headers
Lisa Dusseault | 5 Jan 18:41
Picon
Gravatar

Lisa's Apps Area Activity Report for Dec 2009

News, updates

Registration and WG meeting scheduling open for IETF 74 in San Francisco, 22-27 March 2009. 
Jan 19: deadline for BOF proposals to ADs and WG meeting requests.

Document Status and Progress

Active Documents: my action
 - draft-ietf-sieve-mime-loop (PS): IETF Last Call ended, investigating next steps on feedback

Stalled, in review, waiting on other:
 - draft-ietf-sieve-managesieve (PS): In IESG Evaluation Jan 15.
 - draft-melnikov-sieve-imapext-metadata (PS): AD Evaluation done, in IETF Last Call
 - draft-ietf-calsify-rfc2445bis (PS):  Authors working on IESG Evaluation issues
 - draft-kucherawy-sender-auth-header (PS): IESG Evaluation issues.
 - draft-montemurro-gsma-imei-urn (Info): waiting for author changes or response
 - draft-freed-sieve-ihave (PS): Waiting for IESG DISCUSS position to be reviewed
 - draft-ietf-calsify-rfc2446bis (PS): Waiting for issues from another review to be addressed.  I requested IETF Last Call prematurely.
 - draft-snell-atompub-bidi (PS): A couple changes needed after IESG Evaluation.
 - draft-ietf-usefor-usepro (PS): Finished IETF Last Call.  Authors and chairs need to decide whether/what changes to make.
 - draft-wilde-sms-uri (PS): IESG Evaluation found a number of issues. Author needs to revise or respond.

Finished Processing -- new in RFC Ed queue and new RFCs
 - draft-irtf-asrg-dnsbl (Info): IESG agreed that this IRTF document does not conflict with IESG work --> approved
 - draft-ietf-sieve-notify-mailto (PS):  Approved, in RFC Ed queue.
 - RFC 5397: WebDAV Current Principal Extension



WG Status
ALTO: Mostly quiet in December.
CALSIFY: Mostly quiet in December
HTTPBIS:   Plugging away on issues. Some discussion of related but non WG drafts like draft-nottingham-http-link-header, draft-dusseault-http-patch and draft-broyer-http-cookie-auth.
IDNABIS:  New versions of several documents posted and under discussion.
SIEVE: Finishing up several docs. 
USEFOR:  No action since last report.

_______________________________________________
Apps-Discuss mailing list
Apps-Discuss <at> ietf.org
https://www.ietf.org/mailman/listinfo/apps-discuss
Permalink | Reply | 0 comments |
headers
Anthony Bryan | 7 Jan 03:26
Picon
Gravatar

Re: Metalink XML Download Description Format (draft-bryan-metalink-01)

On Mon, Sep 1, 2008 at 12:44 AM, Anthony Bryan <anthonybryan <at> gmail.com> wrote:
> Greetings,
>
> Here is the Internet Draft for Metalink, available at
> http://tools.ietf.org/html/draft-bryan-metalink-01
> with interim revisions at
> http://metalinks.svn.sourceforge.net/viewvc/metalinks/internetdraft/ .
> We're looking for review and public comments.
>
> Metalink is currently supported by some 35 applications and used by
> projects such as OpenOffice.org, openSUSE, Ubuntu, cURL, and others.
>
>  Metalink is an XML-based document format that describes a file or
>  lists of files to be added to a download queue.  Lists are composed
>  of a number of files, each with an extensible set of attached
>  metadata.  For example, each file can have a description, checksum,
>  and list of URIs that it is available from.
>
>  The primary use case that Metalink addresses is the description of
>  downloadable content in a format so download agents can act
>  intelligently and recover from common errors with little or no user
>  interaction necessary.  These errors can include multiple servers
>  going down and data corrupted in transmission.

A new version of this draft is available at
http://tools.ietf.org/html/draft-bryan-metalink-04

It contains clarifications including a simpler "Securing Metalink
Documents" section.

As always, we welcome comments and suggestions.

We could also use help with
- Inclusion of digital signatures (other than PGP) of a file listed in
a metalink.

For instance, files are frequently signed with PGP (section 4.2.14),
and these can be included in a metalink so signature verification can
be automated:

<signature type="pgp">
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEABECAAYFAkkcJgEACgkQeOEcayedXJFf6QCgy9pkyqqTtRZiZlz4GSLr1D13
avAAoMrPU7nomJysDbqo3uTDYcdbpz2T
=GBjI
-----END PGP SIGNATURE-----
</signature>

We don't describe other ways to sign a file and include it in the
metalink. If you are familiar with other ways, please help us add
these to the draft.

Thanks!
--

-- 
(( Anthony Bryan ... Metalink [ http://www.metalinker.org ]
  )) Easier, More Reliable, Self Healing Downloads
Permalink | Reply | 1 comment |
headers
Chris Newman | 8 Jan 18:27
Picon

Algorithm for comparing two email addresses (draft-ietf-smime-3850bis)?

When I was reviewing draft-ietf-smime-3850bis, I noticed it mandates 
comparison of email addresses but did not specify the algorithm for doing 
so.

My DISCUSS comment is here: 
<https://datatracker.ietf.org/idtracker/ballot/2906/>

Is anyone aware of a stable reference for the algorithm to compare two 
email addresses (one from a header), so we can avoid embedding an outline 
of the algorithm in this specification to get it done promptly?

The closest I could find is the "relaxed" Header Canonicalization Algorithm 
in RFC 4871 section 3.4.2.  But it has unnecessary steps and additional 
steps would be needed to remove the non-significant WSP from the addr-spec 
prior to comparison.  I don't think that's a good reference.

Can anyone think of a better reference?  I really don't want to be 
obstructionist about this, but I do think getting the algorithm specified 
will improve interoperability (since I've personally experienced S/MIME 
interoperability problems due to this issue).

As always, feel free to let me know if you feel my discuss position is not 
reasonable.  Getting the balance between quality and approval speed right 
is difficult and I do get it wrong sometimes, so feedback is welcome.

		Thanks,
		- Chris
Permalink | Reply | 2 comments |
headers
Paul Hoffman | 8 Jan 19:10
Picon
Gravatar

Re: Algorithm for comparing two email addresses (draft-ietf-smime-3850bis)?

At 9:27 AM -0800 1/8/09, Chris Newman wrote:
>Can anyone think of a better reference?  I really don't want to be obstructionist about this, but I do think
getting the algorithm specified will improve interoperability (since I've personally experienced
S/MIME interoperability problems due to this issue).

It would be better if this algorithm came from the Apps community than expecting the security folks to come
up with it.

>As always, feel free to let me know if you feel my discuss position is not reasonable.  Getting the balance
between quality and approval speed right is difficult and I do get it wrong sometimes, so feedback is welcome.

Given that this same wording is in RFC 3850 and even its predecessor (RFC 2632), it seems a bit onerous to
require this now. I agree that there could be a BCP on address matching, but stopping a bis (or, reall, ter)
document on it seems over the top.
Permalink | Reply | 0 comments |
headers
Barry Leiba | 8 Jan 20:11
Picon
Favicon

Re: Algorithm for comparing two email addresses (draft-ietf-smime-3850bis)?

I'm with Paul on the DISCUSS question.  The proper method for comparing addresses 
has to be specified somewhere (I'm not sure your algorithm is even complete; what 
about RFC 2047 encodings; what about Unicode issues when we go to EAI?), but it's 
not here, and this shouldn't be held up for it.  At the most, I'd ask that they 
put in a notation that the right side SHOULD be treated as ASCII-case-insensitive.

As to where such a document belongs, I suggest EAI: since it's changing the 
rules, it should probably document them.

[For what it's worth, I think this is related to the issue of mail loops in 
sieve-notify-mailto, and sieve-vacation, along with other instances in other 
places.  There may be a need for a BCP about certain aspects of dealing with 
email, and it needs to be tackled.  But we can't just pick some unfortunate 
victim that happens to mention the problem and say, basically, "You touched it; 
you fix it."]

Barry
Permalink | Reply | 1 comment |
headers
Marc Blanchet | 8 Jan 20:21
Picon
Favicon

Re: Algorithm for comparing two email addresses (draft-ietf-smime-3850bis)?

- I guess one has to take into account EAI too...
- therefore, a possible draft which takes into account EAI would be a
good doc.

Marc.

Chris Newman a écrit :
> When I was reviewing draft-ietf-smime-3850bis, I noticed it mandates
> comparison of email addresses but did not specify the algorithm for
> doing so.
> 
> My DISCUSS comment is here:
> <https://datatracker.ietf.org/idtracker/ballot/2906/>
> 
> Is anyone aware of a stable reference for the algorithm to compare two
> email addresses (one from a header), so we can avoid embedding an
> outline of the algorithm in this specification to get it done promptly?
> 
> The closest I could find is the "relaxed" Header Canonicalization
> Algorithm in RFC 4871 section 3.4.2.  But it has unnecessary steps and
> additional steps would be needed to remove the non-significant WSP from
> the addr-spec prior to comparison.  I don't think that's a good reference.
> 
> Can anyone think of a better reference?  I really don't want to be
> obstructionist about this, but I do think getting the algorithm
> specified will improve interoperability (since I've personally
> experienced S/MIME interoperability problems due to this issue).
> 
> As always, feel free to let me know if you feel my discuss position is
> not reasonable.  Getting the balance between quality and approval speed
> right is difficult and I do get it wrong sometimes, so feedback is welcome.
> 
>         Thanks,
>         - Chris
> 
> _______________________________________________
> Apps-Discuss mailing list
> Apps-Discuss <at> ietf.org
> https://www.ietf.org/mailman/listinfo/apps-discuss

--

-- 
=========
IPv6 book: Migrating to IPv6, Wiley, 2006. http://www.ipv6book.ca
Stun/Turn server for VoIP NAT-FW traversal: http://numb.viagenie.ca
Permalink | Reply | 0 comments |
headers
Zoltan.Ordogh | 9 Jan 10:51
Picon

RE: Algorithm for comparing two email addresses (draft-ietf-smime-3850bis)?

Hi all,
I agree with the previous speakers on EAI.
But, I feel that IDNA should be taken into account, too. 

Best regards: Zoltán Ördögh
E-mail: zoltan dot ordogh at nokia dot com
Phone: +358 50 386 0566

-----Original Message-----
From: apps-discuss-bounces <at> ietf.org [mailto:apps-discuss-bounces <at> ietf.org] On Behalf Of ext Barry Leiba
Sent: 08 January, 2009 21:12
To: Chris Newman; apps-discuss <at> ietf.org
Cc: Tim Polk; smime-chairs <at> tools.ietf.org; draft-ietf-smime-3850bis <at> tools.ietf.org
Subject: Re: Algorithm for comparing two email addresses (draft-ietf-smime-3850bis)?

I'm with Paul on the DISCUSS question.  The proper method for comparing addresses has to be specified
somewhere (I'm not sure your algorithm is even complete; what about RFC 2047 encodings; what about
Unicode issues when we go to EAI?), but it's not here, and this shouldn't be held up for it.  At the most, I'd
ask that they put in a notation that the right side SHOULD be treated as ASCII-case-insensitive.

As to where such a document belongs, I suggest EAI: since it's changing the rules, it should probably
document them.

[For what it's worth, I think this is related to the issue of mail loops in sieve-notify-mailto, and
sieve-vacation, along with other instances in other places.  There may be a need for a BCP about certain
aspects of dealing with email, and it needs to be tackled.  But we can't just pick some unfortunate victim
that happens to mention the problem and say, basically, "You touched it; you fix it."]

Barry

_______________________________________________
Apps-Discuss mailing list
Apps-Discuss <at> ietf.org
https://www.ietf.org/mailman/listinfo/apps-discuss
Permalink | Reply | 0 comments |
headers
Lisa Dusseault | 9 Jan 20:23
Picon
Gravatar

Fwd: RFC Errata Update for Working Group Chairs

FYI not just for chairs -- Apps has errata in a wide variety of areas, and what to do about the errata is not always obvious.

Lisa

---------- Forwarded message ----------
From: RFC Editor <rfc-editor <at> rfc-editor.org>
Date: Thu, Jan 8, 2009 at 12:31 PM
Subject: RFC Errata Update for Working Group Chairs
To: wgchairs <at> ietf.org
Cc: RFC Editor <rfc-editor <at> rfc-editor.org>


WG chairs,

We have made some updates to the RFC errata system and would like to
inform you of the new features and explain how these features may
impact your working group.

1) We'd like to bring your attention to the improved search for RFC
errata on http://www.rfc-editor.org/errata.php. You can search by WG
acronym and other information.

Please contact your Area Director if you find errata reports that need
correction.  For example, the Type (Editorial/Technical) may be
incorrect.  Area Directors can log in to verify errata in RFCs
produced by the IETF stream, so if you want to to recommend that a
report be Verified/Rejected/Held, then please let the relevant AD
know. (For the meanings of Status and Type for RFC errata, please see
http://www.rfc-editor.org/status_type_desc.html.)

2) Previously, the initial report message was sent to the authors of
the RFC and the relevant WG chairs and ADs when the RFC was a product
of a WG.  The IESG has suggested that the WG mailing list be CC'ed on
these messages, and we have implemented this feature.  For example,
grow <at> ietf.org would now be CC'ed on the message below.  The idea is to
notify the WG of the new report and potentially initiate a discussion
of the validity of the report among those who are familiar with the
content.  This will allow the verifier to update the erratum so that
its Status and Notes capture the conclusion of any discussion.

Please distribute this information to your working groups as you see
fit, and let us know if you have any comments or concerns.

Thank you.

RFC Editor

>From: RFC Errata System <rfc-editor <at> rfc-editor.org>
>Date: October 23, 2008 6:05:46 PM PDT
>To: vaf <at> cisco.com, tli <at> tropos.com, dromasca <at> avaya.com,
>rbonica <at> juniper.net, pds <at> lugs.com, christopher.morrow <at> gmail.com
>Cc: tony.li <at> tony.li, rfc-editor <at> rfc-editor.org
>Subject: [Technical Errata Reported] RFC4632 (1577)
>
>
>The following errata report has been submitted for RFC4632,
>"Classless Inter-domain Routing (CIDR): The Internet Address
>Assignment and Aggregation Plan".
>
>--------------------------------------
>You may review the report below and at:
>http://www.rfc-editor.org/errata_search.php?rfc=4632&eid=1577
>
>--------------------------------------
>Type: Technical
>Reported by: Tony Li <tony.li <at> tony.li>
>
>Section: 3.1
>
>Original Text
>-------------
>   For example, the legacy "Class B" network 172.16.0.0, with an
>implied
>   network mask of 255.255.0.0, is defined as the prefix
>172.16.0.0/16,
>   the "/16" indicating that the mask to extract the network
>portion of
>   the prefix is a 32-bit value where the most significant 16 bits
are
>   ones and the least significant 16 bits are zeros.  Similarly, the
>   legacy "Class C" network number 192.168.99.0 is defined as the
>prefix
>   192.168.99.0/24; the most significant 24 bits are ones and the
>least
>   significant 8 bits are zeros.
>
>
>
>Corrected Text
>--------------
>   For example, the legacy "Class B" network 172.16.0.0, with an
>implied
>   network mask of 255.255.0.0, is defined as the prefix
>172.16.0.0/16,
>   the "/16" indicating that the mask to extract the network
>portion of
>   the prefix is a 32-bit value where the most significant 16 bits
are
>   ones and the least significant 16 bits are zeros.  Similarly, the
>   legacy "Class C" network number 192.168.99.0 is defined as the
>prefix
>   192.168.99.0/24; the most significant 24 bits are ones and the
>least
>   significant 8 bits are zeros.
>
>   In cases where a prefix has 1, 2, or 3 trailing insignificant
>   octets, it is permissible to elide the insignificant octets and
>   trailing '.' separators. Thus, 172.16.0.0/16 may also be
>represented
>   as 172.16/16, and 192.168.99.0/24 is equivalent to 192.168.99/24.
>
>
>
>
>Notes
>-----
>This adds some clarifying text and documents a common convention
>for displaying prefixes.  It was never the intention of the authors
>to exclude the alternative notation and it has since come into
>vogue.  It should be explicitly documented as being acceptable.
>
>Instructions:
>-------------
>This errata is currently posted as "Reported". If necessary, please
>use "Reply All" to discuss whether it should be verified or
>rejected. When a decision is reached, the verifying party (IESG)
>can log in to change the status and edit the report, if necessary.
>
>--------------------------------------
>RFC4632 (draft-ietf-grow-rfc1519bis-04)
>--------------------------------------
>Title               : Classless Inter-domain Routing (CIDR): The
>Internet Address Assignment and Aggregation Plan
>Publication Date    : August 2006
>Author(s)           : V. Fuller, T. Li
>Category            : BEST CURRENT PRACTICE
>Source              : Global Routing Operations
>Area                : Operations and Management
>Stream              : IETF
>Verifying Party     : IESG
>


_______________________________________________
Apps-Discuss mailing list
Apps-Discuss <at> ietf.org
https://www.ietf.org/mailman/listinfo/apps-discuss
Permalink | Reply | 2 comments |
headers
Mark Nottingham | 13 Jan 07:00
Favicon
Gravatar

DNS prefetching

seems to be catching on:
   https://addons.mozilla.org/en-US/firefox/addon/8923
and this
   http://plasmasturm.org/log/528/
implies that Google's new Chrome browser does it.

I'm curious to know what the IETF community thinks of this. The Web  
caching community experimented with HTTP prefetching for a while (and  
I believe that some browsers also dabble with it), but we were burnt  
by unintended side effects (e.g., taking sites down with the extra  
traffic, burning up costly bandwidth in non-US locations).

Also, are there any security implications here, considering that DNS- 
based attacks often rely upon timing?

Cheers,

--
Mark Nottingham     http://www.mnot.net/
Permalink | Reply | 4 comments |
headers
SJ Kissane | 13 Jan 07:06
Picon

Re: DNS prefetching

Hi

I think DNS prefetching should be less of a concern than HTTP prefetching, given DNS caching.
If your ISP's/network's DNS server is caching, and the link is to a site with a sensible TTL, then
the extra network impact of DNS prefetching should be marginal, especially for popular pages.
Also, the size of the data being transferred with DNS is smaller, and the efficiency is better.

Now, one security concern, is if a web page has a huge number of links, all to different host names.
It might be sensible to set a limit, e.g. on any web page, I will prefetch the first 20 hostnames
I see, but stop there. Otherwise, I could insert into a HTML page hidden links to h1.example.com,
h2.example.com, .... up to h1000000.example.com, and then have your web browser blindly issue
1,000,000 DNS queries. Another security requirement would be to have a sensible pause between
each lookup, or else I could use that nasty HTML page to flood your DNS server.

Cheers
Simon

2009/1/13 Mark Nottingham <mnot <at> mnot.net>
seems to be catching on:
 https://addons.mozilla.org/en-US/firefox/addon/8923
and this
 http://plasmasturm.org/log/528/
implies that Google's new Chrome browser does it.

I'm curious to know what the IETF community thinks of this. The Web caching community experimented with HTTP prefetching for a while (and I believe that some browsers also dabble with it), but we were burnt by unintended side effects (e.g., taking sites down with the extra traffic, burning up costly bandwidth in non-US locations).

Also, are there any security implications here, considering that DNS-based attacks often rely upon timing?

Cheers,

--
Mark Nottingham     http://www.mnot.net/

_______________________________________________
Apps-Discuss mailing list
Apps-Discuss <at> ietf.org
https://www.ietf.org/mailman/listinfo/apps-discuss

_______________________________________________
Apps-Discuss mailing list
Apps-Discuss <at> ietf.org
https://www.ietf.org/mailman/listinfo/apps-discuss
Permalink | Reply | 3 comments |

Gmane