[secdir] Re: [Last-Call] Secdir last call review of draft-ietf-asdf-sdf-18

Carsten Bormann <cabo@tzi.org> Tue, 28 May 2024 05:56 UTC

Return-Path: <cabo@tzi.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BCAF5C14F698; Mon, 27 May 2024 22:56:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.888
X-Spam-Level:
X-Spam-Status: No, score=-1.888 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SPF_HELO_TEMPERROR=0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T9LLT_f43srK; Mon, 27 May 2024 22:56:17 -0700 (PDT)
Received: from smtp.zfn.uni-bremen.de (smtp.zfn.uni-bremen.de [IPv6:2001:638:708:32::21]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D749AC14F615; Mon, 27 May 2024 22:56:13 -0700 (PDT)
Received: from [192.168.217.145] (p5089ae14.dip0.t-ipconnect.de [80.137.174.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.zfn.uni-bremen.de (Postfix) with ESMTPSA id 4VpMFl14SQzDCfg; Tue, 28 May 2024 07:56:11 +0200 (CEST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.7\))
From: Carsten Bormann <cabo@tzi.org>
In-Reply-To: <171687277928.58506.15548370459995846366@ietfa.amsl.com>
Date: Tue, 28 May 2024 07:56:10 +0200
X-Mao-Original-Outgoing-Id: 738568570.612147-8ce8bae8504497d10564146567562cbd
Content-Transfer-Encoding: quoted-printable
Message-Id: <FAFF4355-359E-4436-BAE5-9CFB206ED70C@tzi.org>
References: <171687277928.58506.15548370459995846366@ietfa.amsl.com>
To: Magnus Nyström <magnusn@gmail.com>
X-Mailer: Apple Mail (2.3608.120.23.2.7)
Message-ID-Hash: 2CZ4CHBTQVOR4QKC2NCMKIYDFU76IT5R
X-Message-ID-Hash: 2CZ4CHBTQVOR4QKC2NCMKIYDFU76IT5R
X-MailFrom: cabo@tzi.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-secdir.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: secdir@ietf.org, asdf@ietf.org, draft-ietf-asdf-sdf.all@ietf.org, last-call@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [secdir] Re: [Last-Call] Secdir last call review of draft-ietf-asdf-sdf-18
List-Id: Security Area Directorate <secdir.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/wg75YLrjspKWLAscqaPbYWevnoE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Owner: <mailto:secdir-owner@ietf.org>
List-Post: <mailto:secdir@ietf.org>
List-Subscribe: <mailto:secdir-join@ietf.org>
List-Unsubscribe: <mailto:secdir-leave@ietf.org>

Hi Magnus,

thank you for this review.
A couple of quick comments to your specific items:

> - The Security Considerations section mentions the possible need for
> confidentiality of an SDF model ("There may be confidentiality requirements on
> SDF models, both on their content and on the fact that a specific model is used
> in a particular Thing or environment"). Couldn't there also be a need for
> integrity/authenticity of a given SDF model? The document is silent on this.

Actually, we use (twice) a much stronger word: provenance.
This combines integrity and authentication with some appraisal (or at least policy) of how the data from the authenticated source can be used.
We are not pointing to a specific mechanism here, as that is likely to be ecosystem specific.
We could, however, explicitly remind the reader that provenance has integrity and authenticity as a prerequisite.
A minimal change in:

https://github.com/ietf-wg-asdf/SDF/pull/157

> -
> Related to the previous point, was it ever discussed to allow for an integrity
> or authenticity value accompanying or being part of an SDFThing instance?

Given the role of SDF as a hub format, SDF needs to be agnostic to the kinds of integrity protection and authenticity that is used with it.  Embedding a model into an SDFThing instance is certainly one way to provide this information in a way that could make use of protection already available for the Thing in general.  It is more likely, though, that a Thing will provide a reference to its model that is stored somewhere else.  That would be described in a model using an extension such as that proposed in [1] (if it is offered as an affordance from an instance) or possibly [2].  (These are likely to become WG documents after the current rechartering.)

[1]: https://datatracker.ietf.org/doc/draft-bormann-asdf-sdftype-link/
[2]: https://datatracker.ietf.org/doc/draft-laari-asdf-relations/

Grüße, Carsten