Re: [Insipid] Addressing security-related comments / requirements spec

Paul Kyzivat <pkyzivat@alum.mit.edu> Thu, 26 September 2013 15:23 UTC

ISTM that what is lacking is a threat analysis. What bad things could 
happen if an adversary was able to change/remove/add a Session-ID header 
in a malicious way? Maybe nothing sufficiently bad can happen to justify 
anyone bothering to do so.

	Thanks,
	Paul K

On 9/25/13 9:58 PM, Paul E. Jones wrote:
> Folks,
> Vijay Gurbani provided feedback suggesting some improvements might be
> needed in the requirements document.  See this message:
> http://www.ietf.org/mail-archive/web/apps-discuss/current/msg10419.html.  I'm
> referring specifically to his comment on Section 7.
> We had a couple of follow-up messages that you should probably also read:
> http://www.ietf.org/mail-archive/web/apps-discuss/current/msg10437.html
> http://www.ietf.org/mail-archive/web/apps-discuss/current/msg10507.html
> After reviewing his comments, I would like to ask the group what, if
> any, changes the group feels we should make to the requirements document.
> Thanks!
> Paul