IETF Logo Mail Archive

Re: [OPSEC] minutes part 2

"Glen Kent" <glen.kent@gmail.com> Thu, 18 December 2008 01:04 UTC

Return-Path: <opsec-bounces@ietf.org>
X-Original-To: opsec-archive@optimus.ietf.org
Delivered-To: ietfarch-opsec-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A1B893A6B56; Wed, 17 Dec 2008 17:04:14 -0800 (PST)
X-Original-To: opsec@core3.amsl.com
Delivered-To: opsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 327443A6B56 for <opsec@core3.amsl.com>; Wed, 17 Dec 2008 17:04:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u07KgGZup7i7 for <opsec@core3.amsl.com>; Wed, 17 Dec 2008 17:04:12 -0800 (PST)
Received: from mail-bw0-f21.google.com (mail-bw0-f21.google.com [209.85.218.21]) by core3.amsl.com (Postfix) with ESMTP id F33EC3A6B4F for <opsec@ietf.org>; Wed, 17 Dec 2008 17:04:11 -0800 (PST)
Received: by bwz14 with SMTP id 14so694665bwz.13 for <opsec@ietf.org>; Wed, 17 Dec 2008 17:04:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:cc:in-reply-to:mime-version:content-type :content-transfer-encoding:content-disposition:references; bh=g6C3+nyGkyccLWqWuxMn5fq1pNzyDcIlTRvq1s0D7eo=; b=OB72D6gtQ2bOTDmDyfIsNzojdgPUwg7w/oePP1s9e/j+ob8Hw3YFgrOY1Ah3iSDg+n 0P4oUog/FrXTI6ZYzOCkEdEAcBIIbprGHFMrF26gFlF80btoLRUVS7pKdcn4vLw6F3sY DUGJnvPVHoTJigZ0fD3j0HvQQnSIv1kFz6yjY=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version :content-type:content-transfer-encoding:content-disposition :references; b=Xy7oH/YLYArSktiK2tZTOt1gzJR8lvNARcRl6tWc6sjfCHf85ETafheb231G6DYQyG THutUox4s9hVnaR9jWltP7n3WtSWegoo+N4OYOw1Tz+m9GpYpcKtT+cGNpRt2qvKLN0O zd07rZxdGHs+OCsltttyJ4kQq9ICfr68Pa7I0=
Received: by 10.103.189.15 with SMTP id r15mr521248mup.126.1229562242786; Wed, 17 Dec 2008 17:04:02 -0800 (PST)
Received: by 10.103.160.12 with HTTP; Wed, 17 Dec 2008 17:04:02 -0800 (PST)
Message-ID: <92c950310812171704x76e374bbv1bd74d74f5ca755b@mail.gmail.com>
Date: Thu, 18 Dec 2008 06:34:02 +0530
From: Glen Kent <glen.kent@gmail.com>
To: R Atkinson <ran.atkinson@gmail.com>
In-Reply-To: <12201E12-8A0B-4FBE-95A9-5C8B23DA46EC@gmail.com>
MIME-Version: 1.0
Content-Disposition: inline
References: <EC3F7E1D-F7C8-484A-A0C0-1A25E79AD86E@extremenetworks.com> <92c950310812161620j7d8aaa16m553940edadbe6d8f@mail.gmail.com> <12201E12-8A0B-4FBE-95A9-5C8B23DA46EC@gmail.com>
Cc: opsec@ietf.org
Subject: Re: [OPSEC] minutes part 2
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: opsec-bounces@ietf.org
Errors-To: opsec-bounces@ietf.org

This does not address the point that i had raised.

> I have no concern with the WG documenting any issues, provided:
> - they really are technical issues rather than opinion,

So, you dont think the issues mentioned in the drafts are technical?
OK, how would you categorize those issues?

> - the analysis really is comprehensive, including a threat model,
> - the analysis also discusses existing mitigations,
> and
> - the analysis covers all such authentication mechanism,
>  including for example RFC-2154, not just some of them.

Its experimental. Lets leave it out of the discussion.

>
> (For an individual submission rather than a WG document, of course,
> none of the above caveats would apply, as individuals can say
> whatever they wish, true or not, in a personal informational RFC. :-)
>
> As my notes have tried (and perhaps failed, sigh) to make
> clear, the focus of my concerns are:
>
> 1) An apparent proposal, according to the WG minutes, to have
>   the OPsec WG recommend that users migrate to using SHA-based

Can you stop being vague and mention the precise proposal you are
arguing against?

>   mechanisms.  There are not solid technical grounds to
>   recommend/prefer SHA approaches over MD5 approaches
>   (or the reverse: it isn't obvious that MD5 is better either).

So, you dont think there is any value in moving over to SHA based
mechanisms, is it?

>
> 2) Erroneous claims in the meeting minutes that SHA-based approaches
>   are better than the existing MD5-based mechanisms.  The approaches
>   are very slightly different, but as the URLs I provided much earlier
>   today make clear, SHA has issues in the published literature just

You probably did not notice, but IESG has added a note, in the very
RFC (4822) where YOU have added support for SHA for RIP

"In the interests of encouraging rapid migration away from Keyed-MD5
and its known weakness, the IESG has approved this document even
though it does not meet the guidelines in BCP 107 (RFC 4107)."

Glen
_______________________________________________
OPSEC mailing list
OPSEC@ietf.org
https://www.ietf.org/mailman/listinfo/opsec

v2.23.0 | Report a Bug | By Email