Re: [core] Review of draft-hartke-core-e2e-security-reqs-01
"weigengyu" <weigengyu@bupt.edu.cn> Wed, 14 September 2016 07:21 UTC
Return-Path: <weigengyu@bupt.edu.cn>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2EFDD12B17E for <core@ietfa.amsl.com>; Wed, 14 Sep 2016 00:21:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.57
X-Spam-Level:
X-Spam-Status: No, score=-1.57 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-1.508, SPF_PASS=-0.001, STOX_REPLY_TYPE=0.439] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 36fpi0Jv0DJf for <core@ietfa.amsl.com>; Wed, 14 Sep 2016 00:21:14 -0700 (PDT)
Received: from mx1.bupt.edu.cn (mx1.bupt.edu.cn [211.68.68.2]) by ietfa.amsl.com (Postfix) with ESMTP id 08B8612B15D for <core@ietf.org>; Wed, 14 Sep 2016 00:21:14 -0700 (PDT)
Received: from mx1.bupt.edu.cn (unknown [127.0.0.1]) by mx1.bupt.edu.cn (AnyMacro(G7)) with SMTP id 28BC119F409 for <core@ietf.org>; Wed, 14 Sep 2016 15:21:13 +0800 (HKT)
Received: from WeiGengyuPC (unknown [114.255.40.57]) by mx1.bupt.edu.cn (AnyMacro(G7)) with ESMTPA id 7863E19F3DC; Wed, 14 Sep 2016 15:21:12 +0800 (HKT)
Message-ID: <5BC478FD5AC445798E221150D9C227C0@WeiGengyuPC>
From: weigengyu <weigengyu@bupt.edu.cn>
To: Jim Schaad <ietf@augustcellars.com>, 'Klaus Hartke' <hartke@tzi.org>
References: <036801d1ed09$507ef080$f17cd180$@augustcellars.com> <CAAzbHvbUW5ZAh2EQ2e-L-VRyFL-V_D+sA9G1jR6pf5h=kVJWFQ@mail.gmail.com> <047701d1eda6$4af5c5b0$e0e15110$@augustcellars.com>
In-Reply-To: <047701d1eda6$4af5c5b0$e0e15110$@augustcellars.com>
Date: Wed, 14 Sep 2016 15:21:15 +0800
Organization: BUPT
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="utf-8"; reply-type="original"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3528.331
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3528.331
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/_YcANIXCJ8gAi0dedjSCjmvbISQ>
Cc: draft-hartke-core-e2e-security-reqs@tools.ietf.org, core@ietf.org
Subject: Re: [core] Review of draft-hartke-core-e2e-security-reqs-01
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Sep 2016 07:21:18 -0000
Hi, Just one question. Is it required to refer to documentations on threats of HTTP proxies? Regards, Gengyu WEI Network Technology Center School of Computer Beijing University of Posts and Telecommunications -----原始邮件----- From: Jim Schaad Sent: Thursday, August 04, 2016 12:44 AM To: 'Klaus Hartke' Cc: draft-hartke-core-e2e-security-reqs@tools.ietf.org ; core@ietf.org Subject: Re: [core] Review of draft-hartke-core-e2e-security-reqs-01 > -----Original Message----- > From: Klaus Hartke [mailto:hartke@tzi.org] > Sent: Wednesday, August 03, 2016 8:23 AM > To: Jim Schaad <ietf@augustcellars.com> > Cc: draft-hartke-core-e2e-security-reqs@tools.ietf.org; core@ietf.org WG > <core@ietf.org> > Subject: Re: [core] Review of draft-hartke-core-e2e-security-reqs-01 > > Hi Jim, > > thanks a lot for your review. Comments inline below. > > Klaus > > > Jim Schaad wrote: > > > 2. Section 2.1.1 - Should "client receives a response" include > > > > * (Threat ?) The proxy returns a stale or outdated response based > > on data it previously obtained from the origin server or some fourth > > party. > > > > I'm thinking of both out of date caches and poisoned > > caches. > > Note that these are valid from a security point of view, but not 'fresh' > > This is a part of (Threat 1:) The proxy spoofs a response. > > In the mitigation section (2.1.1.1.) we define that a response is valid > from a > security point of view only if it is fresh. > > (We use the term "authentic" instead of "valid" though, because "valid" is > already used in the context of cache validation.) > > I've expanded the text with your suggestion: > > * (Threat 1:) The proxy spoofs a response. For example, the > proxy could return a stale or outdated response based on data > it previously obtained from the server or some fourth party, or > could craft an illicit response itself. > My problem with this is that I view a spoof as different. To me a spoof implies the attempt to create a new message that will pass muster as oppose to doing something like a replay. It would probably be better to use a different term. I'll try and remember to ponder on this. Jim _______________________________________________ core mailing list core@ietf.org https://www.ietf.org/mailman/listinfo/core
- Re: [core] Review of draft-hartke-core-e2e-securi… Jim Schaad
- Re: [core] Review of draft-hartke-core-e2e-securi… Klaus Hartke
- [core] Review of draft-hartke-core-e2e-security-r… Jim Schaad
- Re: [core] Review of draft-hartke-core-e2e-securi… weigengyu
- Re: [core] Review of draft-hartke-core-e2e-securi… Jim Schaad