Re: [Tzdist] AD review of draft-ietf-tzdist-service-07 - Sections 8 - 10
Daniel Migault <daniel.migault@ericsson.com> Tue, 12 May 2015 17:55 UTC
Return-Path: <daniel.migault@ericsson.com>
X-Original-To: tzdist@ietfa.amsl.com
Delivered-To: tzdist@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA9C61ACDC4; Tue, 12 May 2015 10:55:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5wwYljQ1KGEj; Tue, 12 May 2015 10:55:01 -0700 (PDT)
Received: from usevmg20.ericsson.net (usevmg20.ericsson.net [198.24.6.45]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BE5951ACDBE; Tue, 12 May 2015 10:55:00 -0700 (PDT)
X-AuditID: c618062d-f79a96d000007fb1-d0-5551e63104c4
Received: from EUSAAHC003.ericsson.se (Unknown_Domain [147.117.188.81]) by usevmg20.ericsson.net (Symantec Mail Security) with SMTP id 3D.34.32689.136E1555; Tue, 12 May 2015 13:38:25 +0200 (CEST)
Received: from EUSAAMB107.ericsson.se ([147.117.188.124]) by EUSAAHC003.ericsson.se ([147.117.188.81]) with mapi id 14.03.0210.002; Tue, 12 May 2015 13:54:59 -0400
From: Daniel Migault <daniel.migault@ericsson.com>
To: Cyrus Daboo <cyrus@daboo.name>, Barry Leiba <barryleiba@computer.org>, "draft-ietf-tzdist-service@ietf.org" <draft-ietf-tzdist-service@ietf.org>
Thread-Topic: [Tzdist] AD review of draft-ietf-tzdist-service-07 - Sections 8 - 10
Thread-Index: AQHQjNA/AAi1TeE3OESHPKAcsDvrh514jjpw
Date: Tue, 12 May 2015 17:54:57 +0000
Message-ID: <2DD56D786E600F45AC6BDE7DA4E8A8C1602B83@eusaamb107.ericsson.se>
References: <CALaySJKUcgkMNsFPk0X6ur-Fw0LrB0-miQvAKYJD2rMCEFpBSQ@mail.gmail.com> <88871A9AF67EF351387A3BBF@cyrus.local>
In-Reply-To: <88871A9AF67EF351387A3BBF@cyrus.local>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [147.117.188.9]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrLLMWRmVeSWpSXmKPExsUyuXRPoK7hs8BQgwdnZSwOLb7EavF3yzk2 i+/HvCxaT6U5sHi0rOpl9pjxzMpjyZKfTAHMUVw2Kak5mWWpRfp2CVwZfT2t7AVn1StaJ3xh amC8JN/FyMkhIWAisW76cSYIW0ziwr31bF2MXBxCAkcZJU6eu8kM4SxnlHjRuoAdpIpNwEii 7VA/O0hCRGAao8Syh/tYQRLMAuoS/TuPMoLYwgLBEktOLAMaywFUFCIx43sxSFgEqPfLpcss IDaLgKrEsck/wcp5Bbwl5n9bywZiCwlUSvz+PxlsF6eAscS0D0fB6hmBrvt+ag0TxCpxiVtP 5kNdLSCxZM95ZghbVOLl43+sELaixL7+6ewQ9ToSC3Z/YoOwtSWWLXzNDLFXUOLkzCcsExjF ZiEZOwtJyywkLbOQtCxgZFnFyFFanFqWm25ksIkRGD/HJNh0dzDueWl5iFGAg1GJh/fBtMBQ IdbEsuLK3EOM0hwsSuK8ix4cDBESSE8sSc1OTS1ILYovKs1JLT7EyMTBKdXAOIHXQV60ZQab DY900nvxHws0FlWxNUq9tF2e+JGVf/GF3x137AvkJI6H7t76qUTEOOP6tOrqFp9D13z1ty7f 7/XKk+/bUq8NC4qe8vMvuv9Y5/nneSfmnr6b7SrpfEDlaq6sVsi5zx3qb12WexTNiekWUd/2 IZ07vu+G7euDJ6KfJjLsvnDmhxJLcUaioRZzUXEiAHr06KCAAgAA
Archived-At: <http://mailarchive.ietf.org/arch/msg/tzdist/4akW99GFbaXWgESUBJR1LrGazas>
Cc: "tzdist@ietf.org" <tzdist@ietf.org>
Subject: Re: [Tzdist] AD review of draft-ietf-tzdist-service-07 - Sections 8 - 10
X-BeenThere: tzdist@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <tzdist.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tzdist>, <mailto:tzdist-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tzdist/>
List-Post: <mailto:tzdist@ietf.org>
List-Help: <mailto:tzdist-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tzdist>, <mailto:tzdist-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 May 2015 17:55:03 -0000
Hi,
Please see my comments inline.
BR,
Daniel
> -- Section 9 --
>
> 3. Always fetch and synchronize the entire set of time zone data to
> avoid leaking information about which time zones are actually in
> use by the client.
>
> *** Really? Wow. That's sorta like saying that web clients should
> fetch hundreds of randomly selected web sites along with the one
> they're actually intending to retrieve, in order to hide what the user
> is asking for. It sounds like really bad advice to me. If you're
> using TLS, don't you have this taken care of that way? Is it *really*
> good advice for the client to fetch a lot of time zone data that it
> doesn't and probably never will need?
There was a thorough security/privacy review by Daniel Kahn Gillmor that lead to the current text in Section 9 (see tzdist mailing messages with "[saag]" in the subject).
I think some of these precautions are there to cover those who take privacy very seriously - but it is only advice and not a requirement
DANIEL: Maybe we should add a note on the counter effect. Maybe one could also mention that this could be mitigated by tzdist resolvers that would work on behalf of stub tzdist clients. -- left for future.
> Similarly for other advice: if the client follows (1), does it really
> need to worry about (4)? Or (5) or (6)?
For (4), yes, because each individual time zone might have a unique fingerprint (sizes differ) and that could be exposed via traffic analysis even with TLS in use. (5) and (6) (and also (4) are about tracking by untrusted servers and is relevant no matter whether TLS is being used.
> I don't understand (7) at all: won't the client use authenticated HTTP
> requests if and only if the server requires them?
Again this is advice about untrusted servers. If you already signed-up with a service that requires authentication, then yes it is possible to argue that you have already agreed to trust it in some respects, so this advice might not be so relevant. But perhaps the untrusted server could prompt for some kind of 3rd party authentication (maybe OAuth)
> What threat is (9) really trying to address, which isn't already
> exposed by the fact that the server has the client's IP address and
> might even be requiring the client to log in?
Well the point is the client's IP address can vary, but the fingerprinting described in (9) would allow a server to uniquely identify the client machine, even with a varying IP address.
Anyway, I am not sure, beyond some small clarifications, if anything needs to change in this section. Certainly it needs input from SAAG/Security ADs if we do decide to make changes now. Perhaps this should be left to an IETF wide review (with another call to SAAG folks to pay attention to it)?
DANIEL: I also believe clarifications would be sufficient, so people that have not followed the whole discussion can have a good understanding of the issues. There are two aspects in these considerations: 1) First pointing out the information that may leak and 2) Second possible mitigations. At some point the mitigation may look "suprising". It is good to clearly state these are possible ways to mitigate, and these are up to the client or server to implement these recommendations. Implementation may be balanced with other aspects. Even though they may look surprising I believe they can be useful to understand the scope of the issue.
> *** You're specifying a Standards Track RFC *and* review by a
> designated expert. Why do you need both? Presumably, time zone
> experts in the IETF (such as the participant whom the IESG might
> designate) will be participating in the consensus process anyway. Why
> is it good to set up a situation wherein one individual is empowered
> to override (rather than to participate in and influence) IETF
> consensus?
>
> Small thing: If you want a Standards Track RFC to be required, you
> should say that the registration policy is "Standards Action", and
> reference RFC 5226. If you do *also* want a designated expert, you
> should use "Standards Action and Expert Review", and you should
> specify instructions for the designated expert.
>
> *** The instructions to the DE should explain what the DE should be
> considering, and when it's appropriate to decline a registration
> request ("reject with cause", in your terminology). It's not
> acceptable to give a designated expert license to reject a request
> without any guidance about when that's appropriate.
If others are OK with it, I would be willing to just go with "Specification Required" (as per RFC5226) and provide suitable instructions for the designated expert.
DANIEL: I am fine with that too.
--
Cyrus Daboo
_______________________________________________
Tzdist mailing list
Tzdist@ietf.org
https://www.ietf.org/mailman/listinfo/tzdist
- [Tzdist] AD review of draft-ietf-tzdist-service-07 Barry Leiba
- Re: [Tzdist] AD review of draft-ietf-tzdist-servi… Cyrus Daboo
- Re: [Tzdist] AD review of draft-ietf-tzdist-servi… Cyrus Daboo
- Re: [Tzdist] AD review of draft-ietf-tzdist-servi… Ken Murchison
- Re: [Tzdist] AD review of draft-ietf-tzdist-servi… Barry Leiba
- Re: [Tzdist] AD review of draft-ietf-tzdist-servi… Cyrus Daboo
- Re: [Tzdist] AD review of draft-ietf-tzdist-servi… Ken Murchison
- Re: [Tzdist] AD review of draft-ietf-tzdist-servi… Barry Leiba
- Re: [Tzdist] AD review of draft-ietf-tzdist-servi… Daniel Migault
- Re: [Tzdist] AD review of draft-ietf-tzdist-servi… Barry Leiba
- Re: [Tzdist] AD review of draft-ietf-tzdist-servi… Barry Leiba
- Re: [Tzdist] AD review of draft-ietf-tzdist-servi… Cyrus Daboo
- Re: [Tzdist] AD review of draft-ietf-tzdist-servi… Eliot Lear
- Re: [Tzdist] AD review of draft-ietf-tzdist-servi… Cyrus Daboo
- Re: [Tzdist] AD review of draft-ietf-tzdist-servi… Cyrus Daboo
- Re: [Tzdist] AD review of draft-ietf-tzdist-servi… Ken Murchison
- Re: [Tzdist] AD review of draft-ietf-tzdist-servi… Barry Leiba
- Re: [Tzdist] AD review of draft-ietf-tzdist-servi… Daniel Migault
- Re: [Tzdist] AD review of draft-ietf-tzdist-servi… Daniel Migault
- Re: [Tzdist] AD review of draft-ietf-tzdist-servi… Mike Douglass
- Re: [Tzdist] AD review of draft-ietf-tzdist-servi… Eliot Lear