Re: [Uta] AD review of draft-ietf-uta-xmpp-05
Peter Saint-Andre - &yet <peter@andyet.net> Fri, 03 April 2015 20:05 UTC
Return-Path: <peter@andyet.net>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F78D1A01C6 for <uta@ietfa.amsl.com>; Fri, 3 Apr 2015 13:05:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ku6dnIUWYawC for <uta@ietfa.amsl.com>; Fri, 3 Apr 2015 13:05:12 -0700 (PDT)
Received: from mail-ig0-f172.google.com (mail-ig0-f172.google.com [209.85.213.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9AAA91A01AE for <uta@ietf.org>; Fri, 3 Apr 2015 13:05:12 -0700 (PDT)
Received: by igcau2 with SMTP id au2so106523947igc.0 for <uta@ietf.org>; Fri, 03 Apr 2015 13:05:12 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=FDqc+VI2zWHikXHg/r88+/Pji42Fs+CHaHHQZDDH2F8=; b=Nc3Yzpl0uW0U/mJWVwszB1PDXoQewFSAvlt+yg6R/6+6Ote5cG/aa6WJSfDz2AQpWi mvrMpTeGKSHiog9G/ReJa7a5XPlrCZNmGn2LqhCpIP/OnwtYM9Zw8KZfJI6P3i/UxWXA e5/1NZ5/2VkfAqFx+2jrxnAKUtxF8lhLechZA6pAxubFpyD4Y/EDsEeZFBDngN2hJMMU c1P8XX6vATNeF/FflLIer1wFh3XrL8Df2pKyqsXYA9pjJ6zAJMlVd9OzsapycoGfpmlc iW1ihNcb05luXZsVtVo3dpVIbZB9JEncnNKwYsD2HI4ktK385wUSBElzdHKwVw1SUCrs drmw==
X-Gm-Message-State: ALoCoQnE/SK9ZpC/mbdXIQu6jovAeKff4o4BebJNyyaeBNmu6vEtKa5buq8PWRAPY+RC0mz/78Kc
X-Received: by 10.42.0.9 with SMTP id 9mr5960042ica.49.1428091512042; Fri, 03 Apr 2015 13:05:12 -0700 (PDT)
Received: from aither.local (c-73-34-202-214.hsd1.co.comcast.net. [73.34.202.214]) by mx.google.com with ESMTPSA id f142sm6147074ioe.3.2015.04.03.13.05.10 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 03 Apr 2015 13:05:11 -0700 (PDT)
Message-ID: <551EF276.9010700@andyet.net>
Date: Fri, 03 Apr 2015 14:05:10 -0600
From: Peter Saint-Andre - &yet <peter@andyet.net>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "uta@ietf.org" <uta@ietf.org>
References: <5516C8FB.3010905@cs.tcd.ie>
In-Reply-To: <5516C8FB.3010905@cs.tcd.ie>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/uta/mb46FwlhoNpMKkz71sgIOVk8nho>
Subject: Re: [Uta] AD review of draft-ietf-uta-xmpp-05
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Apr 2015 20:05:14 -0000
Hi Stephen, thanks for the review and my apologies about the delayed reply.
On 3/28/15 9:30 AM, Stephen Farrell wrote:
>
> Hiya,
>
> As your non-shiny new helper AD I've reviewed draft-ietf-uta-xmpp-05.
> I have some comments (below), none need hold up IETF LC I think so
> please treat these as you would IETF LC comments.
>
> I'll request IETF LC momentarily.
>
> Thanks,
> S.
>
> - 3.4: I'm not clear what the last paragraph is telling
> me. What should I do about that?
Some motivating and concluding text might be helpful, such as:
OLD
The Domain Name Associations (DNA) specification [I-D.ietf-xmpp-dna]
describes a framework for XMPP server authentication methods, which
include not only PKIX but also DNS-Based Authentication of Named
Entities (DANE) as defined in [I-D.ietf-dane-srv] and PKIX over
Secure HTTP (POSH) as defined in [I-D.ietf-xmpp-posh].
NEW
In some scenarios such as multi-tenanted environments, it can be
extremely difficult to obtain or deploy PKIX certificates with the
proper Subject Alternative Names. To overcome that challenge, the
Domain Name Associations (DNA) specification [I-D.ietf-xmpp-dna]
describes a framework for XMPP server authentication methods, which
include not only PKIX but also DNS-Based Authentication of Named
Entities (DANE) as defined in [I-D.ietf-dane-srv] and PKIX over
Secure HTTP (POSH) as defined in [I-D.ietf-xmpp-posh]. These
methods can provide a basis for server identity verification when
appropriate PKIX certificates cannot be obtained or deployed.
> - 3.7: practically, is it feasible to provide a client
> with information about server-server uses of TLS? (And
> how many server-server TLS "hops" might there be?)
See my reply to Roni Even's Gen-ART review. It is *not* feasible (at
least not in a way that would provide information the client could
trust), and the text was unclear enough to cause confusion. I suggested
alternative text in my reply to Roni.
> - 3.7: Would it be sensible here to recommend that
> servers log information about the use of TLS so as to be
> able to spot e.g. that what used normally be sent over
> TLS, is now in clear? I'm not sure how feasible it would
> be to do that very well, but maybe we could give
> developers some hints here and see what they come up
> with?
It seems better to require the use of TLS and never allow cleartext
connections.
> - 5: Would it be worth noting there that this is not e2e
> (obvious I guess) but that that means that some gateways
> (e.g. to SIP) may mean that we even if we really get all
> hops protected, we may not be able to report on that?
This document does not cover gateways, nor does RFC 6120. IMHO text
about gatewaying belongs the appropriate specifications. For example,
there is text about it in RFC 7247 and in draft-ietf-stox-im.
> nits:
>
> - 3.5: maybe s/passive eavesdropping/eavesdropping/ and a
> reference to RFC7258 might save someone the trouble about
> arguing that case in XMPP land later.
Good idea.
> - ID nits has some reference version nits, it's fine to
> fix those next time some changes are needed.
Given the scope of changes occasioned by Roni's review, we'll need a
revised I-D before IESG consideration.
Peter
--
Peter Saint-Andre
https://andyet.com/
- [Uta] AD review of draft-ietf-uta-xmpp-05 Stephen Farrell
- Re: [Uta] AD review of draft-ietf-uta-xmpp-05 Peter Saint-Andre - &yet
- Re: [Uta] AD review of draft-ietf-uta-xmpp-05 Peter Saint-Andre - &yet
- Re: [Uta] AD review of draft-ietf-uta-xmpp-05 Stephen Farrell