IETF Logo Mail Archive

Re: [stir] For the sake of implementers, please verify errata in a timely manner

Marc Petit-Huguenin <marc@petit-huguenin.org> Wed, 14 April 2021 15:37 UTC

Return-Path: <marc@petit-huguenin.org>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D4E83A13A0 for <stir@ietfa.amsl.com>; Wed, 14 Apr 2021 08:37:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iE_FBMR9rGO9 for <stir@ietfa.amsl.com>; Wed, 14 Apr 2021 08:37:35 -0700 (PDT)
Received: from implementers.org (implementers.org [IPv6:2001:4b98:dc0:45:216:3eff:fe7f:7abd]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 324873A13A3 for <stir@ietf.org>; Wed, 14 Apr 2021 08:37:35 -0700 (PDT)
Received: from [IPv6:2601:648:8400:8e7d:d250:99ff:fedf:93cd] (unknown [IPv6:2601:648:8400:8e7d:d250:99ff:fedf:93cd]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) client-signature RSA-PSS (2048 bits)) (Client CN "Marc Petit-Huguenin", Issuer "implementers.org" (verified OK)) by implementers.org (Postfix) with ESMTPS id C0212AE255; Wed, 14 Apr 2021 17:37:26 +0200 (CEST)
To: "Peterson, Jon" <jon.peterson@team.neustar>, "stir@ietf.org Mail List" <stir@ietf.org>
References: <adc8bd10-a04d-aff5-e03f-183f0d59c22c@petit-huguenin.org> <FA469E63-F026-4450-92FE-E6ABED6B6B07@team.neustar>
From: Marc Petit-Huguenin <marc@petit-huguenin.org>
Message-ID: <72b5b056-73a2-a39c-d1cb-5284d351a7bb@petit-huguenin.org>
Date: Wed, 14 Apr 2021 08:37:25 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.9.0
MIME-Version: 1.0
In-Reply-To: <FA469E63-F026-4450-92FE-E6ABED6B6B07@team.neustar>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/fjkUq5keHSfT4WzZPQu1NWaqVIU>
Subject: Re: [stir] For the sake of implementers, please verify errata in a timely manner
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Apr 2021 15:37:40 -0000

Thanks Jon.  Hopefully that's enough comments to have our chairs verify/hold/reject these errata.

On 4/14/21 8:12 AM, Peterson, Jon wrote:
> Hey Marc,
> 
> Just to give my own impressions...
> 
> 	1. https://urldefense.com/v3/__https://www.rfc-editor.org/errata/eid5390__;!!N14HnBHF!vB-riIssLbCue77ZKcQR5dQ9bLfLiUdeH7FpVBy5_W-tYbCEDX33sgxRwzNd2Y5CGLQ$
> 
> I agree that the potential attack vector is not limited to DTLS-SRTP as a use case,  but I'm not sure I consider this fix "errata." The statement in the 12.1 is not normative, and as far as I can tell is a true description of the behavior of the mechanism. The fact that the signature might also protect things other than DTLS-SRTP just isn't the subject of that sentence taken in isolation.
> 
> 	2. https://urldefense.com/v3/__https://www.rfc-editor.org/errata/eid5391__;!!N14HnBHF!vB-riIssLbCue77ZKcQR5dQ9bLfLiUdeH7FpVBy5_W-tYbCEDX33sgxRwzNdnkkFpis$
> 
> We definitely decided to do it this way, it wasn't an accident, and so I don't view this as an error. I can see the argument for stating explicitly that RFC 8224 overrides the text in RFC 7518 section 4.1.6 to remove any confusion, but I'm not sure that would make a difference for me as to what behavior I put in, were I implementing it. If you don't like the override, the text still lets you use the clock at the AS to generate an "iat" value.
> 
> 	3. https://urldefense.com/v3/__https://www.rfc-editor.org/errata/eid5715__;!!N14HnBHF!vB-riIssLbCue77ZKcQR5dQ9bLfLiUdeH7FpVBy5_W-tYbCEDX33sgxRwzNd6Z8MYnY$
> 
> I'm sure that the language could be cleaned up in both RFC8224 and RFC8225 here. Our use of "object" vs. "array" vs. just "value", or even "claim" or "element",  was definitely a bit sloppy, and they were the subject of some last-minute wordsmithing, which didn't lead to total alignment. That much said, I'm not entirely sure what bar to implementation would be removed by tightening all this up, and it would be an exercise to figure out exactly which parts to tighten. So I'm a little lukewarm on this one.
> 
> 	4. https://urldefense.com/v3/__https://www.rfc-editor.org/errata/eid6499__;!!N14HnBHF!vB-riIssLbCue77ZKcQR5dQ9bLfLiUdeH7FpVBy5_W-tYbCEDX33sgxRwzNdg4WYbn4$
> 
> That seems like actual errata to me. Fine by me to fix it.
> 
> 	5. https://urldefense.com/v3/__https://www.rfc-editor.org/errata/eid6519__;!!N14HnBHF!vB-riIssLbCue77ZKcQR5dQ9bLfLiUdeH7FpVBy5_W-tYbCEDX33sgxRwzNdWn4ubGw$
> 
> This one we're discussing elsewhere, but it looks good to me.
> 
> Jon Peterson
> Neustar, Inc.
> 


-- 
Marc Petit-Huguenin
Email: marc@petit-huguenin.org
Blog: https://marc.petit-huguenin.org
Profile: https://www.linkedin.com/in/petithug

v2.23.0 | Report a Bug | By Email