Re: [Uta] [saag] UTA WG report
Keith Moore <moore@network-heretics.com> Thu, 30 March 2017 21:47 UTC
Return-Path: <moore@network-heretics.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB3F8129665 for <uta@ietfa.amsl.com>; Thu, 30 Mar 2017 14:47:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.62
X-Spam-Level:
X-Spam-Status: No, score=-2.62 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=messagingengine.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3Ewl7rhj_3lj for <uta@ietfa.amsl.com>; Thu, 30 Mar 2017 14:47:24 -0700 (PDT)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EDAD812960F for <uta@ietf.org>; Thu, 30 Mar 2017 14:47:21 -0700 (PDT)
Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailout.nyi.internal (Postfix) with ESMTP id 684EE20A54; Thu, 30 Mar 2017 17:47:21 -0400 (EDT)
Received: from frontend1 ([10.202.2.160]) by compute6.internal (MEProxy); Thu, 30 Mar 2017 17:47:21 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-sender:x-me-sender:x-sasl-enc:x-sasl-enc; s= fm1; bh=CuCcpLAaRiG0rpooo+5cylP3170b48RCgDbkdubBJ9Q=; b=Mef+ut41 XT3e5LmX8pXVwHyM1DTftum7HE1JkGYgG1fPTvgmB3FbU9T81Ka4ak3I/r3yfXYf BKv55gvueCLsGO6iKC7RosRAF4UiFN2/tTNQ6z/lBZ9/m+Eobb5O7OF/r3mZWam5 hkbV8WIO6bz/2aLqCIq2CeLhRHc1RxGt+v2SryEDiK/ndKriNOrlEZUS4yHaHF+v +P0IdoYfFL9Reln1uIIOaf03Adg4WsUVGBGC0zJyhIXYapcYn5PxihtHXfkJQeC9 +Y6Dujcqi/phRWcc/0nj5Lzko7tAAOD3R4FGEd4ggv5h4VqIzh+izpBekXQWmm+X fUr1yaiTz0BFKQ==
X-ME-Sender: <xms:6XzdWMwxVAT07Djwg4DL_q5PwdRDr09Lej51wKMO8PEmg0cvilNCZQ>
X-Sasl-enc: 2e8Lz4OCOyhfatCrm+V8NvJheHO7gFfSm7Na+PXAtK+F 1490910441
Received: from [31.133.138.173] (unknown [31.133.138.173]) by mail.messagingengine.com (Postfix) with ESMTPA id 259197E334; Thu, 30 Mar 2017 17:47:21 -0400 (EDT)
To: Jim Fenton <fenton@bluepopcorn.net>, Orit Levin <oritl@microsoft.com>, "uta@ietf.org" <uta@ietf.org>
References: <CY1PR0301MB212290BDEA02EDE3ECEE0724AD340@CY1PR0301MB2122.namprd03.prod.outlook.com> <866da370-1475-c4cb-f86a-7a92b3778160@network-heretics.com> <CY1PR0301MB21225D1659C24FD946B66E5AAD340@CY1PR0301MB2122.namprd03.prod.outlook.com> <5356f074-6aa0-e6f6-1dde-173b1772ad69@bluepopcorn.net>
From: Keith Moore <moore@network-heretics.com>
Message-ID: <8162d36f-2365-ddf5-5e58-2c341d846452@network-heretics.com>
Date: Thu, 30 Mar 2017 17:47:20 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <5356f074-6aa0-e6f6-1dde-173b1772ad69@bluepopcorn.net>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/wGT-dzFek7lIeTxORx9U08fTjZc>
Subject: Re: [Uta] [saag] UTA WG report
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Mar 2017 21:47:26 -0000
On 03/30/2017 05:26 PM, Jim Fenton wrote: > [removing saag list because this is probably at a lower level of > detail than appropriate there. But feel free to add them if I'm wrong] > > My sense that there is a "BCP part" to the draft is probably more > clearly stated that there are really two different things described in > the draft, as the draft itself says in section 5 paragraph 4: > > "Note that security directives are a separate mechanism from minimum > confidentiality assurance levels." > > It appears to me that it's possible independently to implement/deploy > confidentiality assurance levels and security directives. So I would > split them up into separate documents. > > I still see confidentiality assurance levels as more of a BCP-ish > mechanism. It defines particular security requirements for MUA-MTA > connections to meet Confidentiality Assurance Level (CAL) 1, and > different ones for CAL 0. That seems like a best current practice to me. Disagree. Compliance with both the CAL and the security directives are a matter of protocol interaction between client and server. The only real difference is that in the CAL case, no new protocol features need to be defined (we're talking about new client interactions with existing server features); whereas for security directives there are changes to the protocols used by the servers. But in both cases these are protocol interactions. A client's compliance with this protocol can be tested, and the protocol could reasonably advance to full standard (or not) based on such testing with multiple client implementations. So I don't understand why BCP is more appropriate. (But if that's what IESG wanted to do, I wouldn't fight it. Let's just try to not let this question delay the document, ok?) I also believe it would be more confusing to have two documents for confidentiality assurance level and security directives, because both of them require the client to disconnect if the requirements aren't met. But I'll think about that some more. The current document is longer than I'd like, and there's a tendency for readers to get overwhelmed by long documents and miss things. But when readers have to read multiple documents in order to implement changes, it usually makes the problem worse. > I think we should tease these two things apart into separate > specifications so that it's clear you can have one or the other or both. The only benefit I can see to that is that server implementors and MSPs and server implementors wouldn't have to read the CAL document [*], since that's all done on the user end. Offhand, I don't see why it's beneficial for an MUA to be able to implement either CAL or security directives or both. The two features were designed to work together. [*] except that MSPs would still need to know about CAL for customer support reasons Keith
- [Uta] UTA WG report Orit Levin
- Re: [Uta] [saag] UTA WG report Orit Levin
- Re: [Uta] [saag] UTA WG report Jim Fenton
- Re: [Uta] [saag] UTA WG report Keith Moore