IETF Logo Mail Archive

Re: [Taps] I-D Action: draft-ietf-taps-transport-security-03.txt

Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com> Thu, 01 November 2018 21:35 UTC

Return-Path: <spencerdawkins.ietf@gmail.com>
X-Original-To: taps@ietfa.amsl.com
Delivered-To: taps@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 210CA127B92; Thu, 1 Nov 2018 14:35:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rA1xGyRnyMu9; Thu, 1 Nov 2018 14:35:06 -0700 (PDT)
Received: from mail-lj1-x234.google.com (mail-lj1-x234.google.com [IPv6:2a00:1450:4864:20::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9977612D4E8; Thu, 1 Nov 2018 14:35:05 -0700 (PDT)
Received: by mail-lj1-x234.google.com with SMTP id k19-v6so10890018lji.11; Thu, 01 Nov 2018 14:35:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=FzxYsxt+tolJO6QxYM3NLMxYest/lNf8OOQZLBo+0Y8=; b=fsfBnixt3vOgo08SoFtmKFnZ490z2nezJqNsebS6YjghZ51768o20VBPDIJ4KdTUFS A0BEktKYc0Gy0A75AMJivVRC7rISDfIRke6yzs5It1wFHnpbfEdvMrpwnkz9FemvyKat NyWo+ZILYH/Dmbnxoby/wF3B2uaNpRt4QDidIZBkneUYbu8hT/OvoYv1X7T24JH8vPPj ZlRVrvBPASbzhcSlNU+C2HCrk6bBfkIv0SiX3pvPLf3vwldoa59P5qEGQqJSsNzZAy1w oFC8yOMSizqc8xh00zCDYbSjY47YkIchZTnoFkr7s8j3El4Axec8fS7jz0OOfmP7btb7 rg5A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=FzxYsxt+tolJO6QxYM3NLMxYest/lNf8OOQZLBo+0Y8=; b=AcyNtfIiWyu4XCzWaNJ7BoIzIxcnLEbDnMM4iCetGw9aS2ydS6IK219y37SmR4Rc9E FJsOxNZ9XGFrVgidnypqZ1iseexULWJvfdx+GWgCe+DrpomMlGbkOGcS8Gla96Fl7X1l 8BtxQtCFAxj5s3qabOMwWPF884weCaV0mW9HCz3QXIM0O/6uICpcKY+2ulLvpZeDYfRK 1ECQWqH5etdpvYk8wnmfNg/g7X8MI/0tgJFAjFrmPjHpE99iNjUjcXXJenFvcHNQP8V4 fbrMkJQBRdYqk8VQd4w0o2fXYdOnfcyiQjYNWWurhigp0lBnSSd8Qt2MoXItg35wL844 cArA==
X-Gm-Message-State: AGRZ1gI642vCqe18lBAzvCOxSqgH2DvsnqBUSZ3uFLOexxndasN33PFS TF+WzC4fAsQWtIDzLw++ql8cGLNGtyS6j4rcvY8=
X-Google-Smtp-Source: AJdET5d78RXMb6Tc3bFKlzEHxKNkpIuas1EoeNJjze+dDD3D0hQL5QCX4ceTDZCvsHlc4nsWmgV8PTxGuTn9jJRP8Bk=
X-Received: by 2002:a2e:320c:: with SMTP id y12-v6mr5902545ljy.163.1541108103630; Thu, 01 Nov 2018 14:35:03 -0700 (PDT)
MIME-Version: 1.0
References: <154022748014.6890.5464777930050299508@ietfa.amsl.com> <6fb7824e-b24e-1b88-f8eb-3e8005906e1b@inet.tu-berlin.de> <A6F37FDD-77F6-497B-B35F-652CF0A29C48@akamai.com> <CAO8oSXnQ4caha7R6buzb3J67WEzjKd7qiBKY+9qCwNymdoeoRw@mail.gmail.com>
In-Reply-To: <CAO8oSXnQ4caha7R6buzb3J67WEzjKd7qiBKY+9qCwNymdoeoRw@mail.gmail.com>
From: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>
Date: Thu, 01 Nov 2018 16:34:53 -0500
Message-ID: <CAKKJt-dL2x4U43YcFn1PALR5txNwQRE4mhyZqE0__UDs6TdgxQ@mail.gmail.com>
To: Christopher Wood <christopherwood07@gmail.com>
Cc: "Falk, Aaron" <aafalk@akamai.com>, taps WG <taps@ietf.org>, Theresa Enghardt <theresa@inet.tu-berlin.de>, draft-ietf-taps-transport-security@ietf.org
Content-Type: multipart/alternative; boundary="00000000000013d5a00579a1310a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/taps/ll60J8Qj0fNZYvbdkaPJZQF0-5Y>
Subject: Re: [Taps] I-D Action: draft-ietf-taps-transport-security-03.txt
X-BeenThere: taps@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IETF Transport Services \(TAPS\) Working Group" <taps.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/taps>, <mailto:taps-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/taps/>
List-Post: <mailto:taps@ietf.org>
List-Help: <mailto:taps-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/taps>, <mailto:taps-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Nov 2018 21:35:08 -0000

Hi, Christopher,

On Sat, Oct 27, 2018 at 12:08 AM Christopher Wood <
christopherwood07@gmail.com> wrote:

> Hi Aaron,
>
> On Fri, Oct 26, 2018 at 10:46 AM Aaron Falk <aafalk@akamai.com> wrote:
>
>> Dear Authors,
>>
>> We agreed at the last IETF that the authors would send a note when this
>> draft was ready for SecDir review. Is it ready? Do you want to talk about
>> Theresa's comments in Bangkok first?
>>
>
> It is not yet ready. We will send it to SecDir when that changes. I don’t
> think Theresa’s comments are blockers here. (I’ll spin a new version with
> her comments for submission when the tracker reopen.)
>

Given that TAPS meets fairly late on Wednesday, if you think there will be
discussion that a SECDIR reviewer might benefit from, it is likely possible
to let the secdir secretaries at
https://datatracker.ietf.org/group/secdir/about/ know that a request for
early review will be coming, so that a reviewer could be identified early
enough to be present.

If that won't be a helpful discussion for a reviewer to listen to, of
course, no need. Do the right thing :-)

Spencer


> Best,
> Chris
>
>
>> --aaron
>>
>> On 26 Oct 2018, at 5:15, Theresa Enghardt wrote:
>>
>> Dear TAPS,
>>
>> having shepherded the minset draft, and, in the process, having seen a
>> lot of discussion around security, where we mostly pointed to the
>> security survey draft, I gave this draft another read in the current
>> version, with a focus on Section 5.
>>
>> Thanks for the update, this document was a good read.
>>
>> However, I have some comments, which I'm sharing now rather than later,
>> just in case there's anything which is better discussed in-person in
>> Bangkok.
>>
>>
>> Right now, the abstract states that this document is a survey of
>> security protocols. I suggest to add text saying that the document also
>> provides a minimal set of security features. Essentially, this document
>> and minset together cover the "minimum requirements of a secure
>> transport system".
>>
>>
>> In Section 5, the document groups security features into mandatory and
>> optional features, and states their transport dependency and application
>> dependency. Application dependency, for me, relates to whether a feature
>> is "functional", "optimizing", or "automatable" (in minset terminology).
>> For example, if there is no application dependency, the feature is
>> "automatable" and does not have to be exposed to the application. In
>> contrast, a "function" feature needs to be exposed to the application.
>>
>> In Section 5.1, I am missing transport dependency and application
>> dependency for the mandatory transport features. For example, I would be
>> interested to know what is the minimum that the transport system needs
>> to expose to the application for public-key based authentication?
>>
>> In Section 5.1, what is "unilateral responder authentication", which I
>> haven't found in other places in the document under this name?
>>
>> In Section 5.2, "Session caching and management" has no application
>> dependency. However, later in Section 6.1, we do expose Session Cache
>> Management to the application. My interpretation is that this is just an
>> "optimizing" feature, which is why there is no application dependency,
>> but it is still useful to expose. It might help to make this explicit in
>> the text.
>>
>> In Section 5, do we want to mention any security features related to
>> integrity protection?
>>
>>
>> As far as I can see, none of the protocols we survey provide any
>> features explicitly providing privacy. Maybe this is worth highlighting
>> in the Security considerations section, beyond saying that no claims of
>> privacy properties are made.
>>
>>
>> Finally, I would be in favor of asking for a Secdir early review to make
>> sure we're not missing anything in the survey.
>>
>>
>> Thank you again for this draft. I really appreciate that we're
>> discussing transport security features in this way.
>>
>>
>> Best,
>> Theresa
>>
>> _______________________________________________
>> Taps mailing list
>> Taps@ietf.org
>> https://www.ietf.org/mailman/listinfo/taps
>>
> _______________________________________________
> Taps mailing list
> Taps@ietf.org
> https://www.ietf.org/mailman/listinfo/taps
>

v2.23.0 | Report a Bug | By Email