IETF Logo Mail Archive

Re: [stir] WGLC: draft-ietf-stir-passport-rcd-09

Ben Campbell <ben@nostrum.com> Mon, 25 July 2022 15:23 UTC

Return-Path: <ben@nostrum.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B33A9C131955 for <stir@ietfa.amsl.com>; Mon, 25 Jul 2022 08:23:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.685
X-Spam-Level:
X-Spam-Status: No, score=-1.685 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=nostrum.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ML9A7lnhhmMB for <stir@ietfa.amsl.com>; Mon, 25 Jul 2022 08:23:21 -0700 (PDT)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7098CC131950 for <stir@ietf.org>; Mon, 25 Jul 2022 08:23:10 -0700 (PDT)
Received: from smtpclient.apple (dhcp-82ac.meeting.ietf.org [31.133.130.172]) (authenticated bits=0) by nostrum.com (8.17.1/8.17.1) with ESMTPSA id 26PFMxxw076400 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Mon, 25 Jul 2022 10:23:06 -0500 (CDT) (envelope-from ben@nostrum.com)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nostrum.com; s=default; t=1658762587; bh=Ff0MIFwWA2ZcBFTCezlJLxrw3XP5huNsywsHq8Wai5A=; h=From:Subject:Date:In-Reply-To:Cc:To:References; b=SzgetKdchfC1JksnA/fHnwo6JeJz587HKRAtnfQ8Y7Q1VbkB/MNVBD7P04Gbp2zYr a75natCdJaY2RTcBoF3oLcB0iIVKCNFm+vN+5lukXe4BsOiCv+AGP0Exs8CAPj5TQx AcQiDG9mUjHxiShvcbnKJVQ19oCr1x5cSwkeVXwc=
X-Authentication-Warning: raven.nostrum.com: Host dhcp-82ac.meeting.ietf.org [31.133.130.172] claimed to be smtpclient.apple
From: Ben Campbell <ben@nostrum.com>
Message-Id: <DFA0884A-6803-4935-97D3-AE1C74A10536@nostrum.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_0805893A-50B0-4BCF-9D05-1BDE98957638"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
Date: Mon, 25 Jul 2022 11:22:54 -0400
In-Reply-To: <50F50BA5-20ED-49ED-B124-926A74AE4050@chriswendt.net>
Cc: Russ Housley <housley@vigilsec.com>, IETF STIR Mail List <stir@ietf.org>
To: Chris Wendt <chris-ietf@chriswendt.net>
References: <5393b70d-bfc7-c8ac-eb8d-30c8087a1e89@nostrum.com> <6981C79A-4024-4291-B2BB-A969EF8FD930@vigilsec.com> <6B54979F-CFFF-4634-9B06-F0F52AE69F76@nostrum.com> <50F50BA5-20ED-49ED-B124-926A74AE4050@chriswendt.net>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/KlefLb-k698S8QyFJOygBPxsS1U>
Subject: Re: [stir] WGLC: draft-ietf-stir-passport-rcd-09
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jul 2022 15:23:25 -0000

As Chair, but speaking for just myself and not my co-chairs:  I agree with having the update available for the meeting. We’d like to close this out as soon as possible.

As individual: The responses to my comments all look good to me. One comment below on the data URI:

> On Jul 25, 2022, at 11:16 AM, Chris Wendt <chris-ietf@chriswendt.net> wrote:
> 
>> 
>> 
>> §6.1.2: “Even though this is probably not the typical case, an "rcdi" JSON pointer or integrity digest is optional if the image value is directly included via a data URI.”
>> 
>> Apologies, I should have caught this one in an earlier version. But wouldn’t a data: URL typically point to a body part that is not covered by the PASSporT signature? If so, it could be subject to tampering in route. Would that need integrity protection less than a HTTPS URL? I guess tampering would require an on-path attacker. But I am still skeptical of the exception unless the data: URL points to data covered by the PASSporT signature.
> 
> My understanding is that data URIs (rfc2397) always include the data inline, so would not be separate from the data:.  Here is an image example: data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==
> 
> That said, i included an explicit reference to RFC2397.
> 

Oops, this was my mistake. I had the data URI scheme confused with the “reference another body part in a MIME multipart” URI scheme. Never mind.  (But the reference is good.)

Thanks!

Ben.

v2.23.0 | Report a Bug | By Email