Re: [secdir] Review of draft-ietf-repute-query-http-09

"Murray S. Kucherawy" <superuser@gmail.com> Tue, 27 August 2013 05:10 UTC

Return-Path: <superuser@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 173B021F9A1E for <secdir@ietfa.amsl.com>; Mon, 26 Aug 2013 22:10:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.414
X-Spam-Level:
X-Spam-Status: No, score=-2.414 tagged_above=-999 required=5 tests=[AWL=0.185, BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nKFVsMoq8haM for <secdir@ietfa.amsl.com>; Mon, 26 Aug 2013 22:10:40 -0700 (PDT)
Received: from mail-we0-x229.google.com (mail-we0-x229.google.com [IPv6:2a00:1450:400c:c03::229]) by ietfa.amsl.com (Postfix) with ESMTP id 16FF521F99FA for <secdir@ietf.org>; Mon, 26 Aug 2013 22:10:39 -0700 (PDT)
Received: by mail-we0-f169.google.com with SMTP id t61so3530484wes.14 for <secdir@ietf.org>; Mon, 26 Aug 2013 22:10:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=dyg4ul1cqq36MePz8ePR+3DA30aqRhVxWEr43vS4dI4=; b=JxYl20kc6BAwOpDCangTHwExCcRztdMavBI/xM0GHUxkLfHMwmpSIC0fiGHEQ2JOVh 6XgTtEaaILnf/B8KKUmCub5wo7tKie+zOeymcxeLou4BZzQyFGThbSZYCIAoAvQH3MR8 wous4vurVnfghaTM/Ma/E42lXUv/9FavwdGbL+Y9nkSs5JV09/9t7rJ5w00H0NsrmJp0 fspZJV+mJR2Q3UYv5+ZZKM4VasBDrFYLl+qMxGjzkvxQtovJ9Ru+hbdqRQvvg0emMJSL cCW1mYeNsqxzsdjICLz5+CfnjeqvX3R5+0nePM8SsX7JWGJltADBVFgHLbmiuRYUIza6 wg7Q==
MIME-Version: 1.0
X-Received: by 10.194.240.197 with SMTP id wc5mr12968747wjc.23.1377580238059; Mon, 26 Aug 2013 22:10:38 -0700 (PDT)
Received: by 10.180.75.144 with HTTP; Mon, 26 Aug 2013 22:10:37 -0700 (PDT)
In-Reply-To: <52198E83.7050406@oracle.com>
References: <51CAA254.6040303@oracle.com> <52158CF5.4050001@oracle.com> <521591FA.20601@dcrocker.net> <52198E83.7050406@oracle.com>
Date: Mon, 26 Aug 2013 22:10:37 -0700
Message-ID: <CAL0qLwY43MX8TgM2zFdw5hDF0qj3RsotqA22raKeTWNx7U6=UA@mail.gmail.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
To: Shawn M Emery <shawn.emery@oracle.com>
Content-Type: multipart/alternative; boundary=089e013d19ccbd410c04e4e6e416
X-Mailman-Approved-At: Tue, 27 Aug 2013 10:22:17 -0700
Cc: draft-ietf-repute-query-http.all@tools.ietf.org, Dave Crocker <dhc@dcrocker.net>, Dave Crocker <dcrocker@bbiw.net>, secdir@ietf.org
Subject: Re: [secdir] Review of draft-ietf-repute-query-http-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Aug 2013 05:10:41 -0000

Hi Shawn, thanks for the review.

On Sat, Aug 24, 2013 at 9:56 PM, Shawn M Emery <shawn.emery@oracle.com>wrote:

> On 08/21/13 10:22 PM, Dave Crocker wrote:
>
>> On 8/21/2013 9:00 PM, Shawn M Emery wrote:
>>
>>> However, none of the
>>> referenced RFCs and draft directly talk about the various attacks and
>>> how to mitigate against said attacks.
>>>
>>
>>
>> Shawn, some clarification please:
>>
>>    This is a simple query protocol, ableit yes one where the data is
>> making trust assertions.
>>
>>    A possible implication of your above comment is that all IETF
>> protocols should carry a threat analysis.  Have I misunderstood?
>>
>
> Hi Dave,
>
> Sorry for not being specific.  I will try to clarify my concerns:
>
> This draft references the reputation considerations draft when providing
> or using reputation services, I assume in a security context given that it
> is referenced in the security considerations section.  When I looked at the
> referenced draft's security considerations section it stated that there are
> threats discussed in the operation text above.  I think that these types of
> discussions deserve a separate section.  If the topic is mostly security it
> would be helpful to have a summary of the various threats and how to
> mitigate.  In any case, when looking through the entire draft I do see some
> suggestions for clients and their RSPs.
>
>
>
I'm still a little unclear about what the suggestion is here.  Since this
review is specific to query-http, I take your feedback to mean that
query-http itself is fine, but it's desirable that the considerations
document go into more detail about what it's discussing.  I think that's
fine and probably true, and I'll do so for that document, but I don't think
there's anything outstanding for this one.  Do you agree?

-MSK