Re: [Gen-art] review of draft-ietf-curdle-gss-keyex-sha2-08.txt (details)

Benjamin Kaduk <kaduk@mit.edu> Wed, 09 January 2019 15:26 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5B6D130DE3; Wed, 9 Jan 2019 07:26:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.101
X-Spam-Level:
X-Spam-Status: No, score=-0.101 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mit.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 83KzdnWez5Zm; Wed, 9 Jan 2019 07:26:19 -0800 (PST)
Received: from NAM02-CY1-obe.outbound.protection.outlook.com (mail-eopbgr760117.outbound.protection.outlook.com [40.107.76.117]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 83506130E58; Wed, 9 Jan 2019 07:26:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mit.edu; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=xauuvz+YFvqbq5MS72eVZKOXl3OADAvvGspwjAZeeFo=; b=PIUvVeUFqVLxa6sE9GfBo/eSys51TusX9uQgR1CpdLYVExdXVrjOJXvP++CKdCQc4Wvz4QSCRuJWxHQdQu+4fFXePR08uOZtzeEnB6Pl9gl/PY2qnW/dNYDHNGQpenjr+7u9f4jJ8Udo1VEQmq/6YCgSoioluMHj+CDX398O78k=
Received: from BYAPR01CA0031.prod.exchangelabs.com (2603:10b6:a02:80::44) by DM6PR01MB3691.prod.exchangelabs.com (2603:10b6:5:81::28) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1516.14; Wed, 9 Jan 2019 15:26:18 +0000
Received: from DM3NAM03FT026.eop-NAM03.prod.protection.outlook.com (2a01:111:f400:7e49::201) by BYAPR01CA0031.outlook.office365.com (2603:10b6:a02:80::44) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1495.7 via Frontend Transport; Wed, 9 Jan 2019 15:26:17 +0000
Authentication-Results: spf=pass (sender IP is 18.9.28.11) smtp.mailfrom=mit.edu; ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=bestguesspass action=none header.from=mit.edu;
Received-SPF: Pass (protection.outlook.com: domain of mit.edu designates 18.9.28.11 as permitted sender) receiver=protection.outlook.com; client-ip=18.9.28.11; helo=outgoing.mit.edu;
Received: from outgoing.mit.edu (18.9.28.11) by DM3NAM03FT026.mail.protection.outlook.com (10.152.82.185) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1471.13 via Frontend Transport; Wed, 9 Jan 2019 15:26:15 +0000
Received: from kduck.mit.edu (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x09FQAwo008995 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 9 Jan 2019 10:26:14 -0500
Date: Wed, 9 Jan 2019 09:26:10 -0600
From: Benjamin Kaduk <kaduk@mit.edu>
To: Francis Dupont <Francis.Dupont@fdupont.fr>
CC: <gen-art@ietf.org>, <draft-ietf-curdle-gss-keyex-sha2.all@ietf.org>
Message-ID: <20190109152609.GG28515@kduck.mit.edu>
References: <201901091434.x09EYtsE086115@givry.fdupont.fr>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <201901091434.x09EYtsE086115@givry.fdupont.fr>
User-Agent: Mutt/1.10.1 (2018-07-13)
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:18.9.28.11; IPV:CAL; SCL:-1; CTRY:US; EFV:NLI; SFV:NSPM; SFS:(10019020)(39860400002)(396003)(346002)(136003)(376002)(2980300002)(189003)(199004)(33656002)(14444005)(5660300001)(186003)(86362001)(36906005)(88552002)(75432002)(486006)(26005)(316002)(26826003)(786003)(104016004)(54906003)(106002)(561944003)(336012)(4326008)(58126008)(53416004)(16586007)(1076003)(6306002)(106466001)(356004)(6666004)(76176011)(478600001)(426003)(7696005)(6246003)(476003)(126002)(97756001)(305945005)(11346002)(229853002)(956004)(50466002)(55016002)(47776003)(23726003)(6916009)(446003)(46406003)(246002)(8936002)(8676002)(2906002)(18370500001); DIR:OUT; SFP:1102; SCL:1; SRVR:DM6PR01MB3691; H:outgoing.mit.edu; FPR:; SPF:Pass; LANG:en; PTR:outgoing-auth-1.mit.edu; MX:1; A:1;
X-Microsoft-Exchange-Diagnostics: 1; DM3NAM03FT026; 1:ophcuTQgwkSdTDQlw6uI+VPdF+FVAkWKtcy7wWVVzueR0/JxTnSIc6USYMl93LPSE9DGb9bOO9vB0fy78SoDif7sTlWRosPxDM5huD3X2rzMVdi15Iq2xIGjuuhD1Kwp
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 6f4d067f-0b84-41b2-b69e-08d67646ccd0
X-Microsoft-Antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600109)(711020)(4608076)(4709027)(2017052603328)(7153060); SRVR:DM6PR01MB3691;
X-Microsoft-Exchange-Diagnostics: 1; DM6PR01MB3691; 3:XynN/k6V7oZerngBcVA505sMpX812qUiDE7SuAWshsAt2wc01TZ/XDQk8bzdbjxCcejkXgeC5GMGRI6WOr11GhRwlioqny9Px5Ey0KK0UjJZ/ral/ut0ZK75HMIN/fvTs/gfBvomye/xTZ1WFO6eQql/vdP5iCyuuelnox2InYjUsseOFojC7R9dkcC+Hy9Enr5zLbMilBF4i8LPLjjh6j04UywGLXiKGYm8tOrD8mrjAp/nN+A+L/YOtbsX6dBvUAI9QfHlt/JIuq7xkd9QwzZyPv41DM6e4W+WtFw0XEeijiLOsc49e9C5bBy6qfTmBV3jrEU0DQqFMzmSe3k1QBQEXrS4Rlqp371/KgD6SYXGLpca51v374PHKJU3/6ge; 25:zxTgAobQAzUi+7lEi505z+ynZfMNZqnEkJ/4ofDkoenh0XiLoc4RFWZPBJbQMLO1cH/tMWBGy1Tgqruv0/TB0u8nXEKMF2Hay4vZpe5KfSBNJu8Z2IXClZ+aM1COQX1Jv5haZAsW4Z1zsnNPs9sODDfY1krvZFWdS4/OoYOuhF12KrnrArbdqTLwc2vy7gVTPE/KGKlIAGcHikJB3cDNoJGvAEah1GZ+20rWOD9l1eB/ZcXbzNNmjr7huwDblzDXfjjaHDF297B2w+HpM3oWWcm7zgVyMDNTDqsbJ7+hSDyN0rpfjyCGnoMeseN3hwjmsvWhkFILv7w/x5qj8+XJVA==
X-MS-TrafficTypeDiagnostic: DM6PR01MB3691:
X-Microsoft-Exchange-Diagnostics: 1; DM6PR01MB3691; 31:aJBpVNY+j8Em5XrQXiGN/vWGAR/BoTT3nLfhoyHWNBCF8MeyP711eAHzmi9XH8asNF622YOpraB81dTgr0iC5SLt/hzcmI1GxVQdiQzE0Ih7JhCeogmmmTpfBtf0wan0X+Wp1FqUGtqVwKoq3usqDlFRIDc2ivJ42juJLsmjptKmh053iLWa9Pha2ZTIQ9amwEki2q2MxphxcTLXljXyKX0+4NgHenE3oraNCaUY4T4=; 20:lLHuxW6P7J8a90IKpbtA0WsJcZ3gZuKu5cnLmUuHLcV6hW/c5sFaCevx5BgxK2oPKI9LrS0Il2VS/cEJQ5bSaj+4LxuECVxYV+cJ0jYspp501KNjLQf10F1WJu6x3DCEVrQHxGOJcajskM8x9PPXm3lZRC7VhWws6wx/buBSZbF+1aPwZmlRDqqW6MshRgeKoIl6kaRDuEH9vaDTde+K27opFwDtnhSjYs2cgOvjYjvLDz+bRfOgNqvYaJjBhhe8TUs/WzibwVSt+otTxmatSlEap/mKbInJKV7vY1LjkMXjKisHyg6eCdGoGC8gYzvY4+0wRSnbrASo/4OSENoE8WjA6E0OpT39XpQ4s36dXo6LIHkibY21kZjrkUHzpqQ4FLvZrUJ4EfJdk6/qwPnY2Vrra3ko3CGBDVEzNrYdAuCa5pvIAzfNEV2/oGSUArj/PUf5lh6igFR1AoeW2a7H0eRabDYl1BXVE5UUC7+/nKfYa6U1XQW1zg53XiRLuRS0
X-Microsoft-Antispam-PRVS: <DM6PR01MB3691D31FEA669B59E603DD6CA08B0@DM6PR01MB3691.prod.exchangelabs.com>
X-Microsoft-Exchange-Diagnostics: 1; DM6PR01MB3691; 4:4CUBSgLohpl1IoP4NJz+6LR+7vOMm+s0gK/FlBU7P0/B0cxHEJezW0BIbHZ5UWNTbXXauIquSUVnzDSDJiHyQcSR8eFttp3pcNLoiMUOsD1AseU8ryfZKOAV0B/JqXW0IIe/dBCAqZ2H2vyAd4JvVO2pkfqPNK0g3/ueffhHktS0MJvxebyrx7lU4Y39lZfdX40bAwJ/agBsNC7rEtHRCo3YXDK6j8RxgeSeg7K6jFQPpk03rV7jKQtIfi/JxFBaOwEe5zOcFhMHBCHx2m+kxpNleUElCq3xLiMi0db9zqM=
X-Forefront-PRVS: 0912297777
X-Microsoft-Exchange-Diagnostics: =?us-ascii?Q?1; DM6PR01MB3691; 23:0Y3+NnsmMyXm1JdGfb9f82kd1LB9zbMjsNTmyBwXu?= =?us-ascii?Q?2IaoNmKSSwKqLyuleCESOOImIMEf98bEgV1TpPy4Oa2oj47euv7c33Qi6R/A?= =?us-ascii?Q?JoiWeeFNnpVwrY/y7X0tPCOZsGdObIuyCeSYOwWurXen2Ljf0A7rczcmYVaO?= =?us-ascii?Q?8jebqPbAc4W1IUu0gUfuGOV5RTzYAIl/TtYo+TENQkbq8dhPkvyoMKsOQr6d?= =?us-ascii?Q?PB4l2ChszB+ovaiVwSUqOG1gh3b3EOmh3povcDwW96wpNBpeKgKAnMKSsMxC?= =?us-ascii?Q?VzBUF1yk/5u3rfN77HPC+Fqj5v5Yan4uOOJbLO4U887Pzkc1opxr0hO1IiMz?= =?us-ascii?Q?pD/ltuQ69HSFxTs4pD83FSvv+sWPXybuStvWxx8cMKTSaid7sfwhYnpkahYr?= =?us-ascii?Q?MYrHnEA0U3RJdGGyvxZ41k0kZNmHx1IBsnLZuOFV76KoB67Y01ll3+XtpNyh?= =?us-ascii?Q?fWVyGgpUiMPMW0Ve5ORih4+Hj44d4tqM3GYfmdbGYJQWqHIi5nYuQTGC6G46?= =?us-ascii?Q?sadRg9qcsLuUPQeVSJ8mD8WKgW8AvZqnt2TJCYMsVje65Ej71lz2ODVZ5ZKd?= =?us-ascii?Q?RJMskObFGCGr9z8qEsQvSxpzC6ZAjLSItQ4BjjK2EKpSXTVeObqzMrFxikuh?= =?us-ascii?Q?rf+WkOyKDPASlOqLw5uDurZqDacd6Tgfmjlt/Ac+T836YpCsSRIcar9u0yaG?= =?us-ascii?Q?+aj21QVUkSeo6/82MeXN3OOsabv3/eSgSVMrCNYxaAFXI/Tk9wLTp9VkDnt9?= =?us-ascii?Q?O+wI0NzRl5uqGOnv/ewpoG9EJRT1Jilc3KrSFWN4KteacJRx8GHTImc54zaw?= =?us-ascii?Q?3PfKlFLrFmMe+iajJoPef5l7sVhh3WZ7LCONt5gfD5K+Okq1DZAWzGwQYLf/?= =?us-ascii?Q?4gjBRO7knIww0vwhbi2u8umHhZegH4bzFEnUpVhOBt3G6kheaN6ifW2efjQU?= =?us-ascii?Q?WDROee9OwUuV3D/Vp54QEUR1camYYK8+WTmHOE24r0BcptqgUvQSyjN0TAEY?= =?us-ascii?Q?kw4CVgyxK/eOw8EubehY+OflOHu5XT6AnrEJYr5aFPD1Ruu6nqSM/wDyMg72?= =?us-ascii?Q?/34/aMr1wguLNGJMu2S0M3RiggbQ86qnr8J0LOqSxV3K3XHCnxDwobf+I7HA?= =?us-ascii?Q?yUdNOaeDZcC16gQ4b8xCoT5TB4/ByWa58CsyahwhP6CmnV04LmoUU8anNtiJ?= =?us-ascii?Q?DPuIOSM8MIqnK0KoBttstVRHK6In5IrLcFc66c1BwEcBZ1poQqCJDHX1HzsM?= =?us-ascii?Q?sSGSGqGVGhT346LIZH2o6eO/wSaGrkDq+F/cyAfb8ct/4udw03sMlMBbKI4H?= =?us-ascii?B?dz09?=
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Message-Info: aaoYnNOGynR8emFQCnrVfyvbh/HA8AL/mroZ558ppvh3fKkfL9kvo4MhuxpujvlqS/72DGb7KuhxPFlcvEETku+5sNnLefCVLgd1ZXJkQIXn8FGOMlrA3LUDGOIx9KrwEbqPinMV7SU2TwBTW5TvwJE2gs3SdI30h5HJVaY+4QzZRJkXIeTPMnnVzsiCglDX8UB6vubvlDuCUc580fBZMeWs7SVoznw1nC6exmfTIoGL8L8iV1HKRtOgHjv9gHWAo2J+zuWqVIZFA820QVVLgDAYWAAKWou37PXK35IdNt9Qn7cpb7HzXBhKUUL9nQWx
X-Microsoft-Exchange-Diagnostics: 1; DM6PR01MB3691; 6:vYjuGpQ4K8AEJ638Hd/AwjdnwWkyoA+F3kVIXSUgkx9beXIyPr63mLiJHLog6MtC3Ov+rFIJW8rX4kBQChFBOXwUZa5mqgBLsK9ISh6OXr+jkCY9rI8v5ZxpIW4GD6wdd1bV0KacJ9WJJAVtkRTZPtb5VRl94le18BVgx/2RlcR5MS9cTtAxQF3wvncoEO7o/rjUiEbVeCYuTbxsnn7DenPAPr8vpZpYNph/BlZCO0/kmqcQzfHt8zjZCtErrf1GQ27ER5HgC+F8aPPgXzqUZjPnM+ygWxiMJoOG+fOrchyGqixEqtWXMyM256kH6kjPvHXy8WLSpdY/hVTrcx48wVdyKP2tSFsWIHKMAg32VnZoVt8svYmQNme4ImRgDWebNesEUVpav9KXlrXfRQO9O3EuvedZW0JxGu1zzcY3kQ6tyTRGrMEw3TOgzm8QFIDWyWFb/aWwub67CqDlDiH4bg==; 5:Y2S+Xw72GcsbSH+ZJDz+mS4v30nlCtLzdz5diUuovtxePueKZZPybcg4eHoNC3lyUb5m7UCP9cIpngM/NTBNTmvLQxyHym4KibX7WDANWZGeK72wu43+X/22eUyawwslYUQizUc35Rw1HbqbbiKPpqp5JsQpBmohr1RQcMktwCXdGMRcj/458hZoh//Cfj29p+wtlWo4HbN9t895V9O0UA==; 7:wVn5vBYrdyYfhsmtacRejCffLl2qe1kanZgKwD3gH7hfuk1XX2o2Y4wi8zh99I1bKhW5aAo4nRMRezvk7vpz32aabon0p82WHy91S2UcxhCQbxGraHMfxhTuvTOz0udPMVWt394nV/402VhOdYYkSg==
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-OriginatorOrg: mit.edu
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 09 Jan 2019 15:26:15.8178 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 6f4d067f-0b84-41b2-b69e-08d67646ccd0
X-MS-Exchange-CrossTenant-Id: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=64afd9ba-0ecf-4acf-bc36-935f6235ba8b; Ip=[18.9.28.11]; Helo=[outgoing.mit.edu]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR01MB3691
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/LFyoqHN-SkrGC27Vk0E_AMeha5o>
Subject: Re: [Gen-art] review of draft-ietf-curdle-gss-keyex-sha2-08.txt (details)
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Jan 2019 15:26:27 -0000

On Wed, Jan 09, 2019 at 03:34:55PM +0100, Francis Dupont wrote:
> I am the assigned Gen-ART reviewer for this draft. The General Area
> Review Team (Gen-ART) reviews all IETF documents being processed
> by the IESG for the IETF Chair.  Please treat these comments just
> like any other last call comments.
> 
> For more information, please see the FAQ at
> 
> <https://trac.ietf.org/trac/gen/wiki/GenArtfaq>;.
> 
> Document: draft-ietf-curdle-gss-keyex-sha2-08
> Reviewer: Francis Dupont
> Review Date: 2019-01-08
> IETF LC End Date: 2019-01-08
> IESG Telechat date: Not scheduled for a telechat
> 
> Summary: Ready
> 
> Major issues: None
> 
> Minor issues: None
> 
> Nits/editorial comments:
>  - section 2 page 2: please add RFC 8174 with RFC 2119
>   (note this can (should?) be done by the RFC Editor)
> 
>  - 7.3 page 10: I have a mixed feeling about the "must". As the problem
>  is real some could want a MUST but the attack is both an example (so
>  the defense too) and against a feature which is not the subjet of
>  the document. I have no good proposal so I leave this to the security
>  directorate.

This is a critical security consideration relating to the core 4462 key
exchange mechanism that was omitted from that document's security
considerations.  It may be most natural to treat this entire section as an
Update to the security considerations of 4462 (and accordingly mention that
update in the introduction), since we already have an Updates: relationship
with 4462.

-Ben