Re: [Taps] Barry Leiba's No Objection on draft-ietf-taps-transport-security-11: (with COMMENT)
Tommy Pauly <tpauly@apple.com> Wed, 22 April 2020 17:11 UTC
Return-Path: <tpauly@apple.com>
X-Original-To: taps@ietfa.amsl.com
Delivered-To: taps@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 09E233A1095; Wed, 22 Apr 2020 10:11:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rmMdO-AGKy4p; Wed, 22 Apr 2020 10:11:33 -0700 (PDT)
Received: from nwk-aaemail-lapp02.apple.com (nwk-aaemail-lapp02.apple.com [17.151.62.67]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 236683A1080; Wed, 22 Apr 2020 10:11:33 -0700 (PDT)
Received: from pps.filterd (nwk-aaemail-lapp02.apple.com [127.0.0.1]) by nwk-aaemail-lapp02.apple.com (8.16.0.42/8.16.0.42) with SMTP id 03MH7CoE012801; Wed, 22 Apr 2020 10:11:29 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=from : message-id : content-type : mime-version : subject : date : in-reply-to : cc : to : references; s=20180706; bh=hk1zcUaoUMr8FKdqeSVrEvhAOc5HspIwKs+a5NklbD8=; b=l+nI9qtGhHO7Vg1ofPban+6nGnIJ9xAhHRFo0TC+41chl9jgVrr2CLE3l/sFdm5fLrEf MeZkfKsopgyn8SO9WQK/T3Zlo+GtgxuFN4SdXv0hIyagXsV1H+Oq25MvudpgHxDfmTC7 YCpHztaLlZhxTZJa3T+lU7WE76Y7Ao2OflF9w23y4LPHcKioscKyqS7ugJ+/uE+YUP/T kke6PHQHButak85BbyQKAP2/R59YP+FjzV6h7uv/5FrlkWf5qRMoUYbMQrAwHiy8Shhh 42yriQM3jeY2NSo3A/IM11JGSWr072o6ql2Fb3DKvYiGUKoBbuyq4kqVi2e2anvPsqkT Cw==
Received: from rn-mailsvcp-mta-lapp01.rno.apple.com (rn-mailsvcp-mta-lapp01.rno.apple.com [10.225.203.149]) by nwk-aaemail-lapp02.apple.com with ESMTP id 30hhyh2985-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Wed, 22 Apr 2020 10:11:29 -0700
Received: from rn-mailsvcp-mmp-lapp03.rno.apple.com (rn-mailsvcp-mmp-lapp03.rno.apple.com [17.179.253.16]) by rn-mailsvcp-mta-lapp01.rno.apple.com (Oracle Communications Messaging Server 8.1.0.5.20200312 64bit (built Mar 12 2020)) with ESMTPS id <0Q9700NCV93542A0@rn-mailsvcp-mta-lapp01.rno.apple.com>; Wed, 22 Apr 2020 10:11:29 -0700 (PDT)
Received: from process_milters-daemon.rn-mailsvcp-mmp-lapp03.rno.apple.com by rn-mailsvcp-mmp-lapp03.rno.apple.com (Oracle Communications Messaging Server 8.1.0.5.20200312 64bit (built Mar 12 2020)) id <0Q9700L008PIX500@rn-mailsvcp-mmp-lapp03.rno.apple.com>; Wed, 22 Apr 2020 10:11:29 -0700 (PDT)
X-Va-A:
X-Va-T-CD: 5e0758ac758adaea6a44b8b32ea89e72
X-Va-E-CD: e2683231398be4050a86e8e77efb761c
X-Va-R-CD: 74216d21bb5feab0c413ccca5648d3ac
X-Va-CD: 0
X-Va-ID: f6117657-ba5c-4b10-aca7-41730340027e
X-V-A:
X-V-T-CD: 5e0758ac758adaea6a44b8b32ea89e72
X-V-E-CD: e2683231398be4050a86e8e77efb761c
X-V-R-CD: 74216d21bb5feab0c413ccca5648d3ac
X-V-CD: 0
X-V-ID: dc6b8727-3494-4c50-8a23-a834a81a58b6
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.138, 18.0.676 definitions=2020-04-22_06:2020-04-22, 2020-04-22 signatures=0
Received: from [17.232.192.67] (unknown [17.232.192.67]) by rn-mailsvcp-mmp-lapp03.rno.apple.com (Oracle Communications Messaging Server 8.1.0.5.20200312 64bit (built Mar 12 2020)) with ESMTPSA id <0Q9700JMN9341E00@rn-mailsvcp-mmp-lapp03.rno.apple.com>; Wed, 22 Apr 2020 10:11:29 -0700 (PDT)
From: Tommy Pauly <tpauly@apple.com>
Message-id: <1C6D2F3A-D3CE-4474-A36C-EDEBB0475AEA@apple.com>
Content-type: multipart/alternative; boundary="Apple-Mail=_9B8D147B-1549-472B-836C-DE23DF6E4725"
MIME-version: 1.0 (Mac OS X Mail 13.4 \(3608.80.7.2.3\))
Date: Wed, 22 Apr 2020 10:11:28 -0700
In-reply-to: <158632492387.9927.14911806705395970669@ietfa.amsl.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-taps-transport-security@ietf.org, taps-chairs@ietf.org, taps@ietf.org, Philipp Tiesel <philipp@tiesel.net>, caw@heapingbits.net
To: Barry Leiba <barryleiba@computer.org>
References: <158632492387.9927.14911806705395970669@ietfa.amsl.com>
X-Mailer: Apple Mail (2.3608.80.7.2.3)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.138, 18.0.676 definitions=2020-04-22_06:2020-04-22, 2020-04-22 signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/taps/Q9aOdTdAT_7oM7-qsDao-RUJi4E>
Subject: Re: [Taps] Barry Leiba's No Objection on draft-ietf-taps-transport-security-11: (with COMMENT)
X-BeenThere: taps@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IETF Transport Services \(TAPS\) Working Group" <taps.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/taps>, <mailto:taps-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/taps/>
List-Post: <mailto:taps@ietf.org>
List-Help: <mailto:taps-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/taps>, <mailto:taps-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Apr 2020 17:11:35 -0000
Hi Barry, Thanks for the review! You can find an updated version of the document here: https://ietf-tapswg.github.io/draft-ietf-taps-transport-security/draft-ietf-taps-transport-security.html <https://ietf-tapswg.github.io/draft-ietf-taps-transport-security/draft-ietf-taps-transport-security.html> Responses to your individual points inline. > On Apr 7, 2020, at 10:48 PM, Barry Leiba via Datatracker <noreply@ietf.org> wrote: > > Barry Leiba has entered the following ballot position for > draft-ietf-taps-transport-security-11: No Objection > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-taps-transport-security/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Thanks for this helpful document. Just some editorial comments beyond what > others have mentioned: > > — Section 1 — > > It examines Transport Layer Security > (TLS), Datagram Transport Layer Security (DTLS), IETF QUIC, Google > QUIC (gQUIC), tcpcrypt, Internet Key Exchange with Encapsulating > Security Protocol (IKEv2 + ESP), SRTP (with DTLS), WireGuard, > CurveCP, and MinimalT. > > It’s funny that this carefully expands every abbreviation except “SRTP”. > Please do that one too. Expanded! > > Ubiquitous IETF protocols such as (D)TLS, as well as non-standard > protocols such as gQUIC, are both included > > The word “both” doesn’t work here. I think a reasonable fix is just to remove > the single word. Maybe a better fix is to slightly reword, as, “Ubiquitous > IETF protocols such as (D)TLS are included, and so are non-standard protocols > such as gQUIC, despite...” Fixed by removing the word. > > — Section 1.1 — > > For example, a security > protocol that expects to run over a reliable stream of bytes, like > TLS, restrict the set of transport protocols that can be used > Number agreement: make it “restricts” to match the singular subject “a security > protocol”. Fixed. > > — Section 2 — > > Examples include > confidentiality, reliable delivery, ordered delivery, message- > versus-stream orientation, etc. > > You don’t need both “examples include” and “etc.”; I suggest eliminating the > latter (and sticking in an “and”). Fixed. > > — Section 3.1.1 — > > to marshal (possibly encrypted) data from one peer to the other. > > Possibly? I understand you’re covering the handshake there as well, but for a > summary as (reasonably) brief as this I think it’s misleading to say “possibly”. This is now: "The record protocol is used to marshal and, once the handshake has sufficiently progressed, encrypt, data from one peer to the other. " > > — Section 3.2.1 — > > ZRTP [RFC6189] is an alternative key agreement and identity > management protocols for SRTP. > > Number agreement: “protocol” Fixed! > > — Section 3.4.3 — > > For key establishment, OpenVPN can use TLS as a handshake protocol or > pre-shared keys. > > This reads oddly, as though there are two things OpenVPN can use TLS for. I > would make it, “...or it can use pre-shared keys.” Changed to: "For key establishment, OpenVPN can either use TLS as a handshake protocol or use pre-shared keys." > > — Section 5.1 — > > * Extensions (Application-Layer Protocol Negotiation) (EXT): The > application enables or configures extensions that are to be > negotiated by the security protocol, such as ALPN [RFC7301]. > > Isn’t the expansion of “ALPN” misplaced here? This is now written out in expanded form "Application-Layer Protocol Negotiation (ALPN) [RFC7301]" > > Thanks, Tommy
- [Taps] Barry Leiba's No Objection on draft-ietf-t… Barry Leiba via Datatracker
- Re: [Taps] Barry Leiba's No Objection on draft-ie… Tommy Pauly
- Re: [Taps] Barry Leiba's No Objection on draft-ie… Barry Leiba