RE: Security for various IETF services
Eric Gray <eric.gray@ericsson.com> Tue, 08 April 2014 09:21 UTC
From: Eric Gray <eric.gray@ericsson.com>
To: "mrex@sap.com" <mrex@sap.com>, John C Klensin <john-ietf@jck.com>
Subject: RE: Security for various IETF services
Thread-Topic: Security for various IETF services
Date: Tue, 08 Apr 2014 09:20:48 +0000
Message-ID: <48E1A67CB9CA044EADFEAB87D814BFF632A52848@eusaamb107.ericsson.se>
References: <DC23F34E807E77F8C4C095C3@JcK-HP8200.jck.com> <20140407211718.60C021ACAA@ld9781.wdf.sap.corp>
In-Reply-To: <20140407211718.60C021ACAA@ld9781.wdf.sap.corp>
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/rhGFLdOqI1uYmC_0vWdhK-ydcBQ
Cc: Stewart Bryant <stbryant@cisco.com>, Tim Bray <tbray@textuality.com>, IETF-Discussion <ietf@ietf.org>, The IESG <iesg@ietf.org>
Martin,

You say "_the_real_TLS_protocol_characteristics_" like they are written down somewhere.

Would you care to provide a pointer?

--
Eric

-----Original Message-----
From: ietf [mailto:ietf-bounces@ietf.org] On Behalf Of Martin Rex
Sent: Monday, April 07, 2014 5:17 PM
To: John C Klensin
Cc: IETF-Discussion; Tim Bray; The IESG; Stewart Bryant
Subject: Re: Security for various IETF services

John C Klensin wrote:
>
> Ted Lemon <ted.lemon@nominum.com> wrote:
>>
>> Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
>>>
>>> Yes, we ought move away from passwords if/when we ever find an
>>> acceptably better solution, and yes, people ought manage their
>>> passwords well, but neither are today's reality more's the
>>> pity.
>>
>> Perhaps it would be worth setting up support for client certs
>> as a way to log in to IETF services. If we won't start, why
>> would someone else?
>
> If we are really serious about promoting/ encouraging security,
> I'd really like to see this as an option. Not only would it be
> responsive to Ted's question, but, if we made it available and
> almost no one used it, it would give us a lot of information
> about the course we are on.

TLS _client_ certificates are typically used in closed groups, where a
single CA is issuing all these certs.

TLS client cert authentication has a few small issues. The TLS server
needs to explicitly request the client cert (unsolicited client certs
are not possible/not allowed), and when the server asks for them in the
initial handshake, the client certificates will travel the network
_in_the_clear_. Requesting client certificates only in the
renegotiation handshake has its own set of problems, besides twice the
full handshake crypto overhead.

For TLS renego problems and fixes see rfc5746 and
https://secure-resumption.com/

I also think that discontinuing the _public_ services of the IETF over
traditional, insecure channels (HTTP, anon-FTP, plain SMTP, whatever)
should require a threat analysis.

Different to what a lot of folks believe, TLS is neither a panacea nor
magic pixie dust. In order to determine whether doing X-over-TLS really
provides the desired security characteristics, it is necessary to know
what security properties one is looking for.

The reason why there was an issue with TLS renegotiation is that
applications boldly assumed properties which never existed in the first
place -- and that problem would have been obvious if any of those
abusing TLS renegotiation for delayed authentication had actually
cared to check for _the_real_TLS_protocol_characteristics_ instead of
believing in TLS magic pixie dust.

-Martin
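The point Martin makes about client certificates travelling in the clear can be checked against the wire format rather than taken on faith. The following is an added example, not code from the thread or from any IETF service: a small passive parser for TLS 1.2 (RFC 5246) records that tracks, per direction, when ChangeCipherSpec switches that direction to encrypted records, and reports which handshake messages an on-path observer can still read. Two constructed exchanges are fed through it: one where the server sends CertificateRequest in the initial handshake (the client Certificate is visible), and one where client authentication happens only in a renegotiation after the first ChangeCipherSpec (the observer sees only opaque records). The handshake bytes are hand-built and the "certificates" are placeholder byte strings, not real X.509 DER; the function names are this example's own. Note that TLS 1.3 (RFC 8446) later moved the client Certificate under handshake encryption, so this observation applies to TLS 1.2 and earlier, which is what the 2014 thread is discussing.

```python
"""Passive view of TLS 1.2 handshakes: what an observer can read before
each direction's ChangeCipherSpec. Added example; all bytes below are
constructed by hand and the certificate bodies are placeholders, not DER."""
import struct

# Record content types (RFC 5246 section 6.2.1)
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23
# Handshake message types (RFC 5246 section 7.4)
HANDSHAKE_NAMES = {
    1: "ClientHello", 2: "ServerHello", 11: "Certificate",
    12: "ServerKeyExchange", 13: "CertificateRequest", 14: "ServerHelloDone",
    15: "CertificateVerify", 16: "ClientKeyExchange", 20: "Finished",
}
TLS12 = b"\x03\x03"

# Placeholder certificate bodies (constructed, not real X.509 DER)
CLIENT_CERT = b"<constructed placeholder: client cert DER>"
SERVER_CERT = b"<constructed placeholder: server cert DER>"


def record(content_type, payload):
    """TLS record: type(1) version(2) length(2) payload."""
    return bytes([content_type]) + TLS12 + struct.pack("!H", len(payload)) + payload


def handshake(msg_type, body):
    """Handshake message: type(1) length(3) body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def certificate_message(cert_der):
    """Certificate message: 3-byte list length, then 3-byte entry length + DER."""
    entry = len(cert_der).to_bytes(3, "big") + cert_der
    return handshake(11, len(entry).to_bytes(3, "big") + entry)


def parse_records(data):
    """Split a byte stream into (content_type, payload) records."""
    out, i = [], 0
    while i < len(data):
        (length,) = struct.unpack("!H", data[i + 3:i + 5])
        out.append((data[i], data[i + 5:i + 5 + length]))
        i += 5 + length
    return out


def parse_handshake(payload):
    """Split a plaintext handshake record payload into (msg_type, body)."""
    out, i = [], 0
    while i < len(payload):
        length = int.from_bytes(payload[i + 1:i + 4], "big")
        out.append((payload[i], payload[i + 4:i + 4 + length]))
        i += 4 + length
    return out


def parse_certificate_list(body):
    """Return the DER entries of a Certificate message body."""
    total, i, certs = int.from_bytes(body[0:3], "big"), 3, []
    while i < 3 + total:
        n = int.from_bytes(body[i:i + 3], "big")
        certs.append(body[i + 3:i + 3 + n])
        i += 3 + n
    return certs


def visible_to_observer(flows):
    """flows: [(direction, bytes)] in wire order, direction "C->S" or "S->C".
    Returns (visible, opaque). A direction is opaque once it has sent
    ChangeCipherSpec; later records, including a renegotiation handshake,
    are encrypted even though the record type still says 'handshake'."""
    encrypted, visible, opaque = set(), [], []
    for direction, data in flows:
        for ctype, payload in parse_records(data):
            if direction in encrypted:
                opaque.append((direction, ctype, len(payload)))
            elif ctype == CHANGE_CIPHER_SPEC:
                encrypted.add(direction)
            elif ctype == HANDSHAKE:
                for msg_type, body in parse_handshake(payload):
                    visible.append((direction, HANDSHAKE_NAMES.get(msg_type, str(msg_type)), body))
    return visible, opaque


def client_certs_in_clear(flows):
    """Certificates the observer can lift from the client's plaintext records."""
    visible, _ = visible_to_observer(flows)
    return [c for d, name, body in visible if d == "C->S" and name == "Certificate"
            for c in parse_certificate_list(body)]


# Constructed message bodies (structurally shaped like TLS 1.2, values are dummies)
CLIENT_HELLO = handshake(1, TLS12 + b"\x00" * 32 + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00")
SERVER_HELLO = handshake(2, TLS12 + b"\x00" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00")
CERT_REQUEST = handshake(13, b"\x01\x01" + b"\x00\x02\x04\x01" + b"\x00\x00")  # rsa_sign, sha256/rsa, no CA names
CLIENT_KEX = handshake(16, b"\x41\x04" + b"\x00" * 64)                          # dummy ECDHE point
CERT_VERIFY = handshake(15, b"\x04\x01\x00\x20" + b"\x11" * 32)                 # dummy signature
ENC_FINISHED = record(HANDSHAKE, b"\xaa" * 40)                                  # opaque once encrypted
CCS = record(CHANGE_CIPHER_SPEC, b"\x01")


def initial_handshake_with_client_auth():
    """Server requests the client cert in the initial handshake."""
    return [
        ("C->S", record(HANDSHAKE, CLIENT_HELLO)),
        ("S->C", record(HANDSHAKE, SERVER_HELLO + certificate_message(SERVER_CERT) + CERT_REQUEST + handshake(14, b""))),
        ("C->S", record(HANDSHAKE, certificate_message(CLIENT_CERT) + CLIENT_KEX + CERT_VERIFY) + CCS + ENC_FINISHED),
        ("S->C", CCS + ENC_FINISHED),
    ]


def renegotiation_for_client_auth():
    """Client cert requested only in a renegotiation after the first CCS."""
    return [
        ("C->S", record(HANDSHAKE, CLIENT_HELLO)),
        ("S->C", record(HANDSHAKE, SERVER_HELLO + certificate_message(SERVER_CERT) + handshake(14, b""))),
        ("C->S", record(HANDSHAKE, CLIENT_KEX) + CCS + ENC_FINISHED),
        ("S->C", CCS + ENC_FINISHED),
        ("S->C", record(HANDSHAKE, b"\xcc" * 60)),   # encrypted HelloRequest/ServerHello/... (constructed)
        ("C->S", record(HANDSHAKE, b"\xdd" * 200)),  # encrypted ClientHello/Certificate/... (constructed)
    ]


if __name__ == "__main__":
    for label, flows in (("initial", initial_handshake_with_client_auth()),
                         ("renegotiation", renegotiation_for_client_auth())):
        visible, opaque = visible_to_observer(flows)
        print(label, [f"{d} {n}" for d, n, _ in visible], "opaque records:", len(opaque))
        print("  client certs readable on the wire:", client_certs_in_clear(flows))
```

The parser deliberately treats every record after a direction's ChangeCipherSpec as opaque, which is why the renegotiation case yields no readable client certificate even though its records carry the handshake content type; that is the trade-off Martin describes, with the cost that the second full handshake and its renegotiation pitfalls (RFC 5746) come along with it.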
- Security for various IETF services Stephen Farrell
- RE: Security for various IETF services l.wood
- RE: Security for various IETF services Randall Gellens
- Re: Security for various IETF services Fred Baker (fred)
- RE: Security for various IETF services ned+ietf
- Re: Security for various IETF services Dave Crocker
- Re: Security for various IETF services Randall Gellens
- Re: Security for various IETF services Pranesh Prakash
- Re: Security for various IETF services Fred Baker (fred)
- Re: Security for various IETF services Douglas Otis
- RE: Security for various IETF services l.wood
- Re: Security for various IETF services Fred Baker (fred)
- Re: Security for various IETF services Brian E Carpenter
- Re: Security for various IETF services Randy Bush
- Re: Security for various IETF services Scott Brim
- RE: Security for various IETF services l.wood
- Re: Security for various IETF services ned+ietf
- Re: Security for various IETF services Dave Crocker
- Re: Security for various IETF services Randy Bush
- Re: Security for various IETF services Randall Gellens
- Re: Security for various IETF services Martin Rex
- RE: Security for various IETF services l.wood
- Re: Security for various IETF services t.p.
- Re: Security for various IETF services John C Klensin
- Re: Security for various IETF services Ted Lemon
- Re: Security for various IETF services John C Klensin
- Re: Security for various IETF services Dick Franks
- Re: Security for various IETF services Hector Santos
- Re: Security for various IETF services Dick Franks
- Re: Security for various IETF services Hector Santos
- Re: Security for various IETF services Dick Franks
- RE: Security for various IETF services l.wood
- Re: Security for various IETF services Pranesh Prakash
- Re: Security for various IETF services Martin Thomson
- Re: Security for various IETF services John C Klensin
- Re: Security for various IETF services Stewart Bryant (stbryant)
- RE: Security for various IETF services l.wood
- Re: Security for various IETF services Hector Santos
- RE: Security for various IETF services l.wood
- Re: Security for various IETF services ned+ietf
- Re: Security for various IETF services Tim Bray
- Re: Security for various IETF services Stephen Farrell
- Re: Security for various IETF services Dick Franks
- Re: Security for various IETF services Stephen Farrell
- RE: Security for various IETF services l.wood
- Re: Security for various IETF services David Morris
- RE: Security for various IETF services Christian Huitema
- RE: Security for various IETF services l.wood
- Re[2]: Security for various IETF services mohammed serrhini
- RE: Security for various IETF services l.wood
- Re: Security for various IETF services Randy Bush
- RE: Security for various IETF services l.wood
- Re: Security for various IETF services S Moonesamy
- Re: Security for various IETF services Stewart Bryant
- Re: Security for various IETF services Stewart Bryant
- Re: Security for various IETF services Brian Trammell
- Re: Security for various IETF services Stewart Bryant
- Re: Security for various IETF services Stewart Bryant
- Re: Security for various IETF services Stewart Bryant
- Re: Security for various IETF services Stephen Farrell
- Re: Security for various IETF services Ted Lemon
- Re: Security for various IETF services John C Klensin
- Re: Security for various IETF services Spencer Dawkins
- Re: Security for various IETF services Stewart Bryant
- Re: Security for various IETF services Ted Lemon
- RE: Security for various IETF services l.wood
- RE: Security for various IETF services Matthew Kaufman (SKYPE)
- RE: Security for various IETF services Eric Gray
- Re: Security for various IETF services t.p.
- Re: Security for various IETF services Scott Brim
- Re: Security for various IETF services Ted Lemon
- Re: Security for various IETF services Dick Franks
- Re: Security for various IETF services Phillip Hallam-Baker
- RE: Security for various IETF services l.wood
- Re: Security for various IETF services Yoav Nir
- Re: Security for various IETF services Stephen Farrell
- RE: Security for various IETF services l.wood
- RE: Security for various IETF services l.wood
- Re: Security for various IETF services Stephen Farrell
- Re: Security for various IETF services Yoav Nir
- Re: Security for various IETF services Noel Chiappa
- Re: Security for various IETF services Phillip Hallam-Baker
- Re: Security for various IETF services Dave Crocker
- Re: Security for various IETF services Ted Lemon
- Re: Security for various IETF services Theodore Ts'o
- Re: Security for various IETF services Tim Bray
- Re: Security for various IETF services Steve Crocker
- Re: Security for various IETF services Dave Cridland
- Re: Security for various IETF services Randall Gellens
- Re: Security for various IETF services Dave Crocker
- Re: Security for various IETF services Phillip Hallam-Baker
- Re: Security for various IETF services Stephen Farrell
- Re: Security for various IETF services Theodore Ts'o
- Re: Security for various IETF services Phillip Hallam-Baker
- Re: Security for various IETF services Ted Lemon
- Re: Security for various IETF services Phillip Hallam-Baker
- Re: Security for various IETF services Phillip Hallam-Baker
- Web of trust at Internet Scale Sam Hartman
- Re: Security for various IETF services Dave Cridland
- Re: Security for various IETF services Dave Cridland
- Re: Security for various IETF services Mark Andrews
- Re: Security for various IETF services Theodore Ts'o
- Re: Security for various IETF services Jelte Jansen
- Re: Security for various IETF services Stephen Kent