Re: [DNSOP] Working Group Last Call - draft-ietf-dnsop-rfc5011-security-considerations
Warren Kumari <warren@kumari.net> Thu, 26 October 2017 15:12 UTC
On Wed, Oct 25, 2017 at 4:16 PM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
> On 18 Oct 2017, at 4:16, tjw ietf wrote:
>
>> This starts a Working Group Last Call for:
>> draft-ietf-dnsop-rfc5011-security-considerations
>
>
> I support the publication of
> draft-ietf-dnsop-rfc5011-security-considerations either as-is or with an
> additional section on looking at timing from a second perspective (as
> detailed by Mike StJohns).

Thank you, Paul.

Dear WG - I know that this document has a limited audience, is kind of
an annoying read, and is filled with maths (gasp!).

Wes and I do believe that this is an important document - getting
these timers wrong potentially has really bad security implications;
there was intended to be a companion document to RFC5011, but seeing
as that wasn't created, I think it is really important that we address
this.

So, pretty please, review this document and send feedback. We've tried
hard to make it readable, but the topic is unfortunately complex and
can only be simplified so far - it is also really hard to talk about
sliding windows of time.

So, again, please review and comment,
W

>
> --Paul Hoffman
>
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

--
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf