Re: [Pearg] [Secdispatch] Numeric IDs: Update to RFC3552
Fernando Gont <fgont@si6networks.com> Thu, 18 April 2019 23:40 UTC
Return-Path: <fgont@si6networks.com>
X-Original-To: pearg@ietfa.amsl.com
Delivered-To: pearg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D49BE1201BA for <pearg@ietfa.amsl.com>; Thu, 18 Apr 2019 16:40:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3F5wYBhKecEA for <pearg@ietfa.amsl.com>; Thu, 18 Apr 2019 16:40:19 -0700 (PDT)
Received: from fgont.go6lab.si (fgont.go6lab.si [IPv6:2001:67c:27e4::14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC5541201B2 for <pearg@irtf.org>; Thu, 18 Apr 2019 16:40:18 -0700 (PDT)
Received: from [192.168.3.138] (unknown [186.138.212.56]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id 5A22E8493B; Fri, 19 Apr 2019 01:40:10 +0200 (CEST)
To: Eric Rescorla <ekr@rtfm.com>
Cc: "Iván Arce (Quarkslab)" <iarce@quarkslab.com>, IETF SecDispatch <secdispatch@ietf.org>, pearg@irtf.org, secdispatch-chairs@ietf.org
References: <4ac730a6-73ca-74cd-e848-4a6645bd0403@si6networks.com> <CABcZeBOy6MB0OG2cs=EE6hWB4pXBuNzW=LcQ+1dKmJzHBOUR-g@mail.gmail.com> <bc733114-6f97-532b-02d5-2730e834340a@si6networks.com> <CABcZeBPr2rfVkib684Gz4uCPWtFc4trwusJxNRJ6EPPpA=d0QA@mail.gmail.com>
From: Fernando Gont <fgont@si6networks.com>
Openpgp: preference=signencrypt
Autocrypt: addr=fgont@si6networks.com; prefer-encrypt=mutual; keydata= mQINBE5so2gBEACzBQBLUy8nzgAzSZn6ViXT6TmZBFNYNqTpPRvTVtUqF6+tkI+IEd9N2E8p pXUXCd0W4dkxz6o7pagnK63m4QSueggvp881RVVHOF8oTSHOdnGxLfLeLNJFKE1FOutU3vod GK/wG/Fwzkv9MebdXpMlLV8nnJuAt66XGl/lU1JrNfrKO4SoYQi4TsB/waUQcygh7OR/PEO0 EttiU8kZUbZNv58WH+PAj/rdZCrgUSiGXiWUQQKShqKnJxLuAcTcg5YRwL8se/V6ciW0QR9i /sr52gSmLLbW5N3hAoO+nv1V/9SjJAUvzXu43k8sua/XlCXkqU7uLj41CRR72JeUZ4DQsYfP LfNPC98ZGTVxbWbFtLXxpzzDDT8i3uo7w1LJ2Ij/d5ezcARqw01HGljWWxnidUrjbTpxkJ9X EllcsH94mer728j/HKzC9OcTuz6WUBP3Crgl6Q47gY5ZIiF0lsmd9/wxbaq5NiJ+lGuBRZrD v0dQx9KmyI0/pH2AF8cW897/6ypvcyD/1/11CJcN+uAGIrklwJlVpRSbKbFtGC6In592lhu7 wnK8cgyP5cTU+vva9+g6P1wehi4bylXdlKc6mMphbtSA+T3WBNP557+mh3L62l4pGaEGidcZ DLYT2Ud18eAJmxU3HnM8P3iZZgeoK7oqgb53/eg96vkONXNIOwARAQABtCVGZXJuYW5kbyBH b250IDxmZ29udEBzaTZuZXR3b3Jrcy5jb20+iQJBBBMBAgArAhsjBQkSzAMABgsJCAcDAgYV CAIJCgsEFgIDAQIeAQIXgAUCTmylpQIZAQAKCRCuJQ1VHU50kv7wD/9fuNtTfxSLk3B3Hs3p ixTy8YXVjdkVwWlnJjFd7BOWmg7sI+LDhpjGfT6+ddOiwkumnvUZpObodj4ysH0i8c7P4C5t F9yu7WjklSlrB5Rth2CGChg5bKt541z2WHkFFxys9qBLmCSYDeKQkzLqhCjIUJizY2kOJ2GI MnSFDzJjhSFEh//oW830Y8fel1xnf/NVF+lBVtRMtMOfoWUqDjvP3sJ1G4zgkDCnF0CfncLx +hq2Mv26Uq9OTzvLH9aSQQ/f067BOkKAJKsfHdborX4E96ISTz57/4xECRSMr5dVsKVm4Y// uVIsb+L5z+a32FaiBZIAKDgnJO7Z8j6CV5e5yfuBTtX52Yi9HjYYqnYJGSDxYd6igD4bWu+7 xmJPHjkdqZgGV6dQIgiUfqkU+s5Cv350vK48CMaT/ZLo2BdsMhWsmaHmb+waePUMyq6E4E9x 9Js+EJb9ZiCfxS9exgieZQpet1L36IvhiwByvkQM009ywfa30JeMOltUtfLi5V06WQWsTzPL 5C+4cpkguSuAJVDTctjCA0moIeVDOpJ8WH9voQ4IeWapQnX35OIoj1jGJqqYdx65gc1ygbyx b8vw+pJ9E5GLse5TQnYifOWpXzX9053dtbwp/2OVhU4KLlzfCPCEsoTyfu9nIZxdI2PMwiL5 M85BfjX4NmwBLmPGoLkCDQRObKNoARAAqqXCkr250BchRDmi+05F5UQFgylUh10XTAJxBeaQ UNtdxZiZRm6jgomSrqeYtricM9t9K0qb4X2ZXmAMW8o8AYW3RrQHTjcBwMnAKzUIEXXWaLfG cid/ygmvWzIHgMDQKP+MUq1AGQrnvt/MRLvZLyczAV1RTXS58qNaxtaSpc3K/yrDozh/a4pu WcUsVvIkzyx43sqcwamDSBb6U8JFoZizuLXiARLLASgyHrrCedNIZdWSx0z0iHEpZIelA2ih AGLiSMtmtikVEyrJICgO81DkKNCbBbPg+7fi23V6M24+3syHk3IdQibTtBMxinIPyLFF0byJ aGm0fmjefhnmVJyCIl/FDkCHprVhTme57G2/WdoGnUvnT7mcwDRb8XY5nNRkOJsqqLPemKjz kx8mXdQbunXtX9bKyVgd1gIl+LLsxbdzRCch773UBVoortPdK3kMyLtZ4uMeDX3comjx+6VL bztUdJ1Zc9/njwVG8fgmQ+0Kj5+bzQfUY+MmX0HTXIx3B4R1I1a8QoOwi1N+iZNdewV5Zfq+ 29NlQLnVPjCRCKbaz9k6RJ2oIti55YUI6zSsL3lmlOXsRbXN5bRswFczkNSCJxJMlDiyAUIC WOay7ymzvgzPa+BY/mYn94vRaurDQ4/ljOfj6oqgfjts+dJev4Jj89vp8MQI3KJpZPEAEQEA AYkCJQQYAQIADwUCTmyjaAIbDAUJEswDAAAKCRCuJQ1VHU50km4xEACho45PZrUjY4Zl2opR DFNo5a6roTOPpgwO9PcBb3I5F8yX2Dnew+9OhgWXbBhAFq4DCx+9Gjs43Bn60qbZTDbLGJ/m 8N4PwEiq0e5MKceYcbetEdEUWhm5L6psU9ZZ82GR3UGxPXYe+oifEoJjOXQ39avf9S8p3yKP Diil0E79rn7LbJjMcgMLyjFg9SDoJ6pHLtniJoDhEAaSSgeV7Y745+gyMIdtQmrFHfqrFdjq D6G0HE+Z68ywc5KN67YxhvhBmSycs1ZSKAXv1zLDlXdmjHDHkU3xMcB+RkuiTba8yRFYwb/n j62CC4NhFTuIKOc4ta3dJsyXTGh/hO9UjWUnmAGfd0fnzTBZF8Qlnw/8ftx5lt4/O+eqY1EN RITScnPzXE/wMOlTtdkddQ+QN6xt6jyR2XtAIi7aAFHypIqA3lLI9hF9x+lj4UQ2yA9LqpoX 6URpPOd13JhAyDe47cwsP1u9Y+OBvQTVLSvw7Liu2b4KjqL4lx++VdBi7dXsjJ6kjIRjI6Lb WVpxe8LumMCuVDepTafBZ49gr7Fgc4F9ZSCo6ChgQNLn6WDzIkqFX+42KuHz90AHWhuW+KZR 1aJylERWeTcMCGUSBptd48KniWmD6kPKpzwoMkJtEXTuO2lVuborxzwuqOTNuYg9lWDl7zKt wPI9brGzquUHy4qRrA==
Message-ID: <f3607e4f-c805-3cb5-110b-f09cb8748577@si6networks.com>
Date: Fri, 19 Apr 2019 01:39:56 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
MIME-Version: 1.0
In-Reply-To: <CABcZeBPr2rfVkib684Gz4uCPWtFc4trwusJxNRJ6EPPpA=d0QA@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/pearg/VIIT5xYQvfDTihNed55TtU6Ymiw>
Subject: Re: [Pearg] [Secdispatch] Numeric IDs: Update to RFC3552
X-BeenThere: pearg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Privacy Enhancements and Assessment Proposed RG <pearg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/pearg>, <mailto:pearg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pearg/>
List-Post: <mailto:pearg@irtf.org>
List-Help: <mailto:pearg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/pearg>, <mailto:pearg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Apr 2019 23:40:22 -0000
On 19/4/19 01:09, Eric Rescorla wrote: > > > On Thu, Apr 18, 2019 at 3:03 PM Fernando Gont <fgont@si6networks.com > <mailto:fgont@si6networks.com>> wrote: > > On 18/4/19 15:45, Eric Rescorla wrote: > > > > > > On Tue, Apr 16, 2019 at 2:07 AM Fernando Gont > <fgont@si6networks.com <mailto:fgont@si6networks.com> > > <mailto:fgont@si6networks.com <mailto:fgont@si6networks.com>>> wrote: > > > > Folks, > > > > At the last secdispatch meeting I presented our I-D > > draft-gont-predictable-numeric-ids. > > > > >From the meeting discussion, it would seem to me that there > is support > > for this work. > > > > It would also seem to me that part of this work is to be > pursued in an > > appropriate IRTF rg, while the update to RFC3552 > > (draft-gont-numeric-ids-sec-considerations) should be pursued > as an > > AD-sponsored document. > > > > > > I'm somewhat skeptical on an update to 3552; the proposed set of > things > > to be improved seems unclear. > > Can you please state what's unclear? > > > I understand the list of things in your document. However, there have > been proposals for a larger revision to 3552. There was an effort to revise RFC3552. It just didn't happen. Looks like trying to boil the ocean wasn't the best idea. > > I don't think that the material in this document should be added to > > 3552, as the purpose of 3552 is not really to go into that kind of > > detail about any specific topic. > > What I would expect is that RFC3552 helps prevent us from coming up with > vulnerable implementations. > > > This is not the purpose of 3552. Rather, it is to document what is > required in a security considerations section in general (the threat > model, an overview of common issues, etc.) rather than to go into > detail about a specific kind of attack. Otherwise, the amount of detail > would become impractical. Indeed, just covering the space of attacks on > cryptographic protocols would be impractical. One might imagine that if > there were a revision it would contain a paragraph or three on this > topic, but nowhere near the 30-odd pages of material that is in this > document, and I don't think it's independently a reason to do a 3552 > revision. You seem to be looking at the wrong document. The document in question is this one: https://tools.ietf.org/html/draft-gont-numeric-ids-sec-considerations-03 It's a total of 9 pages. If you remove abstract, boilerplate, and references, you end up with ~4 pages. In fact, the update (and indispensable text) is that in Section 5, and boils down to: ---- cut here ---- 5. Security and Privacy Requirements for Identifiers Protocol specifications that specify transient numeric identifiers MUST: 1. Clearly specify the interoperability requirements for the aforementioned identifiers. 2. Provide a security and privacy analysis of the aforementioned identifiers. 3. Recommend an algorithm for generating the aforementioned identifiers that mitigates security and privacy issues, such as those discussed in [I-D.gont-predictable-numeric-ids]. ---- cut here ---- > That said, this document is *updating* RFC3552, rather than a revision > of RFC3552. Therefore, the content in this document wouldn't become part > of RFC3552, necessarily. > > > Well, the semantics of "Updates" would be somewhat confusing here. > Certainly I don't think that this document is something we need to > transitively incorporate into 3552, but I care a lot less about the > contents of this header than I do about whether 3552 should be updated > to include this material. I do think RFC3552 should be updated as indicated (this stuff is general enough to be covered there). That said, the high-order bit here is to do something to prevent the bad history we have wrt numeric ids from repeating itself. If the whole point is that you'd like the "Updates: 3552 (if approved)" header to be removed (along with references to "updating RFC3552"), please say so. What we care about is to produce a change in what specifications do with respect to numeric ids, rather than that what specific document we are updating. Thanks, -- Fernando Gont SI6 Networks e-mail: fgont@si6networks.com PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
- Re: [Pearg] [Secdispatch] Numeric IDs: Update to … Eric Rescorla
- Re: [Pearg] [Secdispatch] Numeric IDs: Update to … Fernando Gont
- Re: [Pearg] [Secdispatch] Numeric IDs: Update to … Fernando Gont
- Re: [Pearg] [Secdispatch] Numeric IDs: Update to … Eric Rescorla
- Re: [Pearg] [Secdispatch] Numeric IDs: Update to … Fernando Gont
- Re: [Pearg] [Secdispatch] Numeric IDs: Update to … Benjamin Kaduk
- Re: [Pearg] [Secdispatch] Numeric IDs: Update to … Hannes Tschofenig
- Re: [Pearg] [Secdispatch] Numeric IDs: Update to … Fernando Gont
- Re: [Pearg] [Secdispatch] Numeric IDs: Update to … Fernando Gont
- Re: [Pearg] [Secdispatch] Numeric IDs: Update to … Eric Rescorla
- Re: [Pearg] [Secdispatch] Numeric IDs: Update to … Fernando Gont