Re: [Taps] Secdir early review of draft-ietf-taps-arch-12

Tommy Pauly <tpauly@apple.com> Fri, 03 June 2022 16:18 UTC

From: Tommy Pauly <tpauly@apple.com>
Message-id: <D320DD41-F8FC-4DB7-B361-E7C8481FF9F9@apple.com>
Date: Fri, 03 Jun 2022 09:18:10 -0700
In-reply-to: <165397523063.4704.11303393156719203618@ietfa.amsl.com>
Cc: secdir@ietf.org, draft-ietf-taps-arch.all@ietf.org, taps@ietf.org
To: Watson Ladd <watsonbladd@gmail.com>
References: <165397523063.4704.11303393156719203618@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/taps/mobUcAQmlxHZ7Ao9jL79z1cpJdo>
Subject: Re: [Taps] Secdir early review of draft-ietf-taps-arch-12

Hi Watson,

Thanks for the review!

I’ve captured your review in an issue:
https://github.com/ietf-tapswg/api-drafts/issues/1041

And proposed some changes in this PR:
https://github.com/ietf-tapswg/api-drafts/pull/1042

Responses inline:

> On May 30, 2022, at 10:33 PM, Watson Ladd via Datatracker <noreply@ietf.org> wrote:
> 
> Reviewer: Watson Ladd
> Review result: Has Nits
> 
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
> 
> In summary I think this document has nits.
> 
> One minor nit in particular concerns the example of TLS fallback. It's not the
> case that one needs to carry out a fallback to TLS 1.2 if TLS 1.3 is available,
> and indeed that shouldn't be done. Ordinary TLS version negotiation should work
> just fine.

Yeah, this text was confusing. I’ve updated it to be more clear that really this is about the system respecting the minimum version requirements an application might have. Essentially, this is about APIs like this: https://developer.apple.com/documentation/security/3180218-sec_protocol_options_set_min_tls

> 
> A deeper nit concerns the way security is supposed to work in this system. It's
> true that e.g. both TLS and IKEv2 can use X509 certificates. It is not the case
> they use them the same way as they aren't authenticating the same thing. It is
> very much not the case that X509 validation involving trust verification
> callbacks by the application works correctly, even conceptually or in most
> libraries, and the WebPKI will have very different additional requirements than
> other PKIs. It gets even more complicated when we consider how origin authority
> actually works in the web.

There’s no intention of trying to use certificates across TLS and IKE! That certainly doesn’t make sense. I don’t think the text implied that anywhere, but I’ve tried to make that more explicit in the PR.

> 
> I'm confused by the warnings on cross-protocol use of key material. For a PSK
> one really does want to link it to the protocol, but the same isn't true for
> X509 certificates across TLS and QUIC: you're supposed to use the same ones.
> I'm not sure how effective handing this all over to the application will be,
> or how the API will effectively make clear what connection the material will be
> used with in a racing environment.

Overall, I think the requirement is that the security options need to be very explicit in what protocol you’re setting specific material for — and certainly, setting a common cert between QUIC and TLS/TCP is a standard feature.

Best,
Tommy
> 
> Sincerely,
> Watson Ladd
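The two points argued above, that a minimum-version parameter is a floor the stack enforces through ordinary TLS version negotiation rather than a fallback sequence, and that one X.509 identity is legitimately shared across TLS/TCP and QUIC while the configuration stays explicit about which transport it applies to, can be exercised with Go's crypto/tls. The program below is an added example written for this archive entry; it is not code from the TAPS drafts, the referenced PR, or the Apple API Tommy links. The certificate, the name "example.invalid", the ALPN labels, and the in-memory pipe are constructed for the example. It does not model PSKs (Go's crypto/tls has no external-PSK hook), so the PSK-binding point is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newSelfSignedCert builds a throwaway ECDSA P-256 certificate for the
// constructed name "example.invalid" so the example runs offline. The name and
// the certificate are assumptions of this example, not anything TAPS defines.
func newSelfSignedCert() (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example.invalid"},
		DNSNames:              []string{"example.invalid"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, roots
}

// serverConfig derives a per-transport server config from ONE certificate.
// Reusing the same certificate for TLS-over-TCP ("h2") and QUIC ("h3") is the
// normal case; what is explicit per transport is the ALPN and the version range.
func serverConfig(cert tls.Certificate, alpn string, maxVersion uint16) *tls.Config {
	return &tls.Config{
		Certificates:           []tls.Certificate{cert},
		NextProtos:             []string{alpn},
		MaxVersion:             maxVersion,
		SessionTicketsDisabled: true, // no ticket flight, so the in-memory pipe cannot stall
	}
}

// clientConfig carries the application's floor. MinVersion is the analogue of a
// "minimum TLS version" security parameter: a constraint the stack must respect,
// not an instruction to try versions in turn.
func clientConfig(roots *x509.CertPool, alpn string, minVersion uint16) *tls.Config {
	return &tls.Config{
		RootCAs:    roots,
		ServerName: "example.invalid",
		NextProtos: []string{alpn},
		MinVersion: minVersion,
	}
}

// negotiate runs one handshake over an in-memory pipe and returns the version
// ordinary TLS negotiation settled on, or the client's error when the peer
// cannot meet the floor (the connection fails; nothing "falls back").
func negotiate(cc, sc *tls.Config) (uint16, error) {
	cConn, sConn := net.Pipe()
	defer cConn.Close()
	defer sConn.Close()
	serverDone := make(chan error, 1)
	go func() { serverDone <- tls.Server(sConn, sc).Handshake() }()
	client := tls.Client(cConn, cc)
	err := client.Handshake()
	<-serverDone
	if err != nil {
		return 0, err
	}
	return client.ConnectionState().Version, nil
}

func main() {
	cert, roots := newSelfSignedCert()
	tcp13 := serverConfig(cert, "h2", tls.VersionTLS13)
	tcp12 := serverConfig(cert, "h2", tls.VersionTLS12) // a peer that stops at TLS 1.2
	quic := serverConfig(cert, "h3", tls.VersionTLS13)  // same identity, handed to a QUIC stack
	fmt.Println("one leaf for tcp and quic:", quic.Certificates[0].Leaf.Subject.CommonName)
	for _, c := range []struct {
		name string
		min  uint16
		srv  *tls.Config
	}{
		{"floor 1.2, peer offers 1.3", tls.VersionTLS12, tcp13},
		{"floor 1.2, peer stops at 1.2", tls.VersionTLS12, tcp12},
		{"floor 1.3, peer stops at 1.2", tls.VersionTLS13, tcp12},
	} {
		v, err := negotiate(clientConfig(roots, "h2", c.min), c.srv)
		if err != nil {
			fmt.Printf("%s -> error: %v\n", c.name, err)
			continue
		}
		fmt.Printf("%s -> negotiated 0x%04x\n", c.name, v)
	}
}
```

The third case is the one the review is about: a client whose floor is TLS 1.3 talking to a peer limited to TLS 1.2 gets a handshake failure, not a silent downgrade, and no application-level retry at a lower version is involved. The first case shows why no fallback is needed in the other direction: with a 1.2 floor, the stack still lands on 1.3 whenever the peer supports it.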