Re: [xmpp] Benoit Claise's No Objection on draft-ietf-xmpp-dna-10: (with COMMENT)
Mahesh Jethanandani <mjethanandani@gmail.com> Tue, 11 August 2015 02:26 UTC
Return-Path: <mjethanandani@gmail.com>
X-Original-To: xmpp@ietfa.amsl.com
Delivered-To: xmpp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9AE61A89A2; Mon, 10 Aug 2015 19:26:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zICUe_os7IrD; Mon, 10 Aug 2015 19:26:53 -0700 (PDT)
Received: from mail-pd0-x22e.google.com (mail-pd0-x22e.google.com [IPv6:2607:f8b0:400e:c02::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6E4C71A89AC; Mon, 10 Aug 2015 19:26:51 -0700 (PDT)
Received: by pdrg1 with SMTP id g1so77877922pdr.2; Mon, 10 Aug 2015 19:26:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=t0KBT9EyrHsJlbb4u+l5drSoPjCDEDdTmJudqucWM+4=; b=yuMwMpMTcqVcdUbpyhQBVptxa0iGJFZwrsbF6nRpY2fzw/LG3yi+LGKO5RFpPnM4ZC qsK7TF0Li6RGDh3dtPNG9amTBDwL33S1XV2U65YJ9F1GqfUsOHmGTQ4nxlMf7g1K7caS XwcF6Xt7Kb6q3aLFviUnjmZtVdBHj7WV11pkqaBhfLAWr3lX12xrnlOb0Cvuxa+9kkX0 L44Q+pCz+3O8zgX8fulQKDvAqMpQFGTCiwWyDouu1y12uHJZvyB5iIbyeqTfd1ULwXKU 7khcs1NbipkmvN03ldW+a/IFeoPdYgSwbLyRxqKZ6v97Zt3gV9viO7QYitK/zW6moTqZ Zq7A==
X-Received: by 10.70.36.138 with SMTP id q10mr8957705pdj.32.1439260011079; Mon, 10 Aug 2015 19:26:51 -0700 (PDT)
Received: from ?IPv6:2001:420:c0c8:1003::323? ([2001:420:c0c8:1003::323]) by smtp.gmail.com with ESMTPSA id k5sm400815pdo.48.2015.08.10.19.26.49 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 10 Aug 2015 19:26:50 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
From: Mahesh Jethanandani <mjethanandani@gmail.com>
In-Reply-To: <55C95B20.3050902@andyet.net>
Date: Mon, 10 Aug 2015 19:27:27 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <8208F533-C48C-48DC-8756-7A3F99938F67@gmail.com>
References: <20150806103342.2703.18148.idtracker@ietfa.amsl.com> <55C9344F.90201@andyet.net> <11AAE863-30CB-4B50-90FE-C83D68E434EA@gmail.com> <55C95B20.3050902@andyet.net>
To: Peter Saint-Andre - &yet <peter@andyet.net>
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/xmpp/-Imepm239u0C54b0aIe5abG2K1k>
X-Mailman-Approved-At: Mon, 10 Aug 2015 20:10:17 -0700
Cc: draft-ietf-xmpp-dna.ad@ietf.org, draft-ietf-xmpp-dna@ietf.org, xmpp-chairs@ietf.org, xmpp@ietf.org, The IESG <iesg@ietf.org>, Benoit Claise <bclaise@cisco.com>, draft-ietf-xmpp-dna.shepherd@ietf.org
Subject: Re: [xmpp] Benoit Claise's No Objection on draft-ietf-xmpp-dna-10: (with COMMENT)
X-BeenThere: xmpp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: XMPP Working Group <xmpp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/xmpp>, <mailto:xmpp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/xmpp/>
List-Post: <mailto:xmpp@ietf.org>
List-Help: <mailto:xmpp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/xmpp>, <mailto:xmpp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Aug 2015 02:26:55 -0000
Hi Peter, The text looks good to me. Thanks. > On Aug 10, 2015, at 7:17 PM, Peter Saint-Andre - &yet <peter@andyet.net> wrote: > > Hi Mahesh, > > I suggest that we add a section something like the following to draft-ietf-xmpp-dna and then add a section to draft-ietf-xmpp-posh as well (I haven't written any text for the latter yet, thus the "FIXME" for a section number in what follows). > > ### > > 8. Guidance for Server Operators > > This document introduces the concept of a prooftype in order to > explain and generalize the approach to establishing a strong > association between the DNS domain name of an XMPP service and the > XML stream that a client or peer server initiates with that service. > > The operators of XMPP services will not directly deploy DNA > prooftypes, and the operations and management implications will > depend on the prooftypes that an operator supports. For example: > > o To support the PKIX prooftype [RFC6120], an operator needs to > interact with a certification authority but does not need to > deploy DNS security. > > o To support the DANE prooftype [I-D.ietf-dane-srv], an operator can > generate its own certificates or obtain them from a certification > authority but needs to deploy DNS security. > > o To support the POSH prooftype [I-D.ietf-xmpp-posh], an operator > can generate its own certificates or obtain them from a > certification authority but does not need to deploy DNS security. > > Considerations for use of the foregoing prooftypes are explained in > the relevant specifications. See in particular Section 13.7 of > [RFC6120], Section 6 of [I-D.ietf-dane-srv], and Section FIXME of > [I-D.ietf-xmpp-posh]. > > Naturally, these operations and management considerations are > additive: if an operator wishes to use multiple prooftypes, the > complexity of deployment increases (e.g., the operator might want to > obtain a PKIX certificate from a certification authority for use in > the PKIX prooftype and generate its own certificate for use in the > DANE prooftype). This is an unavoidable aspect of supporting as many > prooftypes as needed in order to ensure that domain name associations > can be established in the largest possible percentage of cases. > > ### > > What do you think? > > (I haven't shared this text yet with my co-authors, since I've been working on it just now.) > > Peter > > On 8/10/15 8:09 PM, Mahesh Jethanandani wrote: >> Peter, >> >> I agree. As I suggested in the review, a reference to the section you reproduce below from draft-ietf-dane-srv (and a similar reference to a section in draft-ietf-xmpp-posh) is what you need in draft-ietf-xmpp-dna. >> >> Cheers. >> >>> On Aug 10, 2015, at 4:31 PM, Peter Saint-Andre - &yet <peter@andyet.net> wrote: >>> >>> Hi Benoit, I posted a reply to the OPS-DIR review here: >>> >>> https://mailarchive.ietf.org/arch/msg/xmpp/VymvhuVNfSFaNv8YEjpslzR_tw4 >>> >>> My feeling is that it would be best for this document to point to the companion documents (draft-ietf-xmpp-posh and draft-ietf-dane-srv) with regard to operations and management. Note that draft-ietf-dane-srv already includes the following text: >>> >>> ### >>> >>> 6. Guidance for Server Operators >>> >>> To conform to this specification, the published SRV records and >>> subsequent address (A and AAAA) records MUST be secured with DNSSEC. >>> There SHOULD also be at least one TLSA record published that >>> authenticates the server's certificate. >>> >>> When using TLSA records with Certificate Usage "DANE-EE", it is not >>> necessary for the deployed certificate to contain an identifier for >>> either the source domain or target server host name. However, >>> operators need to be aware that servers relying solely on validation >>> using Certificate Usage "DANE-EE" TLSA records might prevent clients >>> that do not support this specification from successfully connecting >>> with TLS. >>> >>> For TLSA records with Certificate Usage types other than "DANE-EE", >>> the certificate(s) MUST contain an identifier that matches: >>> >>> o the service domain name (the "source domain" in [RFC6125] terms, >>> which is the SRV query domain); and/or >>> >>> o the target server host name (the "derived domain" in [RFC6125] >>> terms, which is the SRV target host name). >>> >>> Servers that support multiple service domains (i.e., so-called >>> "multi-tenanted environments") can implement the Transport Layer >>> Security Server Name Indication (TLS SNI) [RFC6066] or its functional >>> equivalent to determine which certificate to offer. Clients that do >>> not support this specification will indicate a preference for the >>> service domain name, while clients that support this specification >>> will indicate the target server host name. However, the server >>> determines what certificate to present in the TLS handshake; e.g., >>> the presented certificate might only authenticate the target server >>> host name. >>> >>> ### >>> >>> Is that text helpful and complete? (Note that draft-ietf-dane-srv has already been approved for publication, but if we need to make some slight adjustments during AUTH48 we could do so.) >>> >>> Also, do you think it would be preferable for draft-ietf-xmpp-posh to include a similar section providing guidance for server operators in draft-ietf-xmpp-posh? If so, Matt and I can work to formulate some text. >>> >>> Thanks! >>> >>> Peter >>> >>> On 8/6/15 4:33 AM, Benoit Claise wrote: >>>> Benoit Claise has entered the following ballot position for >>>> draft-ietf-xmpp-dna-10: No Objection >>>> >>>> When responding, please keep the subject line intact and reply to all >>>> email addresses included in the To and CC lines. (Feel free to cut this >>>> introductory paragraph, however.) >>>> >>>> >>>> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html >>>> for more information about IESG DISCUSS and COMMENT positions. >>>> >>>> >>>> The document, along with other ballot positions, can be found here: >>>> https://datatracker.ietf.org/doc/draft-ietf-xmpp-dna/ >>>> >>>> >>>> >>>> ---------------------------------------------------------------------- >>>> COMMENT: >>>> ---------------------------------------------------------------------- >>>> >>>> The conversation started between Mahesh (OPS-DIR reviewer) and the >>>> authors on the following points: >>>> >>>> Summary: >>>> >>>> This document defines new “prooftype” used to establish a strong >>>> association between a domain name and an XML stream. There are two >>>> companion documents draft-ietf-xmpp-posh-04 and draft-ietf-dane-srv-12 >>>> that should be viewed as part of reviewing this document. >>>> >>>> If there are any management requirements to configure the new >>>> “prooftype”, they have not been discussed as part of this document. I did >>>> not review the companion documents to see if management of the feature >>>> has been addressed in them. This document should talk about how the >>>> feature will be managed, even if it means referring to relevant sections >>>> of the other documents. If there is a need to define a YANG model to >>>> configure the feature, it should be identified, even if it is not defined >>>> in this document. >>>> >>>>> From an operational perspective, it would be helpful to know how this >>>> would be deployed in the field. Are there any issues beyond certificate >>>> configuration that operators should be aware of? Some of the services are >>>> replacements for existing services, e.g. DNS with secure DNS. How would >>>> the operators role out the service in the field with existing >>>> service(s)? >>>> >>>> Section 3: >>>> >>>> The document talks about establishing a client to server Domain Name >>>> Association (DNA) in this section. This is a simpler case of the server >>>> to server DNA. However, it is not clear what happens if the certificate >>>> verification fails. Is the behavior the same as when a self-signed >>>> certificate is presented? Is there a fallback process or does the session >>>> just terminate? >>>> >>>> In addition, the following nits should be addressed in the document. >>>> >>>> Checking nits according to http://www.ietf.org/id-info/checklist : >>>> >>>> ---------------------------------------------------------------------------- >>>> >>>> == There are 2 instances of lines with non-RFC2606-compliant FQDNs in >>>> the >>>> document. >>>> >>>> >>>> Checking references for intended status: Proposed Standard >>>> >>>> ---------------------------------------------------------------------------- >>>> >>>> (See RFCs 3967 and 4897 for information about using normative >>>> references >>>> to lower-maturity documents in RFCs) >>>> >>>> == Outdated reference: A later version (-14) exists of >>>> draft-ietf-dane-srv-12 >>>> >>>> ** Downref: Normative reference to an Informational RFC: RFC 4949 >>>> >>>> -- Possible downref: Non-RFC (?) normative reference: ref. 'XEP-0220' >>>> >>>> == Outdated reference: draft-ietf-uta-xmpp has been published as RFC >>>> 7590 >>>> >>>> -- Obsolete informational reference (is this intentional?): RFC 3920 >>>> (Obsoleted by RFC 6120) >>>> >>>> >>>> Summary: 1 error (**), 0 flaws (~~), 3 warnings (==), 3 comments >>>> (—). >>>> >>>> >>>> Thanks. >>>> >>>> Mahesh Jethanandani mjethanandani@gmail.com
- [xmpp] Benoit Claise's No Objection on draft-ietf… Benoit Claise
- Re: [xmpp] Benoit Claise's No Objection on draft-… Peter Saint-Andre - &yet
- Re: [xmpp] Benoit Claise's No Objection on draft-… Peter Saint-Andre - &yet
- Re: [xmpp] Benoit Claise's No Objection on draft-… Mahesh Jethanandani
- Re: [xmpp] Benoit Claise's No Objection on draft-… Mahesh Jethanandani
- Re: [xmpp] Benoit Claise's No Objection on draft-… Peter Saint-Andre - &yet
- Re: [xmpp] Benoit Claise's No Objection on draft-… Benoit Claise