Re: [stir] For the sake of implementers, please verify errata in a timely manner

"Peterson, Jon" <jon.peterson@team.neustar> Wed, 14 April 2021 15:12 UTC

From: "Peterson, Jon" <jon.peterson@team.neustar>
To: Marc Petit-Huguenin <marc@petit-huguenin.org>, "stir@ietf.org Mail List" <stir@ietf.org>
Thread-Topic: [stir] For the sake of implementers, please verify errata in a timely manner
Thread-Index: AQHXLHW/SsUQAJ76WUaE6v9wF9Qc1Kqzst2A
Date: Wed, 14 Apr 2021 15:12:22 +0000
Message-ID: <FA469E63-F026-4450-92FE-E6ABED6B6B07@team.neustar>
References: <adc8bd10-a04d-aff5-e03f-183f0d59c22c@petit-huguenin.org>
In-Reply-To: <adc8bd10-a04d-aff5-e03f-183f0d59c22c@petit-huguenin.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/oWUanDgIkfMuAK6lXBDIXWJgU0Y>
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>

Hey Marc,

Just to give my own impressions...

1. https://www.rfc-editor.org/errata/eid5390

I agree that the potential attack vector is not limited to DTLS-SRTP as a use case, but I'm not sure I consider this fix "errata." The statement in section 12.1 is not normative, and as far as I can tell is a true description of the behavior of the mechanism. The fact that the signature might also protect things other than DTLS-SRTP just isn't the subject of that sentence taken in isolation.

2. https://www.rfc-editor.org/errata/eid5391

We definitely decided to do it this way; it wasn't an accident, and so I don't view this as an error. I can see the argument for stating explicitly that RFC 8224 overrides the text in RFC 7518 section 4.1.6 to remove any confusion, but I'm not sure that would make a difference for me as to what behavior I put in, were I implementing it. If you don't like the override, the text still lets you use the clock at the AS to generate an "iat" value.

3. https://www.rfc-editor.org/errata/eid5715

I'm sure that the language could be cleaned up in both RFC 8224 and RFC 8225 here. Our use of "object" vs. "array" vs. just "value", or even "claim" or "element", was definitely a bit sloppy, and they were the subject of some last-minute wordsmithing, which didn't lead to total alignment. That much said, I'm not entirely sure what bar to implementation would be removed by tightening all this up, and it would be an exercise to figure out exactly which parts to tighten. So I'm a little lukewarm on this one.

4. https://www.rfc-editor.org/errata/eid6499

That seems like actual errata to me. Fine by me to fix it.

5. https://www.rfc-editor.org/errata/eid6519

This one we're discussing elsewhere, but it looks good to me.

Jon Peterson
Neustar, Inc.