[Gen-art] Gen-ART Last Call review of draft-ietf-csi-hash-threat-10
"McCann Peter-A001034" <pete.mccann@motorola.com> Thu, 23 September 2010 15:30 UTC
From: McCann Peter-A001034 <pete.mccann@motorola.com>
To: gen-art@ietf.org, draft-ietf-csi-hash-threat.all@tools.ietf.org
Date: Thu, 23 Sep 2010 11:30:25 -0400
Message-ID: <274D46DDEB9F2244B2F1EA66B3FF54BC078E14F6@de01exm70.ds.mot.com>
Subject: [Gen-art] Gen-ART Last Call review of draft-ietf-csi-hash-threat-10
I am the assigned Gen-ART reviewer for this draft. For background on Gen-ART, please see the FAQ at <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.

Please resolve these comments along with any other Last Call comments you may receive.

Document: draft-ietf-csi-hash-threat-10
Reviewer: Pete McCann
Review Date: 23 September 2010
IETF LC End Date: 27 September 2010
IESG Telechat date: unknown

Summary: Not quite ready

Major issues:

Section 3.2:

   For this attack to succeed the attacker needs to predict the content of all fields (some of them are human-readable) appearing before the public key including the serial number and validity periods. Even though a relying party cannot verify the content of these fields, the CA can identify the forged certificate, if necessary.

This section omits a lot of discussion that was in the previous version of the draft. It seems like a forged certificate, even with falsified serial numbers and validity periods, could still do damage. Detecting the forgery after-the-fact by the CA doesn't really help. Or are you saying that the client should use OCSP to check the current validity of the signature? How does it run OCSP before it gets Internet connectivity?

Section 3.3:

   Since the structure of the Neighbor Discovery messages is well defined, it is not possible to use this vulnerability in real world attacks.

Need a little more discussion here justifying this statement. Are you saying that the attacker does not have enough flexibility in choosing the message contents to carry out the collision attack?

Minor issues:

Nits/editorial comments:

Section 1 Introduction:
   Discovery(ADD)
SHOULD BE:
   Discovery (ADD)

   The document
SHOULD BE:
   This document

Section 3:
   theaforementioned
SHOULD BE:
   the aforementioned

   protocols .
SHOULD BE:
   protocols.

Section 3.1:
   Since CGAs do not provide non-repudiation features anyway.
SHOULD BE:
   CGAs do not provide non-repudiation features anyway.

Section 3.2:
   an certificate
SHOULD BE:
   a certificate
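Added illustration of the Section 3.2 point discussed in the review above (the fields an attacker would have to predict sit in the signed data before the public key, and the CA can still recognise a certificate it never issued). This is example code written for this archive page; it is not from the Gen-ART review, the draft, or any CA implementation. It uses a minimal hand-written DER encoder; the CA name, subject names, dates, serial numbers and the issuance-log format are all constructed for the example.

```python
"""Added illustration for the Section 3.2 discussion; not code from the Gen-ART
review, the draft, or any CA software. It builds, with a minimal DER encoder, the
part of an X.509 TBSCertificate that is hashed before subjectPublicKeyInfo, so the
fields the review names (serial number, validity period) can be seen in the signed
bytes, and shows one way a CA can recognise a certificate it never issued.
All names, dates and serials below are constructed sample data."""
import hashlib
import os


def der_len(n):
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_integer(value):
    # (bit_length + 8) // 8 leaves room for the leading zero byte DER requires
    # when the top bit of a non-negative INTEGER would otherwise be set.
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def der_utctime(yymmddhhmmss_z):
    return der(0x17, yymmddhhmmss_z.encode("ascii"))


def der_name(common_name):
    # Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue (only CN, OID 2.5.4.3, here)
    atv = der(0x30, der_oid("2.5.4.3") + der(0x0C, common_name.encode("utf-8")))
    return der(0x30, der(0x31, atv))


def tbs_prefix(serial, issuer_cn, not_before, not_after, subject_cn):
    """TBSCertificate bytes that precede subjectPublicKeyInfo, in the RFC 5280
    field order: version, serialNumber, signature, issuer, validity, subject.
    Every byte returned here enters the signature hash before the public key does."""
    version = der(0xA0, der_integer(2))                                  # [0] EXPLICIT v3
    sig_alg = der(0x30, der_oid("1.2.840.113549.1.1.5") + b"\x05\x00")  # sha1WithRSAEncryption, NULL params
    validity = der(0x30, der_utctime(not_before) + der_utctime(not_after))
    return version + der_integer(serial) + sig_alg + der_name(issuer_cn) + validity + der_name(subject_cn)


def serial_of(tbs):
    """Read serialNumber back out of the prefix (short-form lengths suffice for this sample)."""
    i = 2 + tbs[1]                  # skip the version TLV
    n = tbs[i + 1]
    return int.from_bytes(tbs[i + 2:i + 2 + n], "big")


def unpredictable_serial():
    """A 64-bit random serial: a CA issuing these leaves nobody able to predict the
    serialNumber bytes of its next certificate (the usual mitigation for this attack)."""
    return int.from_bytes(os.urandom(8), "big") | (1 << 63)


def ca_issuance_log(issued):
    """Constructed CA-side record: serial -> SHA-256 of the exact bytes the CA signed.
    Keeping a digest stronger than the signature's own hash lets the CA tell a
    colliding forgery apart from what it actually issued, which is the after-the-fact
    identification the draft text refers to."""
    return {serial_of(t): hashlib.sha256(t).digest() for t in issued}


def ca_recognises(log, tbs):
    """True only if the CA signed exactly these bytes under this serial."""
    return log.get(serial_of(tbs)) == hashlib.sha256(tbs).digest()


if __name__ == "__main__":
    issued = tbs_prefix(4660, "Example CA", "100101000000Z", "110101000000Z", "router.example")
    print("bytes hashed before the public key:", len(issued), "serial:", serial_of(issued))
    log = ca_issuance_log([issued])
    unissued = tbs_prefix(4660, "Example CA", "100101000000Z", "110101000000Z", "other.example")
    print("issued recognised:", ca_recognises(log, issued), "| unissued recognised:", ca_recognises(log, unissued))
```

The log check only helps once the CA is consulted, which is the reviewer's objection: a relying party that has not yet obtained connectivity cannot ask. The part a CA can do ahead of time is to make the serialNumber bytes unpredictable, as unpredictable_serial() does, since those bytes are hashed before the public key and any prediction of the signed prefix then fails.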