IESG Comments on draft-ietf-trade-voucher-vtsapi-05.txt and proposed resolutions
Masayuki Terada <te@mml.yrp.nttdocomo.co.jp> Thu, 19 February 2004 13:35 UTC
Return-Path: <ietf-trade-errors@lists.elistx.com>
Received: from FILTER-ELIST-DAEMON.eListX.com by eListX.com (PMDF V6.0-025 #44856) id <0HTC0080232HQ9@eListX.com> (original mail from ietf-trade+moderator@lists.elistx.com); Thu, 19 Feb 2004 08:35:06 -0500 (EST)
Received: from DIRECTORY-DAEMON.eListX.com by eListX.com (PMDF V6.0-025 #44856) id <0HTC00L011HKUP@eListX.com> for ietf-trade+moderator@lists.elistx.com (ORCPT ietf-trade@lists.elistx.com); Thu, 19 Feb 2004 08:00:56 -0500 (EST)
Received: from FILTER-ELIST-DAEMON.eListX.com by eListX.com (PMDF V6.0-025 #44856) id <0HTC00L021HKUM@eListX.com> for ietf-trade+moderator@lists.elistx.com (ORCPT ietf-trade@lists.elistx.com) ; Thu, 19 Feb 2004 08:00:56 -0500 (EST)
Received: from DIRECTORY-DAEMON.eListX.com by eListX.com (PMDF V6.0-025 #44856) id <0HTC00L011HIUK@eListX.com> for ietf-trade@lists.elistx.com; Thu, 19 Feb 2004 08:00:55 -0500 (EST)
Received: from mail0.yrp.nttdocomo.co.jp (mail0.yrp.nttdocomo.co.jp [202.245.184.18]) by eListX.com (PMDF V6.0-025 #44856) with ESMTP id <0HTC00L6C1HG7P@eListX.com> for ietf-trade@lists.elistx.com; Thu, 19 Feb 2004 08:00:54 -0500 (EST)
Received: from mml.yrp.nttdocomo.co.jp (mml.yrp.nttdocomo.co.jp [172.21.48.50]) by mail0.yrp.nttdocomo.co.jp (8.12.10/YRPHUB0-8820020412) with ESMTP id i1JCxM83029856; Thu, 19 Feb 2004 21:59:22 +0900 (JST)
Received: from regina.yrp.nttdocomo.co.jp (regina.yrp.nttdocomo.co.jp [172.21.49.45]) by mml.yrp.nttdocomo.co.jp (8.12.6/8.12.6) with ESMTP id i1JCxI2a081911; Thu, 19 Feb 2004 21:59:22 +0900 (JST)
Received: from localhost (regina [127.0.0.1]) by regina.yrp.nttdocomo.co.jp (Postfix) with ESMTP id 60EF923; Thu, 19 Feb 2004 22:04:33 +0900 (JST)
Date: Thu, 19 Feb 2004 22:04:33 +0900
From: Masayuki Terada <te@mml.yrp.nttdocomo.co.jp>
Subject: IESG Comments on draft-ietf-trade-voucher-vtsapi-05.txt and proposed resolutions
In-reply-to: <20040219.155844.130235704.te@mml.yrp.nttdocomo.co.jp>
To: ietf-trade@lists.elistx.com
Cc: ned.freed@mrochek.com, fujimura@isl.ntt.co.jp
Message-id: <20040219.220433.39158386.te@mml.yrp.nttdocomo.co.jp>
MIME-version: 1.0
X-Mailer: Mew version 4.0.63 on Emacs 21.3.1 / Mule 5.0 (SAKAKI)
Content-type: Text/Plain; charset="us-ascii"
Content-transfer-encoding: 7bit
References: <40309F79.2010808@isl.ntt.co.jp> <20040218.174702.48512496.te@mml.yrp.nttdocomo.co.jp> <20040219.155844.130235704.te@mml.yrp.nttdocomo.co.jp>
List-Owner: <mailto:ietf-trade-help@lists.elistx.com>
List-Post: <mailto:ietf-trade@lists.elistx.com>
List-Subscribe: <http://lists.elistx.com/subscribe>, <mailto:ietf-trade-request@lists.elistx.com?body=subscribe>
List-Unsubscribe: <http://lists.elistx.com/unsubscribe>, <mailto:ietf-trade-request@lists.elistx.com?body=unsubscribe>
List-Archive: <http://lists.elistx.com/archives/ietf-trade/>
List-Help: <http://lists.elistx.com/elists/admin.shtml>, <mailto:ietf-trade-request@lists.elistx.com?body=help>
List-Id: <ietf-trade.lists.elistx.com>
Hello trade WG list, We received the following comments on the draft from IESG: > The security API is inadequate. It doesn't support things like > challenge/response, it doesn't support cryptography, it makes no > provision for the client to authenticate the server (we've already > seen fake server attacks in the wild; this threat isn't > hypothetical), it doesn't seem to have a way to convey a user name, > it doesn't have the right primitives to support TLS, etc. > > The document uses the domain foo.bar in examples rather than the > domains reserved for such purposes: example.com and example.org. Of course, security is very important for trading vouchers, and it must be provided by a VTS (plug-in). VTS-API is intended to provide well-abstracted and unified semantic primitives for user (and wallet) to interact with such a VTS. And also, I believe that VTS-API provides enough primitives for VTS to support security, like challenge/response needed in distributed VTS. We have implemented and demonstrated a voucher wallet (and issuing/collecting) system with a smartcard-based VTS implementation at the 54th IETF Yokohama. The previous draft (-05), however, could have too simple explanation about securing VTS implementation. To address the concerns from IESG, we revised the draft based upon the following considerations: 1) About supporting challenge/response VTSAgent#prepare() may be used to get a challenge from the receiver of a voucher (see 5.4.3). After invoking prepare(), the sender's VTS plug-in may create the corresponding response and send it to the receiver by VTSAgent#transfer() (or issue/consume/present), which (logically) rewrites the ownership of the voucher in the VVS. The description in the previous draft (-05), however, could be too simplified and misleading as if the rewriting were always performed physically upon the central database (in a centralized VTS implementation). In the revised draft (-06), we described more explicitly that the rewrite is logical and it may be performed by sending the response (corresponding to a challenge) in a distributed VTS implementation. 2) About supporting cryptography VTS should support cryptography, but cryptography algorithms/protocols used in a VTS (e.g. in challenge/response) should be determined by the provider of the VTS, not a user (of the wallet). Cryptography should be encapsulated in a VTS and doesn't appear in the API. For similar reason to 1), we described explicitly that cryptography should be used to secure the challenge/response or the authentication of the user in VTSAgent#login(). 3) About provision for the client to authenticate the server I supposed that this comment discusses client/server authentications of the centralized VTS implementation in 5.4.1 VTSAgent#login(), since "server" only appears there in the previous (-05) draft. In a centralized VTS implementation, a client (i.e. the VTS plug-in) can be assumed to know the server's address and the authentification information (e.g. the public key certificate of the server) in a preference file or a smartcard. a VTS may use them to prevent fake server attacks. However, I agree that it would be better for VTS providers to warn the fake server attacks in the draft. Some implementation notes are added in 5.4.1 VTSAgent#login(). 4) About having a way to convey a user name I'm not sure what this comment would point out, but we add some comment lines about usernames to the example code. 5) About having the right primitives to support TLS VTS-API doesn't provide specific primitives to support TLS by same reason as 3). However, TLS would be useful and should be recommended to secure communication channels such as those connect between clients and the server in a centralized VTS implementation. TLS is recommended as a means to secure communication channels in the revised draft. 6) About domain names in the example. It's my mistake; fixed as the comment. ----- I believe that the changes made in the revised draft would address all of the comments from IESG, however, I'd appreciate additional comments or suggestions if any. Best regards, Masayuki Terada <te@mml.yrp.nttdocomo.co.jp> Security Systems Lab., NTT DoCoMo Multimedia Labs.
- IESG Comments on draft-ietf-trade-voucher-vtsapi-… Masayuki Terada
- IESG Comments on draft-ietf-trade-voucher-lang-05… Ko Fujimura