IETF Logo Mail Archive

Re: [Anima] Last Call: <draft-ietf-anima-bootstrapping-keyinfra-20.txt> (Bootstrapping Remote Secure Key Infrastructures (BRSKI)) to Proposed Standard

Michael Richardson <mcr+ietf@sandelman.ca> Mon, 10 June 2019 23:14 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 796C9120086 for <anima@ietfa.amsl.com>; Mon, 10 Jun 2019 16:14:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TKxv3ToJCA0b for <anima@ietfa.amsl.com>; Mon, 10 Jun 2019 16:14:31 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9C347120025 for <anima@ietf.org>; Mon, 10 Jun 2019 16:14:30 -0700 (PDT)
Received: from sandelman.ca (unknown [IPv6:2607:f0b0:f:2:56b2:3ff:fe0b:d84]) by tuna.sandelman.ca (Postfix) with ESMTP id 0F86538187; Mon, 10 Jun 2019 19:13:08 -0400 (EDT)
Received: by sandelman.ca (Postfix, from userid 179) id 3D079EAE; Mon, 10 Jun 2019 19:14:29 -0400 (EDT)
Received: from sandelman.ca (localhost [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id 3A460BB8; Mon, 10 Jun 2019 19:14:29 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Eric Rescorla <ekr@rtfm.com>, Anima WG <anima@ietf.org>
In-Reply-To: <da17de42-dc02-38bf-3593-e95e2f715650@gmail.com>
References: <155847367546.2608.5031283783681425886.idtracker@ietfa.amsl.com> <02DFBB01-F7BA-4BCA-B8C5-CF14E8B7A6F4@cisco.com> <20190604192843.gbavqofsq4btcgx3@faui48f.informatik.uni-erlangen.de> <045A7809-CB6F-493E-B9F2-FBF563AD5378@cisco.com> <20190607211720.y63ysayeqtkgi3lj@faui48f.informatik.uni-erlangen.de> <60BB0A11-A12B-4EA5-9379-12C75100D64C@cisco.com> <77dc7db3-e281-2475-6909-c9c5a982f973@gmail.com> <CABcZeBPcJN9eweSW8ayVAbyehjizycpLN2=dDe1txZEh8dm7QQ@mail.gmail.com> <6636.1560178188@localhost> <CABcZeBOJrnhi1vhZ5dcfS3-3DH_duWKCora-+AjARx5MwfUi+g@mail.gmail.com> <da17de42-dc02-38bf-3593-e95e2f715650@gmail.com>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Mon, 10 Jun 2019 19:14:29 -0400
Message-ID: <20800.1560208469@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/oEBZefM9WqQlkp8GY3qpjkik8eY>
Subject: Re: [Anima] Last Call: <draft-ietf-anima-bootstrapping-keyinfra-20.txt> (Bootstrapping Remote Secure Key Infrastructures (BRSKI)) to Proposed Standard
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Jun 2019 23:14:34 -0000

Brian E Carpenter <brian.e.carpenter@gmail.com> wrote:
    mcr> Brian suggested the example null vs nu11.
    mcr> This is not about super-cookies, etc. and it doesn't suggest any kind of
    mcr> process involving the list of publicsuffixes.

    ekr> The general shape of this kind of attack is that the attacker wants
    ekr> to impersonate A and so gets a domain with name A' that looks like
    ekr> A. However, this depends on A' being something the attacker can
    ekr> register. The public suffix list embodies the concept (more or less)
    ekr> of "anyone can register here". By contrast, a.example.com
    ekr> <http://a.example.com> is (I assume) owned by example.com
    ekr> <http://example.com> and so your average attacker can't do anything
    ekr> with b.example.com <http://b.example.com>.

    bc> However, examp1e.com is 2001:470:1f07:1126::555:1212 or 64.57.183.2 so
    bc> we *really* can't use it. examp1e.net is 133.242.206.244 and actually
    bc> responds to HTTP.

yes, some nice people have been sending example.* traffic to /dev/null.

    > You're right that in theory subdomains are unrealistic examples, but does that
    > matter for an illustrative example?

Exactly.
We are just trying to avoid c1sco.com / cisco.com as the example.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email