Re: [secdir] secdir review of draft-ietf-core-link-format-11

"Richard L. Barnes" <rbarnes@bbn.com> Thu, 08 March 2012 19:54 UTC

Return-Path: <rbarnes@bbn.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ABF6B21E800C; Thu, 8 Mar 2012 11:54:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.347
X-Spam-Level:
X-Spam-Status: No, score=-106.347 tagged_above=-999 required=5 tests=[AWL=0.252, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EqQONsJshhfH; Thu, 8 Mar 2012 11:54:30 -0800 (PST)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id D9A3621F8672; Thu, 8 Mar 2012 11:54:29 -0800 (PST)
Received: from ros-dhcp192-1-51-17.bbn.com ([192.1.51.17]:51778) by smtp.bbn.com with esmtps (TLSv1:AES128-SHA:128) (Exim 4.77 (FreeBSD)) (envelope-from <rbarnes@bbn.com>) id 1S5jPk-00094a-Qz; Thu, 08 Mar 2012 14:54:16 -0500
Mime-Version: 1.0 (Apple Message framework v1257)
Content-Type: text/plain; charset=us-ascii
From: "Richard L. Barnes" <rbarnes@bbn.com>
In-Reply-To: <F666D01D-0962-44E5-9AF7-85C20673D3F5@sensinode.com>
Date: Thu, 8 Mar 2012 14:54:34 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <95A990F2-89D7-4CE9-B751-36E58E725AF0@bbn.com>
References: <3E9A3BC9-6AEB-4E03-A053-5E7A172DA4E7@bbn.com> <F666D01D-0962-44E5-9AF7-85C20673D3F5@sensinode.com>
To: Zach Shelby <zach@sensinode.com>
X-Mailer: Apple Mail (2.1257)
Cc: draft-ietf-core-link-format@tools.ietf.org, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-core-link-format-11
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Mar 2012 19:54:30 -0000

Hey Zach,

Glad to be helpful.  Sounds like we're basically on the same page; couple of minor responses inline.

> Richard,
> 
> Thanks for the review, see my responses in-line. 
> 
> On Feb 25, 2012, at 12:40 PM, Richard Barnes wrote:
> 
>> I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.
>> 
>> This document defines a format for describing a list of resources linked from a server, e.g., an HTTP or CoAP server.  The document suggests the use of TLS or DTLS on the underlying transport for transport security.  My only remaining security concern is that there could be access control concerns as well.  For example, a server might not authorize all clients to see all services, or might provide some clients with different levels of access (e.g., read vs. read/write).  The document already envisions that the list of links will have some dynamism, allowing for filtering based on link attributes.  I would suggest simply noting that servers may want to support HTTP, CoAP, or [D]TLS client authentication and adaptation of the list of returned links based on the client's identity and authorizations.  
>> 
>> Suggested text for Section 6:
>> "
>> Some servers may provide resource discovery services to a mix of clients that are trusted to different levels.  For example, a lighting control system might allow any client to read state variables, but only certain clients to write state (turn lights on or off).  Servers SHOULD support authentication features of the underlying transport protocols (HTTP, CoAP, or DTLS/TLS) and allow operators to return different lists of links based on a client's identity and authorization.
>> "
> 
> Excellent suggestion, I will make a ticket. 
> 
>> 
>> Non security-related comments follow.
>> 
>> General: This document seems a little bit awkward semantically.  The HTTP Link header is intended to provide links from a given resource (identified by the request URI) to associated resources.  The service described in this document seems to provide a general list of URIs, without a firm idea of what the "source" of these references is.
> 
> The source (context) of the references is meant to be the server itself. Our main use case is the discovery of resources that a web server is hosting. A secondary use case would be to describe relations between resources on the same server (but this is rare for constrained devices). 
> 
>> Indeed, with the "anchor" parameter, it seems like this document allows a service at "/.well-known/core" to act as a general "Tell me about this URI" service, which seems over-broad.  Is this the intent of the WG?  
> 
> No, that is not the intent. 
> 
>> Perhaps the "anchor" parameter should be restricted to relative, not absolute, URIs?  
> 
> Yes, this is something that we could certainly do. One aspect that I would point out is that the list of resources that a web server has may also be hosted by a resource directory on behalf of the server (see draft-shelby-core-resource-directory). Currently we are not using the anchor parameter for that, so your suggestion should not be a problem. 
> 
>> And how is this different from just doing a HEAD request to the URI to get a Link header that would contain the same information?
> 
> Of course that would work for the HTTP case (CoAP does not have a Link header), but it would only provide links related to that particular request URI. The intention of this link document available on /.well-known/core is that it returns the resources the server has available (at least the top-level ones that are useful to discover). 

Sorry, I had missed this subtlety.  Now the .well-known approach makes more sense.


>> General: In a similar vein, it seems like this format need not necessarily be restricted to CORE.  Might it not have more general utility for HTTP service discovery?  Really the only impact would be to change the name of the well-known URI from "core" to something more generic.
> 
> That is the intention that this is equally applicable to both HTTP and CoAP, and in general CoRE is about RESTful environments so I wouldn't think the /.well-known/core really limits anything. Although I would mainly recommend this /.well-known/core mechanism for machine-to-machine web applications, for more general web page discovery there are other technologies already available in the App area.  

If the idea is to describe things on this server, maybe the right tag is "/.well-known/here" :)

Best,
--Richard