Re: [Taps] Roman Danyliw's Discuss on draft-ietf-taps-interface-24: (with DISCUSS and COMMENT)
Tommy Pauly <tpauly@apple.com> Thu, 11 January 2024 17:48 UTC
Return-Path: <tpauly@apple.com>
X-Original-To: taps@ietfa.amsl.com
Delivered-To: taps@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 846E9C14CEED for <taps@ietfa.amsl.com>; Thu, 11 Jan 2024 09:48:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.103
X-Spam-Level:
X-Spam-Status: No, score=-2.103 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zgTJcYY12OQw for <taps@ietfa.amsl.com>; Thu, 11 Jan 2024 09:48:09 -0800 (PST)
Received: from ma-mailsvcp-mx-lapp01.apple.com (ma-mailsvcp-mx-lapp01.apple.com [17.32.222.22]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C194CC19ECBE for <taps@ietf.org>; Thu, 11 Jan 2024 09:48:09 -0800 (PST)
Received: from rn-mailsvcp-mta-lapp01.rno.apple.com (rn-mailsvcp-mta-lapp01.rno.apple.com [10.225.203.149]) by ma-mailsvcp-mx-lapp01.apple.com (Oracle Communications Messaging Server 8.1.0.23.20230328 64bit (built Mar 28 2023)) with ESMTPS id <0S7300KL9YRR8R00@ma-mailsvcp-mx-lapp01.apple.com> for taps@ietf.org; Thu, 11 Jan 2024 09:48:08 -0800 (PST)
X-Proofpoint-ORIG-GUID: nf2VT5wwFt6EElGCtGQZNp66MrHnIggQ
X-Proofpoint-GUID: nf2VT5wwFt6EElGCtGQZNp66MrHnIggQ
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.619, 18.0.997 definitions=2024-01-11_09:2024-01-11, 2024-01-11 signatures=0
X-Proofpoint-Spam-Details: rule=interactive_user_notspam policy=interactive_user score=0 adultscore=0 mlxlogscore=999 spamscore=0 malwarescore=0 phishscore=0 mlxscore=0 bulkscore=0 suspectscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2311290000 definitions=main-2401110140
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=from : message-id : content-type : mime-version : subject : date : in-reply-to : cc : to : references; s=20180706; bh=aOZxNxMRPgwYnelXGcLohsQvKReBlv/gkiSinlvQupQ=; b=nLCLjitnSauJ+hWKA28ApVFpVi3XofzV/B3Ynw3s1r+/06k7o/F49S1Ij9BvfGh45FU3 +SYHjEgWY51wBO5dsIRztSrGoOVQOGo/U6FwXAxFjhtfyVb327+hoVwDvkWt8YVe0dCk M3ciHdr5DzNmS/rcHWopJKKQQBm4SSgEJaWAxJwKcJvLZxy8FYcWA4QS0lfnN7GXwNjG AYwtBA79YXufwvvQAQek+Gn+FKVpSGySHOFBaYcyjm3kprDz2a7AdkniB+pxk7WTOkax sytLVV1YGape/hq4+L0YbEZRqO9wOc6AgJgRBSwqkyOoJmIl3JGeq66UDgmjj3cMWXA1 gQ==
Received: from rn-mailsvcp-mmp-lapp04.rno.apple.com (rn-mailsvcp-mmp-lapp04.rno.apple.com [17.179.253.17]) by rn-mailsvcp-mta-lapp01.rno.apple.com (Oracle Communications Messaging Server 8.1.0.23.20230328 64bit (built Mar 28 2023)) with ESMTPS id <0S7301179YS4U4R0@rn-mailsvcp-mta-lapp01.rno.apple.com>; Thu, 11 Jan 2024 09:48:04 -0800 (PST)
Received: from process_milters-daemon.rn-mailsvcp-mmp-lapp04.rno.apple.com by rn-mailsvcp-mmp-lapp04.rno.apple.com (Oracle Communications Messaging Server 8.1.0.23.20230328 64bit (built Mar 28 2023)) id <0S7300T00YPTQT00@rn-mailsvcp-mmp-lapp04.rno.apple.com>; Thu, 11 Jan 2024 09:48:04 -0800 (PST)
X-Va-A:
X-Va-T-CD: 4ec1d282b8771f346bdd96c8adf118fc
X-Va-E-CD: 33fe75587f31c62e5a4d7b17d088c8ca
X-Va-R-CD: e5cb839f4e56d504f75947648d4dcad9
X-Va-ID: d3dc0608-a206-4a0d-9aaa-28a8e634e714
X-Va-CD: 0
X-V-A:
X-V-T-CD: 4ec1d282b8771f346bdd96c8adf118fc
X-V-E-CD: 33fe75587f31c62e5a4d7b17d088c8ca
X-V-R-CD: e5cb839f4e56d504f75947648d4dcad9
X-V-ID: 6b544ebc-6aee-4b08-b20d-9158729bbb2f
X-V-CD: 0
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.997,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2024-01-11_09,2024-01-11_01,2023-05-22_02
Received: from smtpclient.apple ([17.230.169.128]) by rn-mailsvcp-mmp-lapp04.rno.apple.com (Oracle Communications Messaging Server 8.1.0.23.20230328 64bit (built Mar 28 2023)) with ESMTPSA id <0S7300L57YS3LB00@rn-mailsvcp-mmp-lapp04.rno.apple.com>; Thu, 11 Jan 2024 09:48:04 -0800 (PST)
From: Tommy Pauly <tpauly@apple.com>
Message-id: <4AD3A40D-5A6B-48C8-8BF8-11D67F4583B0@apple.com>
Content-type: multipart/alternative; boundary="Apple-Mail=_9EA76904-3411-4917-A7ED-F36F61BFD83E"
MIME-version: 1.0 (Mac OS X Mail 16.0 \(3774.300.61.1.2\))
Date: Thu, 11 Jan 2024 09:47:53 -0800
In-reply-to: <170474593108.56200.14211704546607049395@ietfa.amsl.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-taps-interface@ietf.org, taps-chairs@ietf.org, taps@ietf.org, Anna Brunström <anna.brunstrom@kau.se>
To: Roman Danyliw <rdd@cert.org>
References: <170474593108.56200.14211704546607049395@ietfa.amsl.com>
X-Mailer: Apple Mail (2.3774.300.61.1.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/taps/etwEce1jKmhDUUbrKKI62WAHL50>
Subject: Re: [Taps] Roman Danyliw's Discuss on draft-ietf-taps-interface-24: (with DISCUSS and COMMENT)
X-BeenThere: taps@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IETF Transport Services \(TAPS\) Working Group" <taps.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/taps>, <mailto:taps-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/taps/>
List-Post: <mailto:taps@ietf.org>
List-Help: <mailto:taps-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/taps>, <mailto:taps-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Jan 2024 17:48:13 -0000
Hi Roman, I’ve opened a PR to try to clarify these points — it doesn’t change the fundamental meaning, but structures the security parameters more like the transport parameters above, and clarifies that the normative bit is “expose parameters to set these”, but the types are going to be platform-specific. https://github.com/ietf-tapswg/api-drafts/pull/1463 Please take a look and see if this helps. Thanks, Tommy > On Jan 8, 2024, at 12:32 PM, Roman Danyliw via Datatracker <noreply@ietf.org> wrote: > > Roman Danyliw has entered the following ballot position for > draft-ietf-taps-interface-24: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ > for more information about how to handle DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-taps-interface/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > Thanks for the revised text in v-22, -23 and -24. I’m still do not > understanding what exact Security Parameters that Section 6.3.1 is normatively > specifying (and which of them are examples). My confusion is that Section 6.2 > has a crisp list of parameters with an explicit names, type, and default value. > The equivalent is not present for the security related parameters. > > Section 6.3 says “except as noted below, as with the rest of the Transport > Services API, exact names of parameters and/or values of enumerations (e.g., > ciphersuites) used in the security parameters are system and implementation > specific, and ought to be chosen to follow the principle of least surprise for > users of the platform / language environment in question.” How does one read > “except when noted below”? Is this section saying the normative parameters are > server-certificate, client-certificate, pinned-server-certificate, alpn, > supported-group, ciphersuite, signature-algorithm, max-cached-sessions, > cached-session-lifetime-seconds, pre-shared-key OR that “an API should define > certificate bundles, certificate chains for pinned certificates, ALPN, session > cache management parameters, supported groups/ciphersuite/ parameters, and PSK > parameters but no further details are provided here beyond naming these > categories of parameters”? > > I observe that the guidance in Section 4.1 suggests that parameter names are in > CamelCase. That isn’t used here (e.g., “server-certificate” should be > “ServerCertificate”). This might hint that there are not parameters here. > However, the bulleted list in Section 6.3.1. is prefaced with “Security > configuration parameters and sample usage follow:” seems to suggest that these > are concrete parameters. > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Thank you to Sean Turner for the SECDIR review. > > >
- [Taps] Roman Danyliw's Discuss on draft-ietf-taps… Roman Danyliw via Datatracker
- Re: [Taps] Roman Danyliw's Discuss on draft-ietf-… Tommy Pauly