Re: [proxies] [IETF Proxy] Next Steps
<Bernard_Aboba@hotmail.com> Sat, 03 May 2008 06:07 UTC
Return-Path: <proxies-bounces@ietf.org>
X-Original-To: proxies-archive@ietf.org
Delivered-To: ietfarch-proxies-archive@core3.amsl.com
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9F2393A6A36; Fri, 2 May 2008 23:07:43 -0700 (PDT)
X-Original-To: proxies@core3.amsl.com
Delivered-To: proxies@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2C2EE3A69C1 for <proxies@core3.amsl.com>; Fri, 2 May 2008 23:07:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.066
X-Spam-Level:
X-Spam-Status: No, score=-1.066 tagged_above=-999 required=5 tests=[AWL=-0.134, BAYES_00=-2.599, SARE_HEAD_XUNSENT=1.666, STOX_REPLY_TYPE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XDyFnMqxMoSr for <proxies@core3.amsl.com>; Fri, 2 May 2008 23:07:42 -0700 (PDT)
Received: from blu0-omc2-s21.blu0.hotmail.com (blu0-omc2-s21.blu0.hotmail.com [65.55.111.96]) by core3.amsl.com (Postfix) with ESMTP id 5AE453A68CB for <proxies@ietf.org>; Fri, 2 May 2008 23:07:42 -0700 (PDT)
Received: from BLU137-DS6 ([65.55.111.73]) by blu0-omc2-s21.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Fri, 2 May 2008 23:07:43 -0700
X-Originating-IP: [24.18.147.115]
X-Originating-Email: [bernard_aboba@hotmail.com]
Message-ID: <BLU137-DS6C89AAEC0FCF9AC99747E93D50@phx.gbl>
From: Bernard_Aboba@hotmail.com
In-Reply-To: <7.0.1.0.2.20080416172531.02401228@nist.gov><200804171550.48931.stefan.winter@restena.lu> <273c5c8bff26c3c057519da2b038e1ba.squirrel@www.trepanning.net>
To: Dan Harkins <dharkins@lounge.org>, Stefan Winter <stefan.winter@restena.lu>
References: <7.0.1.0.2.20080416172531.02401228@nist.gov><200804171550.48931.stefan.winter@restena.lu> <273c5c8bff26c3c057519da2b038e1ba.squirrel@www.trepanning.net>
X-Unsent: 1
Date: Fri, 02 May 2008 23:08:01 -0700
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 12.0.1606
X-MimeOLE: Produced By Microsoft MimeOLE V12.0.1606
X-OriginalArrivalTime: 03 May 2008 06:07:43.0944 (UTC) FILETIME=[0068AC80:01C8ACE4]
Cc: proxies@ietf.org
Subject: Re: [proxies] [IETF Proxy] Next Steps
X-BeenThere: proxies@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion list for ad hoc group interested in security and proxies <proxies.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/proxies>, <mailto:proxies-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:proxies@ietf.org>
List-Help: <mailto:proxies-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/proxies>, <mailto:proxies-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: proxies-bounces@ietf.org
Errors-To: proxies-bounces@ietf.org
> These are not things that I think we _have_ to deal with especially in > a technical forum. I would agree. In years of previous discussion, including published RFCs dealing with the proxy threat model, the assumption has always been that the IETF's goal is to enable the deployment of secure systems. The goal of enabling surveillance, information gathering, or unlawful intercept has not previously been a goal. The point of this is I think, that one cannot have a rational discussion of security measures, if in fact, the goal is actually to enable backdoors. A system that is engineered to provide a backdoor will inevitably (surprise!) be found to have a security vulnerability. So I think we need to be very explicit about what we are trying to achieve -- and also, we need to be very clear about the actual extent of the problem today. > I have heard many other reasons why AAA proxies must exist. The functions of proxies are described in some detail in RFC 2607, Section 4.1. > This does highlight threats though. It's not just that proxies can > listen to AAA exchanges, they can glean information out of AAA exchanges, > and they can constrain or deny service that should otherwise be > unconstrained or allowed. It is also possible that proxies can allow service that might otherwise be denied (even though this is forbidden by RFC 2607 Section 5.1). However, as described in RFC 2607 Section 5.2, the implementation of "policy" typically applies to authentication/authorization, but not to accounting. _______________________________________________ Proxies mailing list Proxies@ietf.org https://www.ietf.org/mailman/listinfo/proxies
- [proxies] [IETF Proxy] Next Steps Katrin Hoeper
- Re: [proxies] [IETF Proxy] Next Steps Stefan Winter
- Re: [proxies] [IETF Proxy] Next Steps Alan DeKok
- Re: [proxies] [IETF Proxy] Next Steps Stefan Winter
- Re: [proxies] [IETF Proxy] Next Steps Glen Zorn
- Re: [proxies] [IETF Proxy] Next Steps Stefan Winter
- Re: [proxies] [IETF Proxy] Next Steps Glen Zorn
- Re: [proxies] [IETF Proxy] Next Steps Katrin Hoeper
- Re: [proxies] [IETF Proxy] Next Steps Stefan Winter
- Re: [proxies] [IETF Proxy] Next Steps Bernard Aboba
- Re: [proxies] [IETF Proxy] Next Steps Dan Harkins
- Re: [proxies] [IETF Proxy] Next Steps Alan DeKok
- Re: [proxies] [IETF Proxy] Next Steps Bernard_Aboba
- Re: [proxies] [IETF Proxy] Next Steps Bernard_Aboba
- Re: [proxies] [IETF Proxy] Next Steps Glen Zorn
- Re: [proxies] [IETF Proxy] Next Steps Dan Harkins
- Re: [proxies] [IETF Proxy] Next Steps Dan Harkins
- Re: [proxies] [IETF Proxy] Next Steps Stefan Winter
- Re: [proxies] [IETF Proxy] Next Steps Klaas Wierenga
- Re: [proxies] [IETF Proxy] Next Steps Glen Zorn
- Re: [proxies] [IETF Proxy] Next Steps Klaas Wierenga
- Re: [proxies] [IETF Proxy] Next Steps Stefan Winter
- Re: [proxies] [IETF Proxy] Next Steps Klaas Wierenga