Re: [Drip] Opsdir early partial review of draft-ietf-drip-registries-09
Adam Wiethuechter <adam.wiethuechter@axenterprize.com> Tue, 13 June 2023 21:57 UTC
From: Adam Wiethuechter <adam.wiethuechter@axenterprize.com>
To: "ops-dir@ietf.org" <ops-dir@ietf.org>, Joel Jaeggli <joelja@bogus.com>
CC: "draft-ietf-drip-registries.all@ietf.org" <draft-ietf-drip-registries.all@ietf.org>, "tm-rid@ietf.org" <tm-rid@ietf.org>
Date: Tue, 13 Jun 2023 21:57:22 +0000
Message-ID: <SN6PR13MB2446287772715B948633027F8855A@SN6PR13MB2446.namprd13.prod.outlook.com>
References: <168660435392.62256.4321206643072484865@ietfa.amsl.com>
In-Reply-To: <168660435392.62256.4321206643072484865@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tm-rid/SuF9DojIItSUrtj9G_pW7MCUpjY>
Subject: Re: [Drip] Opsdir early partial review of draft-ietf-drip-registries-09
List-Id: Drone Remote Identification Protocol <tm-rid.ietf.org>
Hi Joel,

Thank you very much for the early review. A -10 has just been released that may help with some of your issues and was in the works before your review came in. It was noted by the authors that Section 6.1 was rather dense and hard to understand, so we are glad you agreed with our observation. Please feel free to look over that section again to see if the clarity has improved.

Your review should come up in the interim tomorrow for DRIP, so hopefully the WG and authors can start working on your issues and be done soon.

--------
73,
Adam T. Wiethuechter
Software Engineer; AX Enterprize, LLC

________________________________
From: Joel Jaeggli via Datatracker <noreply@ietf.org>
Sent: Monday, June 12, 2023 5:12 PM
To: ops-dir@ietf.org <ops-dir@ietf.org>
Cc: draft-ietf-drip-registries.all@ietf.org <draft-ietf-drip-registries.all@ietf.org>; tm-rid@ietf.org <tm-rid@ietf.org>
Subject: Opsdir early partial review of draft-ietf-drip-registries-09

Review is partially done. Another assignment may be needed to complete it.

Reviewer: Joel Jaeggli
Review result: Has Issues

Greetings,

I have reviewed https://datatracker.ietf.org/doc/draft-ietf-drip-registries/ on behalf of the Operations and Management area. This is an early review, so take it with a grain of salt.

---

Section 5.3 is underspecified, at a minimum for the normative operation of a nameserver providing services (the authors note this).

    5.3. Name Server (NS)

    The interface of the Name Server to any component (nominally the Registry) in a DIME is out of scope as typically they are implementation specific.

    Author Note: This may be very important here as we should not preclude a USS from running his own Name Server, but they are not DNS experts and will need guidance, or at least pointers to it, to not mess it up. Such as SOA and NS formats to allow delegation if as RAA.

In particular, name resolution for UAS registries seems like the sort of application that should come with language about availability as a potentially life-critical system.

---

I struggle with the descriptions in section 6.1.

    6.1. Serial Number

    There are four ways a Serial Number is supported (by DRIP):

    1. As itself as a clear-text string with additional information
    2. As itself as a clear-text string mapped to a DET "post" generation by the manufacturer (for use in authentication) and additional information
    3. As itself as a clear-text string mapped to a DET "post" generation by the user (for use in authentication) and additional information
    4. As an encoding of an HI and associated DET by the manufacturer (for use in authentication) with additional information

These could be both tightened up and made more clear if written as something like the following. Tracking back and forth between the explanatory notes and the cases should end up being four sub-headings, e.g. 6.1.1/2/3/4, and not simply a list.

    6.1. Serial Number

    There are four ways a Serial Number is supported (by DRIP):

    1. A clear-text string with additional information

       The case where a UA is provisioned with a Serial Number by the manufacturer. The manufacturer runs an MAA and uses the mechanisms of this document to provide additional information.

    2. A clear-text string mapped to a DET "post" generation by the manufacturer (for use in authentication) and additional information

       A UAS is provisioned with a Serial Number and DET by the manufacturer enabling their devices to use [drip-auth] and provide additional information. A public mapping of the Serial Number to DET and all public artifacts MUST be provided by the manufacturer. This document RECOMMENDS the manufacturer use an MAA for this task.

    3. A clear-text string mapped to a DET "post" generation by the user (for use in authentication) and additional information

       Where a UAS has a Serial Number (from the manufacturer) and the user has a mechanism to generate and map a DET to the Serial Number after production. This can provide dynamic signing keys for DRIP Authentication Messages via [drip-auth] for UAS that MUST fly only using Serial Numbers. Registration SHOULD be allowed to any relevant DIME that supports it.

    4. As an encoding of an HI and associated DET by the manufacturer (for use in authentication) with additional information

       Where a UAS manufacturer chooses to use the Serial Number scheme defined in [RFC9374] to create Serial Numbers, their associated DETs for [drip-auth] and provide additional information. This document RECOMMENDED that the manufacturer "locks" the device from changing its authentication method so identifiers in both the Basic ID and Authentication Message do not de-sync. The manufacturer MUST use an MAA for this task, with the mapping between their Manufacturer Code and the upper portion of the DET publicly available.

---

Sections 6.3.1 and 6.3.2 should be labeled properly as session-ids.

---

Section 7 is observably incomplete.

    It is noted by the authors that as this system scales the problem becomes a, well known and tricky, key management problem. While recommendations for key management are useful they are not necessarily in scope for this document as best common practices around key management should already be mandated and enforced by the cognizant authorities in their existing systems. This document instead focuses on finding a balance for generic wide-spread interoperability between DIMEs with authorities and their existing systems in a Differentiated Access Process (DAP).

At a minimum the key management problem should be elucidated.

    DRIP has no intention to develop a new "art" of key management, instead hoping to leverage existing systems and be flexible enough to adapt as new ones become popular.

---

"ICAO administered domain apex" sounds like this is specifying a type of TLD; if it is not, then what is described should be more narrowly specified. If it does, this is IETF direction to ICANN.

    8. DRIP in the Domain Name System

    Per [drip-arch] all information classified as public is stored in the DNS to satisfy REG-1 from [RFC9153]. The apex for domain names MUST be under the administrative control of ICAO, the international treaty organization providing the critical coordination platform for civil aviation. ICAO SHOULD be responsible for the operation of the DNS-related infrastructure for these domain name apexes. It MAY choose to run that infrastructure directly or outsource it to competent third parties or some combination of the two. ICAO SHOULD specify the technical and administrative criteria for the provision of these services: contractual terms (if any), reporting, uptime, SLAs (if any), DNS query handling capacity, response times, incident handling, complaints, law enforcement interaction and so on.

---

DNS review should probably come from a DNS SME for additional considerations.
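The author note quoted under Section 5.3 asks for guidance on SOA and NS formats so that a USS running its own Name Server can be delegated to without mistakes. The fragment below is an added illustration, not text from the draft, the review, or the DRIP project: a parent zone delegating a sub-zone to a DIME-operated name server, followed by the matching child zone. Every name, address and timer is a hypothetical placeholder; "example." stands in for the ICAO-administered apex that Section 8 requires, and the addresses are RFC 5737 documentation ranges.

```dns
; Added illustration (hypothetical names; not from the draft or the review).
; "example." is a placeholder for the ICAO-administered apex of Section 8.

; ---------- parent zone: example. (operated at the apex) ----------
$ORIGIN example.
$TTL 3600
@           IN SOA  ns1.example. hostmaster.example. (
                    2023061301 ; serial: YYYYMMDDnn, increment on every change
                    7200       ; refresh: how often secondaries poll for changes
                    900        ; retry: poll interval after a failed refresh
                    1209600    ; expire: secondaries stop answering after 14 days
                    300 )      ; negative-caching TTL for NXDOMAIN answers
@           IN NS   ns1.example.
@           IN NS   ns2.example.
ns1         IN A    192.0.2.1        ; documentation address (RFC 5737)
ns2         IN A    198.51.100.1     ; documentation address (RFC 5737)

; Delegation of a DIME's sub-zone (placeholder label "dime1").
; The NS records for the child live here in the parent; ns1.dime1 is
; inside the delegated zone, so the parent must also carry its A record
; ("glue") or resolvers cannot find the child server at all.
dime1       IN NS   ns1.dime1.example.
dime1       IN NS   ns2.example.     ; apex operator acts as secondary
ns1.dime1   IN A    203.0.113.10     ; glue for the in-bailiwick server

; ---------- child zone: dime1.example. (served by the DIME's own NS) ----------
$ORIGIN dime1.example.
$TTL 3600
@           IN SOA  ns1.dime1.example. hostmaster.dime1.example. (
                    2023061301 7200 900 1209600 300 )
; The NS set at the child apex must match what the parent publishes.
@           IN NS   ns1.dime1.example.
@           IN NS   ns2.example.
ns1         IN A    203.0.113.10     ; authoritative copy of the glue address
```

Two points a non-DNS-expert operator most often gets wrong are visible here: the parent and child NS sets must agree, and any name server whose name falls inside the delegated zone needs glue in the parent. Having the apex operator (or another independent party) serve as secondary also gives the child zone the availability margin the review asks for, since resolution no longer depends on a single DIME host.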