IETF Logo Mail Archive

Re: [Trans] Adam Roach's Discuss on draft-ietf-trans-rfc6962-bis-31: (with DISCUSS and COMMENT)

Rob Stradling <rob@sectigo.com> Wed, 26 June 2019 10:05 UTC

Return-Path: <rob@sectigo.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF203120278; Wed, 26 Jun 2019 03:05:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=comodoca.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sXhLAm0_mekq; Wed, 26 Jun 2019 03:05:46 -0700 (PDT)
Received: from NAM03-DM3-obe.outbound.protection.outlook.com (mail-eopbgr800059.outbound.protection.outlook.com [40.107.80.59]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ECE451201F8; Wed, 26 Jun 2019 03:05:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comodoca.onmicrosoft.com; s=selector1-comodoca-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=pJOQklaa/TKczVFOqZCHJK5usMUMpAh8ksM4PQjNHEE=; b=lXGEy0TQgHEbxp5KRc71Smw3uTY8PmkJX8zUbSjn96Vh5dEQSsJvZs6Da2HstWWqDy6ULqAbzQwl5Vn4XtgJ84YkDwguA1xPtACFqailR77huw7DZGD1RX8yxxjYtd+ok301PSuJu0YT3awGn6QxaJbjwBiBZLiV+lVMkSnx5R4=
Received: from DM5PR17MB1211.namprd17.prod.outlook.com (10.173.132.148) by DM5PR17MB1434.namprd17.prod.outlook.com (10.175.223.135) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2008.16; Wed, 26 Jun 2019 10:05:44 +0000
Received: from DM5PR17MB1211.namprd17.prod.outlook.com ([fe80::b556:345c:94cf:7258]) by DM5PR17MB1211.namprd17.prod.outlook.com ([fe80::b556:345c:94cf:7258%6]) with mapi id 15.20.2008.018; Wed, 26 Jun 2019 10:05:44 +0000
From: Rob Stradling <rob@sectigo.com>
To: Adam Roach <adam@nostrum.com>
CC: Eric Rescorla <ekr@rtfm.com>, Trans <trans@ietf.org>, Alexey Melnikov <aamelnikov@fastmail.fm>, "draft-ietf-trans-rfc6962-bis@ietf.org" <draft-ietf-trans-rfc6962-bis@ietf.org>, "trans-chairs@ietf.org" <trans-chairs@ietf.org>, The IESG <iesg@ietf.org>, Paul Wouters <paul@nohats.ca>
Thread-Topic: Adam Roach's Discuss on draft-ietf-trans-rfc6962-bis-31: (with DISCUSS and COMMENT)
Thread-Index: AQHU2Wch53aa+rMxm0GatE3OyKQHD6YJjl4AgABCe4CAADnJAICXuSIAgAt+JACAARiwgA==
Date: Wed, 26 Jun 2019 10:05:43 +0000
Message-ID: <4b56efb6-5d26-59d2-c6d0-7fe76c77675e@sectigo.com>
References: <155245900142.5466.15600148045977298644.idtracker@ietfa.amsl.com> <CABcZeBNMt8y7EoFr3PXR84zPgvssp5=B2x7-7sQOb4wM_94RGg@mail.gmail.com> <bd8c65b5-b760-e393-2936-8dfbf6ded1b6@nostrum.com> <cb8b1664-6176-4c62-9651-5922f7d0ae2e@www.fastmail.com> <cd5c5ea3-3b56-fc19-b617-c62166981cb4@sectigo.com> <943a0e44-faab-28f0-f677-b41faa870558@nostrum.com>
In-Reply-To: <943a0e44-faab-28f0-f677-b41faa870558@nostrum.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-clientproxiedby: LO2P265CA0299.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:a5::23) To DM5PR17MB1211.namprd17.prod.outlook.com (2603:10b6:3:8b::20)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=rob@sectigo.com;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [2a0e:ac00:25d:300:f68e:38ff:fe7a:a226]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 3182162c-864b-4ce2-d635-08d6fa1dd9cf
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:DM5PR17MB1434;
x-ms-traffictypediagnostic: DM5PR17MB1434:
x-ms-exchange-purlcount: 4
x-microsoft-antispam-prvs: <DM5PR17MB143412D6FF0D30FAC3C9D9A6AAE20@DM5PR17MB1434.namprd17.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 00808B16F3
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(376002)(396003)(39850400004)(346002)(366004)(136003)(199004)(189003)(51444003)(54164003)(14454004)(446003)(53546011)(5660300002)(71200400001)(102836004)(66574012)(71190400001)(46003)(52116002)(305945005)(73956011)(11346002)(2616005)(7736002)(6246003)(66946007)(86362001)(76176011)(486006)(31696002)(99286004)(64756008)(66446008)(66556008)(66476007)(81166006)(6916009)(81156014)(966005)(31686004)(561944003)(478600001)(6306002)(54906003)(476003)(8676002)(6436002)(316002)(68736007)(8936002)(6512007)(6486002)(36756003)(4326008)(6506007)(186003)(229853002)(25786009)(53936002)(6116002)(386003)(2906002)(256004)(14444005); DIR:OUT; SFP:1101; SCL:1; SRVR:DM5PR17MB1434; H:DM5PR17MB1211.namprd17.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: sectigo.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: N59dIOS+FfXN2jiYgPr4/YObb4IS2A2npFuOkAs6vDJMMUN74cTFte1NpmcTpL85IBrww+rkh1ZtwJFT2GI3+WJ5UhpVtp83pvincVEsdNKuYEI0I87t5njWPJanaWp7hwwWlmyDdIUyyk3A1KPYSHp5WvvK2zqZYPpZdfLW3yoz9V+RI1ge/2vRalgMh/MKAtPAAQzmF4ESP+QxLZ1T74PqdkyGAU7h18qmRw1n59QoRTGrB2c16zG/xoaHCMWxrFrX7RFi8JCMawiDAZvEhVrWNZ6xgQUA+X3y9SQIY6JDRzt4ZFZ7e187yLRa/W1NkhrHuxrCfa+XBJCEZvQ9MNACq9BxzL2hZYQGRExcd/ONWgsQqfA9EV9VWEAox6Sl9sPdsk0+wBjlJ5KjEx0DMVRbJxCxm5m5F1CLqr2xEGw=
Content-Type: text/plain; charset="utf-8"
Content-ID: <B93E708E0DF6CB4790131E48F433A4F2@namprd17.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: sectigo.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 3182162c-864b-4ce2-d635-08d6fa1dd9cf
X-MS-Exchange-CrossTenant-originalarrivaltime: 26 Jun 2019 10:05:43.8709 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 0e9c4894-6caa-465d-9660-4b6968b49fb7
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: robs@comodoca.net
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR17MB1434
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/aq9Ojwqw8cPtXsUsofJhE_YO4Q0>
Subject: Re: [Trans] Adam Roach's Discuss on draft-ietf-trans-rfc6962-bis-31: (with DISCUSS and COMMENT)
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Jun 2019 10:05:50 -0000

On 25/06/2019 18:21, Adam Roach wrote:
> On 6/18/19 4:50 AM, Rob Stradling wrote:
>> Adam, thanks for your review, and I apologize that none of this
>> document's authors have been available to respond until now.
>>
>> I have filed
>> https://github.com/google/certificate-transparency-rfcs/pull/310, which
>> I believe addresses all of your concerns.
> 
> 
> Thanks! This looks good, although you'll also need to register "ct" in 
> the Well-Known URIs registry [1]. See [2] for the registration template, 
> and [3] for an example of it in use.

Adam, thanks for reviewing this PR.  I submitted a request to register 
"ct" in the Well-Known URIs registry last week, but I sent a follow-up 
message a couple of days ago to cancel the request.  This is because a 
number of folks on the TRANS WG mailing list objected to this change, 
and because nobody has said that using .well-known is their preferred 
approach to satisfying BCP 190.

And so the TRANS list is currently discussing alternative approaches to 
satisfying BCP 190.  Once it's clear which approach folks are least 
unhappy with, we'll update 6962-bis accordingly.

> I'll clear my discuss as soon as a new version is available in the 
> internet-drafts repository.
> 
> /a
> 
> 
> ____
> [1] https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml
> [2] https://tools.ietf.org/html/rfc5785#section-5.1.1
> [3] https://tools.ietf.org/html/rfc7033#section-10.1
> 
> 
>>
>> On 13/03/2019 20:52, Alexey Melnikov wrote:
>>> On Wed, Mar 13, 2019, at 5:26 PM, Adam Roach wrote:
>>>> On 3/13/19 8:28 AM, Eric Rescorla wrote:
>>>>> On Tue, Mar 12, 2019 at 11:36 PM Adam Roach via Datatracker
>>>>> <noreply@ietf..org <mailto:noreply@ietf.org>> wrote:
>>>>>
>>>>>
>>>>>      
>>>>> ----------------------------------------------------------------------
>>>>>      DISCUSS:
>>>>>      
>>>>> ----------------------------------------------------------------------
>>>>>
>>>>>      Thanks to everyone who worked on updating this protocol to
>>>>>      reflect experience
>>>>>      gathered from the initial CT protocol. I have one blocking
>>>>>      comment, and a small
>>>>>      number of editorial suggestions.
>>>>>
>>>>>      
>>>>> --------------------------------------------------------------------------- 
>>>>>
>>>>>
>>>>>      §5:
>>>>>
>>>>>      >  Clients are configured with a base URL for a log and construct
>>>>>      URLs
>>>>>      >  for requests by appending suffixes to this base URL. This
>>>>>      structure
>>>>>      >  places some degree of restriction on how log operators can 
>>>>> deploy
>>>>>      >  these services, as noted in [RFC7320].  However, operational
>>>>>      >  experience with version 1 of this protocol has not 
>>>>> indicated that
>>>>>      >  these restrictions are a problem in practice.
>>>>>
>>>>>      The synthesis of URLs by a protocol in this fashion is prohibited
>>>>>      by BCP 190:
>>>>>
>>>>>         Scheme definitions define the presence, format, and 
>>>>> semantics of a
>>>>>         path component in URIs; all other specifications MUST NOT
>>>>>      constrain,
>>>>>         or define the structure or the semantics for any path 
>>>>> component.
>>>>>
>>>>>      Unless the intention of this document is to update BCP 190 to
>>>>>      change this
>>>>>      normative requirement, we can't publish it in its current form.
>>>>>      Note that doing
>>>>>      so would require a change of venue, as updates to BCP 190 would
>>>>>      not be covered
>>>>>      by the current TRANS charter.
>>>>>
>>>>>      Please see BCP 190 section 3 for alternate approaches. All three
>>>>>      approaches
>>>>>      could be made to work for CT, and I would be happy to explain how
>>>>>      to do so if
>>>>>      clarification is desired.
>>>>>
>>>>>
>>>>> While I agree that this is forbidden by BCP 190, this structure is
>>>>> inherited from
>>>>> RFC 6962, which predated 7320, so making that change seems like it's
>>>>> going
>>>>> to be fairly disruptive. This seems like it is falling into our
>>>>> discussion the other
>>>>> day about what must be changed in -bis documents.
>>>> I think the timing of this document is fortuitous, in that it can help
>>>> inform that conversation. In particular, this situation helps me
>>>> better understand why both you and Benjamin raised objections to the
>>>> high-level proposal that unchanged parts of -bis documents shouldn't
>>>> be subject to DISCUSS positions. The take-away that I plan to bring to
>>>> that conversation is that such a decision needs to be informed by (a)
>>>> scope of changes between a document and its -bis, and (b) scope of
>>>> changes required to satisfy a potential DISCUSS position.
>>>>
>>>> In cases like this one, where a not-even-remotely-backwards-compatible
>>>> suite of protocol changes is being made to a protocol in a document
>>>> update whose diff [1] is basically the entire document, I don't think
>>>> the principle of ignoring existing flaws in a previous document really
>>>> applies. I get that both of those predicates are somewhat subjective
>>>> evaluations, and that drawing a line in a process document might be
>>>> difficult; but I think that any standard, however subjective, that you
>>>> would be willing to sign on to would place this document outside the
>>>> category of "bis versions that are making small, incremental changes
>>>> to existing documents."
>>>>
>>>> If the remedy for the flaw were a major overhaul rather than a
>>>> relatively minor tweak, it would again shift the evaluation a bit;
>>>> however, the naïve band-aid solution of moving CT endpoints to live
>>>> under "/.well-known/ct" is a trivial change, both for this document
>>>> and for implementations (in fact, for implementations, it can
>>>> generally be accomplished with a configuration tweak rather than
>>>> writing new code). To be clear, this is a textbook example of the kind
>>>> of situation URI templates were designed for, but that would require
>>>> substantially more work than simply moving it into the .well-known
>>>> tree. Either approach would address the URI ownership issue.
>>>>
>>> I am in full agreement with this.
>>>
> 

-- 
Rob Stradling
Senior Research & Development Scientist
Email: rob@sectigo.com
Bradford, UK
Office: +441274024707
Sectigo Limited

This message and any files associated with it may contain legally 
privileged, confidential, or proprietary information. If you are not the 
intended recipient, you are not permitted to use, copy, or forward it, 
in whole or in part without the express consent of the sender. Please 
notify the sender by reply email, disregard the foregoing messages, and 
delete it immediately.

v2.23.0 | Report a Bug | By Email