Re: [Curdle] Suresh Krishnan's No Objection on draft-ietf-curdle-gss-keyex-sha2-09: (with COMMENT)

Suresh Krishnan <Suresh@kaloom.com> Tue, 02 July 2019 01:50 UTC

From: Suresh Krishnan <Suresh@kaloom.com>
To: Simo Sorce <simo@redhat.com>
CC: The IESG <iesg@ietf.org>, "draft-ietf-curdle-gss-keyex-sha2@ietf.org" <draft-ietf-curdle-gss-keyex-sha2@ietf.org>, "daniel.migault@ericsson.com" <daniel.migault@ericsson.com>, "curdle-chairs@ietf.org" <curdle-chairs@ietf.org>, "curdle@ietf.org" <curdle@ietf.org>
Date: Tue, 02 Jul 2019 01:50:23 +0000
Message-ID: <7B5F79CB-1A3B-4994-8597-D3B5FAE68ABB@kaloom.com>
References: <156139104143.17449.9632346081496014534.idtracker@ietfa.amsl.com> <541117c239df0a1624ef1ca7d25b36188b91c867.camel@redhat.com>
In-Reply-To: <541117c239df0a1624ef1ca7d25b36188b91c867.camel@redhat.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/yTZWkI4N261lcq_t1pR0eUswgKc>


> On Jul 2, 2019, at 1:20 AM, Simo Sorce <simo@redhat.com> wrote:
> 
> On Mon, 2019-06-24 at 08:44 -0700, Suresh Krishnan via Datatracker
> wrote:
>> Suresh Krishnan has entered the following ballot position for
>> draft-ietf-curdle-gss-keyex-sha2-09: No Objection
>> 
>> When responding, please keep the subject line intact and reply to all
>> email addresses included in the To and CC lines. (Feel free to cut this
>> introductory paragraph, however.)
>> 
>> 
>> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
>> for more information about IESG DISCUSS and COMMENT positions.
>> 
>> 
>> The document, along with other ballot positions, can be found here:
>> https://datatracker.ietf.org/doc/draft-ietf-curdle-gss-keyex-sha2/
>> 
>> 
>> 
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>> 
>> * Section 8.3
>> 
>> I think a pointer to DNSSEC might be relevant here in the context of spoofed DNS responses.
>> 
> Hi Suresh,
> I intentionally kept away from providing solutions in the security
> considerations around Delegation. Note that insecure DNS resolution is
> not the only issue, using insecure NIS maps for hosts brings the same
> issues, so I would rather you consider "DNS" here more as an example.
> Given that focusing too much on specific solutions might give the
> impression that DNS spoofing is the only issue and that DNSSEC the only
> solution, I decided to let the reader decide by themselves how to deal
> with these threats.
> I consider the document's job done just by warning that there is
> something to be aware of around name resolution.

Thanks Simo. I understand your rationale now and my comment was non-blocking.

Regards
Suresh