IESG Comments on draft-ietf-trade-voucher-vtsapi-05.txt and proposed resolutions

Masayuki Terada <te@mml.yrp.nttdocomo.co.jp> Thu, 19 February 2004 13:35 UTC

Return-Path: <ietf-trade-errors@lists.elistx.com>
Received: from FILTER-ELIST-DAEMON.eListX.com by eListX.com (PMDF V6.0-025 #44856) id <0HTC0080232HQ9@eListX.com> (original mail from ietf-trade+moderator@lists.elistx.com); Thu, 19 Feb 2004 08:35:06 -0500 (EST)
Received: from DIRECTORY-DAEMON.eListX.com by eListX.com (PMDF V6.0-025 #44856) id <0HTC00L011HKUP@eListX.com> for ietf-trade+moderator@lists.elistx.com (ORCPT ietf-trade@lists.elistx.com); Thu, 19 Feb 2004 08:00:56 -0500 (EST)
Received: from FILTER-ELIST-DAEMON.eListX.com by eListX.com (PMDF V6.0-025 #44856) id <0HTC00L021HKUM@eListX.com> for ietf-trade+moderator@lists.elistx.com (ORCPT ietf-trade@lists.elistx.com) ; Thu, 19 Feb 2004 08:00:56 -0500 (EST)
Received: from DIRECTORY-DAEMON.eListX.com by eListX.com (PMDF V6.0-025 #44856) id <0HTC00L011HIUK@eListX.com> for ietf-trade@lists.elistx.com; Thu, 19 Feb 2004 08:00:55 -0500 (EST)
Received: from mail0.yrp.nttdocomo.co.jp (mail0.yrp.nttdocomo.co.jp [202.245.184.18]) by eListX.com (PMDF V6.0-025 #44856) with ESMTP id <0HTC00L6C1HG7P@eListX.com> for ietf-trade@lists.elistx.com; Thu, 19 Feb 2004 08:00:54 -0500 (EST)
Received: from mml.yrp.nttdocomo.co.jp (mml.yrp.nttdocomo.co.jp [172.21.48.50]) by mail0.yrp.nttdocomo.co.jp (8.12.10/YRPHUB0-8820020412) with ESMTP id i1JCxM83029856; Thu, 19 Feb 2004 21:59:22 +0900 (JST)
Received: from regina.yrp.nttdocomo.co.jp (regina.yrp.nttdocomo.co.jp [172.21.49.45]) by mml.yrp.nttdocomo.co.jp (8.12.6/8.12.6) with ESMTP id i1JCxI2a081911; Thu, 19 Feb 2004 21:59:22 +0900 (JST)
Received: from localhost (regina [127.0.0.1]) by regina.yrp.nttdocomo.co.jp (Postfix) with ESMTP id 60EF923; Thu, 19 Feb 2004 22:04:33 +0900 (JST)
Date: Thu, 19 Feb 2004 22:04:33 +0900 (JST)
From: Masayuki Terada <te@mml.yrp.nttdocomo.co.jp>
Subject: IESG Comments on draft-ietf-trade-voucher-vtsapi-05.txt and proposed resolutions
In-reply-to: <20040219.155844.130235704.te@mml.yrp.nttdocomo.co.jp>
To: ietf-trade@lists.elistx.com
Cc: ned.freed@mrochek.com, fujimura@isl.ntt.co.jp
Message-id: <20040219.220433.39158386.te@mml.yrp.nttdocomo.co.jp>
MIME-version: 1.0
X-Mailer: Mew version 4.0.63 on Emacs 21.3.1 / Mule 5.0 (SAKAKI)
Content-type: Text/Plain; charset=us-ascii
Content-transfer-encoding: 7bit
References: <40309F79.2010808@isl.ntt.co.jp> <20040218.174702.48512496.te@mml.yrp.nttdocomo.co.jp> <20040219.155844.130235704.te@mml.yrp.nttdocomo.co.jp>
List-Owner: <mailto:ietf-trade-help@lists.elistx.com>
List-Post: <mailto:ietf-trade@lists.elistx.com>
List-Subscribe: <http://lists.elistx.com/subscribe>, <mailto:ietf-trade-request@lists.elistx.com?body=subscribe>
List-Unsubscribe: <http://lists.elistx.com/unsubscribe>, <mailto:ietf-trade-request@lists.elistx.com?body=unsubscribe>
List-Archive: <http://lists.elistx.com/archives/ietf-trade/>
List-Help: <http://lists.elistx.com/elists/admin.shtml>, <mailto:ietf-trade-request@lists.elistx.com?body=help>
List-Id: <ietf-trade.lists.elistx.com>

Hello trade WG list,

We received the following comments on the draft from IESG:

> The security API is inadequate.  It doesn't support things like
> challenge/response, it doesn't support cryptography, it makes no
> provision for the client to authenticate the server (we've already
> seen fake server attacks in the wild; this threat isn't
> hypothetical), it doesn't seem to have a way to convey a user name,
> it doesn't have the right primitives to support TLS, etc.
> 
> The document uses the domain foo.bar in examples rather than the
> domains reserved for such purposes: example.com and example.org.

Of course, security is very important for trading vouchers, and it
must be provided by a VTS (plug-in).  VTS-API is intended to provide
well-abstracted and unified semantic primitives for user (and wallet)
to interact with such a VTS.

And also, I believe that VTS-API provides enough primitives for VTS to
support security, like challenge/response needed in distributed VTS.
We have implemented and demonstrated a voucher wallet (and
issuing/collecting) system with a smartcard-based VTS implementation
at the 54th IETF Yokohama.

The previous draft (-05), however, could have too simple explanation
about securing VTS implementation.  To address the concerns from IESG,
we revised the draft based upon the following considerations:

1) About supporting challenge/response

VTSAgent#prepare() may be used to get a challenge from the receiver of
a voucher (see 5.4.3).  After invoking prepare(), the sender's VTS
plug-in may create the corresponding response and send it to the
receiver by VTSAgent#transfer() (or issue/consume/present), which
(logically) rewrites the ownership of the voucher in the VVS.

The description in the previous draft (-05), however, could be too
simplified and misleading as if the rewriting were always performed
physically upon the central database (in a centralized VTS
implementation).  In the revised draft (-06), we described more
explicitly that the rewrite is logical and it may be performed by
sending the response (corresponding to a challenge) in a distributed
VTS implementation.

2) About supporting cryptography

VTS should support cryptography, but cryptography algorithms/protocols
used in a VTS (e.g. in challenge/response) should be determined by the
provider of the VTS, not a user (of the wallet).  Cryptography should
be encapsulated in a VTS and doesn't appear in the API.

For similar reason to 1), we described explicitly that cryptography
should be used to secure the challenge/response or the authentication
of the user in VTSAgent#login().

3) About provision for the client to authenticate the server

I supposed that this comment discusses client/server authentications
of the centralized VTS implementation in 5.4.1 VTSAgent#login(), since
"server" only appears there in the previous (-05) draft.

In a centralized VTS implementation, a client (i.e. the VTS plug-in)
can be assumed to know the server's address and the authentification
information (e.g. the public key certificate of the server) in a
preference file or a smartcard.  a VTS may use them to prevent fake
server attacks.

However, I agree that it would be better for VTS providers to warn the
fake server attacks in the draft.  Some implementation notes are added
in 5.4.1 VTSAgent#login().

4) About having a way to convey a user name

I'm not sure what this comment would point out, but we add some
comment lines about usernames to the example code.

5) About having the right primitives to support TLS

VTS-API doesn't provide specific primitives to support TLS by same
reason as 3).

However, TLS would be useful and should be recommended to secure
communication channels such as those connect between clients and the
server in a centralized VTS implementation.  TLS is recommended as a
means to secure communication channels in the revised draft.

6) About domain names in the example.

It's my mistake; fixed as the comment.

-----

I believe that the changes made in the revised draft would address all
of the comments from IESG, however, I'd appreciate additional comments
or suggestions if any.


Best regards,

    Masayuki Terada <te@mml.yrp.nttdocomo.co.jp>
    Security Systems Lab., NTT DoCoMo Multimedia Labs.