Re: [dhcwg] WGLC on draft-ietf-dhc-sedhcpv6-21 - Respond by March 29th

Ted Lemon <mellon@fugue.com> Thu, 30 March 2017 15:00 UTC

From: Ted Lemon <mellon@fugue.com>
Message-Id: <B84786D5-B633-4FB6-8EDF-5E6D64B2C806@fugue.com>
Date: Thu, 30 Mar 2017 10:00:36 -0500
In-Reply-To: <F2E48544-A235-4AB9-AF4B-F20DFB8E1532@cisco.com>
Cc: Lishan Li <lilishan48@gmail.com>, dhcwg <dhcwg@ietf.org>, draft-ietf-dhc-sedhcpv6 authors <draft-ietf-dhc-sedhcpv6@ietf.org>
To: "Bernie Volz (volz)" <volz@cisco.com>
References: <e08be0f6-f1b4-4f57-6cdf-ddd546f8b793@gmail.com> <7db55e6f55e34408a1816887c22e28d3@XCH-ALN-003.cisco.com> <CAJ3w4NdN2jqJpQCeSgHLtHFkK3CLatN+BYFVGaFY=s5Qd_y6Gg@mail.gmail.com> <369C97B6-B6E7-46CE-B42E-18559BFB1E78@cisco.com> <CAJ3w4Nf_gVtiO2KeCPaNT=b30mK8uQ0Tri2=0Nq5m_WLRU1aoQ@mail.gmail.com> <F2E48544-A235-4AB9-AF4B-F20DFB8E1532@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/N2FFyR1uKIXSId6C9sv9S-3kf8o>

On Mar 30, 2017, at 9:34 AM, Bernie Volz (volz) <volz@cisco.com> wrote:
> - What about verifying the certificate's time? A client might not have current time and so may not be able to determine if certificate has expired? 

Clients that don't have the current time don't get very good security. I don't know of a way to fix this. At a minimum, a client with no clock and stable store should at least remember its last boot time every so often (maybe not every boot, to avoid flash wear, but maybe at least once a month). This will make it difficult to replay really old certs. But it's pretty thin.
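The mitigation sketched above (persist a lower bound on the time to stable store at most once a month, and use it to reject certificates that were already dead before that bound) as an added Python example; this is not code from the sedhcpv6 draft or from anyone in the thread. The class and function names, the 30-day write interval, the in-memory stand-in for flash, and the certificate dates are all assumptions made for illustration.

```python
"""Certificate validity-period check for a client with no trusted clock.

Added example (not from the draft or the thread). The client keeps a
persisted "time floor": the latest time it ever learned, written to stable
store at most once per WRITE_INTERVAL to limit flash wear. Without a
trusted clock the only fact it has is now >= floor, which is enough to
reject a replayed, long-expired certificate but nothing more.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

# Assumption: persist at most monthly (the "once a month" in the thread).
WRITE_INTERVAL = timedelta(days=30)


class Verdict(Enum):
    VALID = "valid"                  # checked against a trusted clock
    EXPIRED = "expired"              # notAfter lies in the past
    NOT_YET_VALID = "not_yet_valid"  # notBefore lies in the future
    UNVERIFIED = "unverified"        # no trusted clock; only the floor was checked


@dataclass
class TimeFloor:
    """Lower bound on 'now' kept in stable store (in-memory stand-in for flash)."""
    value: datetime        # last persisted time; real time is known to be >= this
    last_write: datetime   # when `value` was last written
    writes: int = 0        # write counter, to show the wear-limiting behaviour

    def observe(self, observed: datetime) -> bool:
        """Record a time the client learned (e.g. at boot from a trusted source).

        Returns True if the value was written to stable store, False if the
        observation was dropped because it is not newer than the floor or the
        write interval has not elapsed since the last write.
        """
        if observed <= self.value:
            return False
        if observed - self.last_write < WRITE_INTERVAL:
            return False
        self.value = observed
        self.last_write = observed
        self.writes += 1
        return True


def check_cert_time(not_before: datetime, not_after: datetime,
                    floor: TimeFloor, trusted_now: Optional[datetime]) -> Verdict:
    """Validity check that degrades honestly when no trusted clock is present.

    With a trusted clock this is the ordinary notBefore/notAfter test. Without
    one, now >= floor.value lets us reject a certificate whose notAfter is
    already behind the floor (the replayed-old-cert case), but it can never
    prove the certificate is current or detect a notBefore in the future, so
    anything else is reported as UNVERIFIED rather than VALID.
    """
    if trusted_now is not None:
        if trusted_now < not_before:
            return Verdict.NOT_YET_VALID
        if trusted_now > not_after:
            return Verdict.EXPIRED
        return Verdict.VALID
    if not_after < floor.value:
        return Verdict.EXPIRED
    return Verdict.UNVERIFIED


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


def demo():
    """Constructed scenario: floor last persisted 2017-03-01; no real clock."""
    floor = TimeFloor(value=_utc(2017, 3, 1), last_write=_utc(2017, 3, 1))
    old_cert = (_utc(2015, 1, 1), _utc(2016, 12, 31))   # expired before the floor
    cur_cert = (_utc(2017, 1, 1), _utc(2018, 1, 1))     # spans the floor
    results = {
        "replay_no_clock": check_cert_time(*old_cert, floor, None),
        "current_no_clock": check_cert_time(*cur_cert, floor, None),
        "current_with_clock": check_cert_time(*cur_cert, floor, _utc(2017, 3, 30)),
        # The floor only bounds from below: a cert that expired after the floor
        # but before real now is not caught when there is no clock.
        "recent_expiry_no_clock": check_cert_time(
            _utc(2016, 1, 1), _utc(2017, 3, 15), floor, None),
    }
    # Wear limiting: a boot 10 days after the last write is dropped (the
    # persisted floor stays at 2017-03-01); one 31 days later is persisted.
    wrote_early = floor.observe(_utc(2017, 3, 11))
    wrote_later = floor.observe(_utc(2017, 4, 1))
    return results, wrote_early, wrote_later, floor.value


if __name__ == "__main__":
    for name, verdict in demo()[0].items():
        print(f"{name}: {verdict.value}")
```

Two points the example makes explicit: the floor never lets the client say VALID on its own (it only rules out certificates that were already dead before the last persisted time, which is what "pretty thin" amounts to), and the floor must be advanced only from a time source the client trusts, since an attacker who can push it into the future can make every legitimate certificate look expired.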