > prudent to note that if TLS is used for the RDAP connection, TLS
> > should also be used when talking to IANA, or even that TLS should always
> > be used when talking to IANA.
>
> There is also the issue of trust anchors when using TLS.  The normative
> references also do not mention this issue, so maybe it is out of scope to
> deal with it here.

Thanks for the review, Taylor. I have new text provided by Ben enqueued for replacement.

Scott
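Ben's point about the composed chain (fetch the IANA registry, then talk to the referred RDAP server), as an added example that is not part of this thread or of the draft: a small resolver that refuses any hop of the chain not served over TLS. The three-element registry layout (contacts, tags, base URLs), the handle convention of a tag after the last hyphen, the sample registry and the registry URL are all assumptions made here, not taken from the page.

```python
import json
from urllib.parse import urlsplit, urljoin

# Constructed sample of a service-provider-tag bootstrap registry (not IANA data).
# Layout assumed: each services entry is [contact emails, tags, base URLs].
SAMPLE_REGISTRY = json.dumps({
    "version": "1.0",
    "publication": "2018-08-02T00:00:00Z",
    "description": "constructed sample, not IANA data",
    "services": [
        [["contact@example.com"], ["YYYY"], ["https://example.com/rdap/"]],
        [["ops@example.net"], ["ZZZZ"], ["http://example.net/rdap/", "https://rdap.example.net/"]],
        [["noc@example.org"], ["WWWW"], ["http://example.org/rdap/"]],
    ],
})

# Placeholder for the registry location; the real URL is not on this page.
REGISTRY_URL = "https://iana.example/object-tags.json"


def require_https(url):
    """Reject a hop that is not protected by TLS. Certificate validation against
    the trust anchors is left to the HTTP client that performs the fetch."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing non-TLS URL: %s" % url)
    return url


def split_handle(handle):
    """'XXXX-YYYY' -> ('XXXX-YYYY', 'YYYY'); assumed: the tag follows the last hyphen."""
    if "-" not in handle:
        raise ValueError("handle carries no service provider tag: %s" % handle)
    return handle, handle.rsplit("-", 1)[1]


def base_urls_for_tag(registry_text, tag):
    """Return the base URLs registered for a tag, or fail loudly if unknown."""
    for _contacts, tags, urls in json.loads(registry_text)["services"]:
        if tag in tags:
            return urls
    raise LookupError("tag not registered: %s" % tag)


def resolve_entity_url(registry_url, registry_text, handle):
    """Compose both hops with the same policy: the registry fetch and the
    referred RDAP server must both be reachable over https, or we stop."""
    require_https(registry_url)
    handle, tag = split_handle(handle)
    https_bases = [u for u in base_urls_for_tag(registry_text, tag)
                   if urlsplit(u).scheme == "https"]
    if not https_bases:
        raise ValueError("no TLS-protected base URL registered for tag %s" % tag)
    return urljoin(https_bases[0], "entity/" + handle)
```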