IETF Logo Mail Archive

Re: [Taps] I-D Action: draft-ietf-taps-transport-security-03.txt

Christopher Wood <christopherwood07@gmail.com> Sat, 27 October 2018 05:08 UTC

Return-Path: <christopherwood07@gmail.com>
X-Original-To: taps@ietfa.amsl.com
Delivered-To: taps@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A444412DD85; Fri, 26 Oct 2018 22:08:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.748
X-Spam-Level:
X-Spam-Status: No, score=-1.748 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TNpD5LKJf23T; Fri, 26 Oct 2018 22:08:00 -0700 (PDT)
Received: from mail-vs1-xe2c.google.com (mail-vs1-xe2c.google.com [IPv6:2607:f8b0:4864:20::e2c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2B8B41292AD; Fri, 26 Oct 2018 22:08:00 -0700 (PDT)
Received: by mail-vs1-xe2c.google.com with SMTP id q15so2144892vso.1; Fri, 26 Oct 2018 22:08:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Lgujw6CeK/SwnMRf80b8/+KgQwewbJEhQ4n7/fZ5eZk=; b=TMS59H327kccwKHen1Yry6+Af96AccqOZOPB0o+GYoHGSbvvKCNS/pbDLlQge0303f cQ5RMi1vWnk4hdAwrPNTeHim5BdkB6trLgeURTWpnkzVhArXFyCE+C215eBpqSWkSLKl G5831kyycsGjvLPY5n3xUuzzAw/VoRDwKP/csiQLt5rmLrsXxWoUziYC+OITQ62zdyNQ ZehSOst63CMlUqhmK0RrfR+6Og2ljPNewI4sgAhwSQ3FSBR2qP+TRW+EgkwY5SpbmQ0t cW9AwrgZxu5srKsxvOJwzhTFbbarbjkKknMDjuZLRBe6mKDBjtrMu+AxN/ivqrPrAFtw 22zg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Lgujw6CeK/SwnMRf80b8/+KgQwewbJEhQ4n7/fZ5eZk=; b=RXnXDujiMktkn5HSovgnMKGsqneol6MwdEG0eua2bFXLUdoZeg2BkD2SUvPl73TL+6 0UvCiDz1pUWEEIYR0VKpdfyYMrA3+hnxuRI6ZU9SZecRkBPHFAQxpw/nZdv4RhfQ5VGX uXlP8alIYWLd04yjkmFtqI0Ofp/A6SQi9uf8L0tLGx1JL6yQRTz6cvuQPOACc2lU44Uw b0MDMHCyIPWO1c2wC2Oua+sdayPuF1L11DpzOkuwKQ32/3LMUhTfY+vLO1xPOXdEaGyu +bbhr7kGtV2o0EC8KQ3Wf8tU4wrIMvBEOXtBN5NBOvvgSOvpacCKMDDKRorIVYmRlIyQ Og3w==
X-Gm-Message-State: AGRZ1gJrIyszc9L/qEo2OJLSDc1uwmaiZnzRlbF6SOkB6MW3qGpARVEr qNJKD4gFylD5F4c3/crtjjGPeVA2KYW87Lwuvo5VWA==
X-Google-Smtp-Source: AJdET5fGGjZhcM6sUei+gNWkiER8tH0fTzndkOzJTxzqUEmbibKWC1lTH7udxFqXRAOPBvwAeuIPKeKuK3Rba832qHA=
X-Received: by 2002:a67:eb45:: with SMTP id x5mr2826686vso.13.1540616878975; Fri, 26 Oct 2018 22:07:58 -0700 (PDT)
MIME-Version: 1.0
References: <154022748014.6890.5464777930050299508@ietfa.amsl.com> <6fb7824e-b24e-1b88-f8eb-3e8005906e1b@inet.tu-berlin.de> <A6F37FDD-77F6-497B-B35F-652CF0A29C48@akamai.com>
In-Reply-To: <A6F37FDD-77F6-497B-B35F-652CF0A29C48@akamai.com>
From: Christopher Wood <christopherwood07@gmail.com>
Date: Fri, 26 Oct 2018 22:07:47 -0700
Message-ID: <CAO8oSXnQ4caha7R6buzb3J67WEzjKd7qiBKY+9qCwNymdoeoRw@mail.gmail.com>
To: Aaron Falk <aafalk@akamai.com>
Cc: Theresa Enghardt <theresa@inet.tu-berlin.de>, draft-ietf-taps-transport-security@ietf.org, taps@ietf.org
Content-Type: multipart/alternative; boundary="000000000000ce70a405792ed1b3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/taps/ZEj1SRMc6-GnVNueVreWIMulg8c>
Subject: Re: [Taps] I-D Action: draft-ietf-taps-transport-security-03.txt
X-BeenThere: taps@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IETF Transport Services \(TAPS\) Working Group" <taps.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/taps>, <mailto:taps-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/taps/>
List-Post: <mailto:taps@ietf.org>
List-Help: <mailto:taps-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/taps>, <mailto:taps-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 27 Oct 2018 05:08:03 -0000

Hi Aaron,

On Fri, Oct 26, 2018 at 10:46 AM Aaron Falk <aafalk@akamai.com> wrote:

> Dear Authors,
>
> We agreed at the last IETF that the authors would send a note when this
> draft was ready for SecDir review. Is it ready? Do you want to talk about
> Theresa's comments in Bangkok first?
>

It is not yet ready. We will send it to SecDir when that changes. I don’t
think Theresa’s comments are blockers here. (I’ll spin a new version with
her comments for submission when the tracker reopen.)

Best,
Chris


> --aaron
>
> On 26 Oct 2018, at 5:15, Theresa Enghardt wrote:
>
> Dear TAPS,
>
> having shepherded the minset draft, and, in the process, having seen a
> lot of discussion around security, where we mostly pointed to the
> security survey draft, I gave this draft another read in the current
> version, with a focus on Section 5.
>
> Thanks for the update, this document was a good read.
>
> However, I have some comments, which I'm sharing now rather than later,
> just in case there's anything which is better discussed in-person in
> Bangkok.
>
>
> Right now, the abstract states that this document is a survey of
> security protocols. I suggest to add text saying that the document also
> provides a minimal set of security features. Essentially, this document
> and minset together cover the "minimum requirements of a secure
> transport system".
>
>
> In Section 5, the document groups security features into mandatory and
> optional features, and states their transport dependency and application
> dependency. Application dependency, for me, relates to whether a feature
> is "functional", "optimizing", or "automatable" (in minset terminology).
> For example, if there is no application dependency, the feature is
> "automatable" and does not have to be exposed to the application. In
> contrast, a "function" feature needs to be exposed to the application.
>
> In Section 5.1, I am missing transport dependency and application
> dependency for the mandatory transport features. For example, I would be
> interested to know what is the minimum that the transport system needs
> to expose to the application for public-key based authentication?
>
> In Section 5.1, what is "unilateral responder authentication", which I
> haven't found in other places in the document under this name?
>
> In Section 5.2, "Session caching and management" has no application
> dependency. However, later in Section 6.1, we do expose Session Cache
> Management to the application. My interpretation is that this is just an
> "optimizing" feature, which is why there is no application dependency,
> but it is still useful to expose. It might help to make this explicit in
> the text.
>
> In Section 5, do we want to mention any security features related to
> integrity protection?
>
>
> As far as I can see, none of the protocols we survey provide any
> features explicitly providing privacy. Maybe this is worth highlighting
> in the Security considerations section, beyond saying that no claims of
> privacy properties are made.
>
>
> Finally, I would be in favor of asking for a Secdir early review to make
> sure we're not missing anything in the survey.
>
>
> Thank you again for this draft. I really appreciate that we're
> discussing transport security features in this way.
>
>
> Best,
> Theresa
>
> _______________________________________________
> Taps mailing list
> Taps@ietf.org
> https://www.ietf.org/mailman/listinfo/taps
>

v2.23.0 | Report a Bug | By Email