Re: [xmpp] Benoit Claise's No Objection on draft-ietf-xmpp-dna-10: (with COMMENT)

Mahesh Jethanandani <mjethanandani@gmail.com> Tue, 11 August 2015 02:09 UTC

Return-Path: <mjethanandani@gmail.com>
X-Original-To: xmpp@ietfa.amsl.com
Delivered-To: xmpp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A00861A8907; Mon, 10 Aug 2015 19:09:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7Wk--BHpUYQB; Mon, 10 Aug 2015 19:09:04 -0700 (PDT)
Received: from mail-pa0-x22a.google.com (mail-pa0-x22a.google.com [IPv6:2607:f8b0:400e:c03::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D2401A891B; Mon, 10 Aug 2015 19:08:28 -0700 (PDT)
Received: by pawu10 with SMTP id u10so152543357paw.1; Mon, 10 Aug 2015 19:08:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=xX6z2+U03/v1C/aE5Iv4Ue2Xq+6VAcXPjZ1xIXin6O0=; b=xVfzz6rXh13xKkAusx+SYJqNwFVkCnllrdBwrs/1aw/Pg0X4j8bLuqu3cFxG/WtFzC TkFKygpGc0r6Y/kwPczGnTc7+5SSxp46jTNOAJ1KUlIzXF16Q78zCqowiUOx/xNQB+pP h+fy1frRZyjx9ld0ep1fwSd0zLHEQBsRqnr28zJnprK2Z8SVthrS8pAuMHvc3quwngbT BLI8wOLdeBTBdzM48uSRdlX79DoGBAfFTGGgNnyZJ3pCuNJE8AMzV/c+Rh2OGR+d3Ex9 B1YCpi09ONKc6K38YSS4s+72tSbJCAGc6srMDBTeQzk1zPirMC7qh7Knt6o6AKWd9v7L 43rQ==
X-Received: by 10.68.194.170 with SMTP id hx10mr51260829pbc.64.1439258908138; Mon, 10 Aug 2015 19:08:28 -0700 (PDT)
Received: from [10.24.84.226] ([128.107.241.188]) by smtp.gmail.com with ESMTPSA id qc2sm354058pbc.79.2015.08.10.19.08.25 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 10 Aug 2015 19:08:27 -0700 (PDT)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
From: Mahesh Jethanandani <mjethanandani@gmail.com>
In-Reply-To: <55C9344F.90201@andyet.net>
Date: Mon, 10 Aug 2015 19:09:04 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <11AAE863-30CB-4B50-90FE-C83D68E434EA@gmail.com>
References: <20150806103342.2703.18148.idtracker@ietfa.amsl.com> <55C9344F.90201@andyet.net>
To: Peter Saint-Andre - &yet <peter@andyet.net>
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/xmpp/GyF_dMgSLgxk0Tgq1QksaJhUHLM>
X-Mailman-Approved-At: Mon, 10 Aug 2015 20:10:17 -0700
Cc: draft-ietf-xmpp-dna.ad@ietf.org, draft-ietf-xmpp-dna@ietf.org, xmpp-chairs@ietf.org, xmpp@ietf.org, The IESG <iesg@ietf.org>, Benoit Claise <bclaise@cisco.com>, draft-ietf-xmpp-dna.shepherd@ietf.org
Subject: Re: [xmpp] Benoit Claise's No Objection on draft-ietf-xmpp-dna-10: (with COMMENT)
X-BeenThere: xmpp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: XMPP Working Group <xmpp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/xmpp>, <mailto:xmpp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/xmpp/>
List-Post: <mailto:xmpp@ietf.org>
List-Help: <mailto:xmpp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/xmpp>, <mailto:xmpp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Aug 2015 02:09:06 -0000

Peter,

I agree. As I suggested in the review, a reference to the section you reproduce below from draft-ietf-dane-srv (and a similar reference to a section in draft-ietf-xmpp-posh) is what you need in draft-ietf-xmpp-dna.

Cheers.

> On Aug 10, 2015, at 4:31 PM, Peter Saint-Andre - &yet <peter@andyet.net> wrote:
> 
> Hi Benoit, I posted a reply to the OPS-DIR review here:
> 
> https://mailarchive.ietf.org/arch/msg/xmpp/VymvhuVNfSFaNv8YEjpslzR_tw4
> 
> My feeling is that it would be best for this document to point to the companion documents (draft-ietf-xmpp-posh and draft-ietf-dane-srv) with regard to operations and management. Note that draft-ietf-dane-srv already includes the following text:
> 
> ###
> 
> 6.  Guidance for Server Operators
> 
>   To conform to this specification, the published SRV records and
>   subsequent address (A and AAAA) records MUST be secured with DNSSEC.
>   There SHOULD also be at least one TLSA record published that
>   authenticates the server's certificate.
> 
>   When using TLSA records with Certificate Usage "DANE-EE", it is not
>   necessary for the deployed certificate to contain an identifier for
>   either the source domain or target server host name.  However,
>   operators need to be aware that servers relying solely on validation
>   using Certificate Usage "DANE-EE" TLSA records might prevent clients
>   that do not support this specification from successfully connecting
>   with TLS.
> 
>   For TLSA records with Certificate Usage types other than "DANE-EE",
>   the certificate(s) MUST contain an identifier that matches:
> 
>   o  the service domain name (the "source domain" in [RFC6125] terms,
>      which is the SRV query domain); and/or
> 
>   o  the target server host name (the "derived domain" in [RFC6125]
>      terms, which is the SRV target host name).
> 
>   Servers that support multiple service domains (i.e., so-called
>   "multi-tenanted environments") can implement the Transport Layer
>   Security Server Name Indication (TLS SNI) [RFC6066] or its functional
>   equivalent to determine which certificate to offer.  Clients that do
>   not support this specification will indicate a preference for the
>   service domain name, while clients that support this specification
>   will indicate the target server host name.  However, the server
>   determines what certificate to present in the TLS handshake; e.g.,
>   the presented certificate might only authenticate the target server
>   host name.
> 
> ###
> 
> Is that text helpful and complete? (Note that draft-ietf-dane-srv has already been approved for publication, but if we need to make some slight adjustments during AUTH48 we could do so.)
> 
> Also, do you think it would be preferable for draft-ietf-xmpp-posh to include a similar section providing guidance for server operators in draft-ietf-xmpp-posh? If so, Matt and I can work to formulate some text.
> 
> Thanks!
> 
> Peter
> 
> On 8/6/15 4:33 AM, Benoit Claise wrote:
>> Benoit Claise has entered the following ballot position for
>> draft-ietf-xmpp-dna-10: No Objection
>> 
>> When responding, please keep the subject line intact and reply to all
>> email addresses included in the To and CC lines. (Feel free to cut this
>> introductory paragraph, however.)
>> 
>> 
>> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
>> for more information about IESG DISCUSS and COMMENT positions.
>> 
>> 
>> The document, along with other ballot positions, can be found here:
>> https://datatracker.ietf.org/doc/draft-ietf-xmpp-dna/
>> 
>> 
>> 
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>> 
>> The conversation started between Mahesh (OPS-DIR reviewer) and the
>> authors on the following points:
>> 
>> Summary:
>> 
>> This document defines new “prooftype” used to establish a strong
>> association between a domain name and an XML stream. There are two
>> companion documents draft-ietf-xmpp-posh-04 and draft-ietf-dane-srv-12
>> that should be viewed as part of reviewing this document.
>> 
>> If there are any management requirements to configure the new
>> “prooftype”, they have not been discussed as part of this document. I did
>> not review the companion documents to see if management of the feature
>> has been addressed in them. This document should talk about how the
>> feature will be managed, even if it means referring to relevant sections
>> of the other documents. If there is a need to define a YANG model to
>> configure the feature, it should be identified, even if it is not defined
>> in this document.
>> 
>>> From an operational perspective, it would be helpful to know how this
>> would be deployed in the field. Are there any issues beyond certificate
>> configuration that operators should be aware of? Some of the services are
>> replacements for existing services, e.g. DNS with secure DNS. How would
>> the operators role out the service in the field with existing
>> service(s)?
>> 
>> Section 3:
>> 
>> The document talks about establishing a client to server Domain Name
>> Association (DNA) in this section. This is a simpler case of the server
>> to server DNA. However, it is not clear what happens if the certificate
>> verification fails. Is the behavior the same as when a self-signed
>> certificate is presented? Is there a fallback process or does the session
>> just terminate?
>> 
>> In addition, the following nits should be addressed in the document.
>> 
>>   Checking nits according to http://www.ietf.org/id-info/checklist :
>> 
>> ----------------------------------------------------------------------------
>> 
>>   == There are 2 instances of lines with non-RFC2606-compliant FQDNs in
>> the
>>      document.
>> 
>> 
>>   Checking references for intended status: Proposed Standard
>> 
>> ----------------------------------------------------------------------------
>> 
>>      (See RFCs 3967 and 4897 for information about using normative
>> references
>>      to lower-maturity documents in RFCs)
>> 
>>   == Outdated reference: A later version (-14) exists of
>>      draft-ietf-dane-srv-12
>> 
>>   ** Downref: Normative reference to an Informational RFC: RFC 4949
>> 
>>   -- Possible downref: Non-RFC (?) normative reference: ref. 'XEP-0220'
>> 
>>   == Outdated reference: draft-ietf-uta-xmpp has been published as RFC
>> 7590
>> 
>>   -- Obsolete informational reference (is this intentional?): RFC 3920
>>      (Obsoleted by RFC 6120)
>> 
>> 
>>      Summary: 1 error (**), 0 flaws (~~), 3 warnings (==), 3 comments
>> (—).
>> 
>> 
>> Thanks.
>> 
>> 
> 
> 
> -- 
> Peter Saint-Andre
> https://andyet.com/

Mahesh Jethanandani
mjethanandani@gmail.com