Alvaro: I just uploaded version -08.txt. Please review it to see if has changed your feelings on the secure transport. See comments below.
-----Original Message----- From: Alvaro Retana [mailto:[email protected]] Sent: Wednesday, August 17, 2016 9:53 PM To: The IESG Cc: [email protected]; Jeffrey Haas; [email protected]; [email protected] Subject: Alvaro Retana's No Objection on draft-ietf-i2rs-protocol-security-requirements-07: (with COMMENT) Alvaro Retana has entered the following ballot position for draft-ietf-i2rs-protocol-security-requirements-07: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-i2rs-protocol-security-requirements/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- >I have the same concerns as others around the secure transport, but I'm not >putting in a DISCUSS because the concerns are already well represented. Just >one additional comment >on the topic: Please see if I have answered these questions in version -08.txt and in the email. If not, please let me know. >I think there is a contradiction between SEC-REQ-09 ("The I2RS protocol MUST >be able to transfer data over a secure transport and optionally MAY be able to >transfer data over a >non-secure transport") and this text from Section 3. >(Security-Related Requirements): "…MUST be able to exchange data over a secure >transport, but some functions may operate >on a non-secure transport." The >latter text talks bout "some functions" using a non-secure transport, while >SEC-REQ-09 implies that everything may use it. I do not see the contradiction in -08.txt. "The I2RS client and I2RS agent using the I2RS protocol MUST be able to exchange data over a secure transport, but some functions may operate on a non-secure transport." This says the I2RS client and I2RS agent must support using the I2RS protocol over a security transport, but I2RS client software and I2RS agent software may operate on non-secure transport. Other comments from Section 3.1. (Mutual authentication of an I2RS client and an I2RS Agent) >-- The text says that the "I2RS architecture [I-D.ietf-i2rs-architecture] sets >the following requirements". I'm not sure what you mean my "sets", as there >are no requirements > labeled as such) in the architecture document. If there are, then this > section doesn't seem to be needed (as others have mentioned). Maybe "these > requirements are derived > from the architecture", or something similar may be more appropriate. You are correct, the I2RS architecture does not label such requirements. We got into discussing a strawman protocol, and we found we needed to restate the I2RS architecture documents design in the specific requirements listed now in version 8 as: SEC-REQ-01 to SEC-REQ-07. In this case the restatement is useful (see Joel's comment). Do you have a suggestion for another term than "sets". >-- What is a "valid identifier"? A couple of requirements where a "valid >identifier" "MUST" be confirmed are listed, but no indication as to what >that may be in this document or the architecture one. The definition of > identifier doesn't help… Actually, the security people indicated that a "valid identifier" was the appropriate term. You have an identity which is expressed as an identifier. The identifier can (or cannot be) a valid identifier for the identity. Identity consists of loss of features. An identifier is the way to express the identity in a protocol. > SEC-REQ-05 and SEC-REQ-06 sound the same to me. What is the difference? > BTW, if there is a difference, instead of "IETF" I think that "standardized" > may be better. Merged these into one in version -08.txt . Let me know what you think of the merge. Sue _______________________________________________ i2rs mailing list [email protected] https://www.ietf.org/mailman/listinfo/i2rs
