Re: [secdir] Secdir review of draft-ietf-nfsv4-rpcsec-gssv3-14

"Adamson, Andy" <William.Adamson@netapp.com> Tue, 22 December 2015 17:15 UTC

> On Dec 15, 2015, at 10:10 PM, Radia Perlman <radiaperlman@gmail.com> wrote:
> 
> I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.
> 
> Note I'm reviewing the version 14 (although it was version 13 in the assignments list).
> 
> The document specifies where to carry Mandatory Access Control information in the protocol. It does not specify the Mandatory Access Control information itself… that is inherited from another spec.


Hi

Draft version 14 says:

2.7.1.3.  Label Assertions

   ….Full mode MAC is
   enabled when an RPCSEC_GSS_CREATE process subject label assertion is
   combined with a file object label provided by the NFSv4.2 sec_label
   attribute.

and 

  Servers that support labeling in the requested LFS MAY map the
   requested subject label to a different subject label as a result of
   server-side policy evaluation.

I guess I could be a bit clearer - "the Label assertion asserts the client process subject labels"


> 
> The language in places is a bit foreign to me, perhaps because I don't "speak" GSS-API or mandatory access control.  So, for instance, in the sentence
> 
>     "Existing GSS-API mechanisms are insufficient for communicating certain aspects of authority to a server"
> 
> I gather from context that this is authorization information.  I'd have said "...insufficient for communicating certain authorization information".  If "aspects of authority" means something else then perhaps "aspects of authority" should be defined here, even if defined elsewhere. If indeed this is common terminology then OK.

We used ‘aspects of authority’ instead of ‘authorization information’ as the multi-principal assertion adds additional authentication. We could change it to ‘…insufficient for communicating certain authorization and authentication information’.

> 
> There's a typo in section 2.5  "with an acccept stat of PROC_UNAVAIL"  (extra "c" in accept)

Oops - thought I got rid of that :)

Thanks for the review

—>Andy

> 
> Radia
> 
> 
>