Re: Security for various IETF services

Stephen Farrell <stephen.farrell@cs.tcd.ie> Mon, 07 April 2014 11:01 UTC

Brian's response covers the issues very well I think. (Thanks.)

Just one thing to add...

On 04/07/2014 11:09 AM, Brian Trammell wrote:
> I think the practical risk here is only of vandalism, creating a
> mess in the datatracker that it would take a fair amount of work to
> clean up. Any impersonation materially impacting the process would
> presumably (hopefully) be detected by the impersonated themselves.
> And the possibility of someone actually doing this certainly seems
> far-fetched, but so do so many of the things one reads in the
> press these days on this subject.

Given that password re-use over many services is common, there is
also the not at all insignificant risk that any credentials captured
could be abused elsewhere with more impact.

Yes, we ought move away from passwords if/when we ever find an
acceptably better solution, and yes, people ought manage their
passwords well, but neither are today's reality more's the pity.

S.