IETF Logo Mail Archive

[radext] #148: Review of dynamic-discovery by Jim Schaad

"radext issue tracker" <trac+radext@trac.tools.ietf.org> Mon, 25 February 2013 15:43 UTC

Return-Path: <trac+radext@trac.tools.ietf.org>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA15321F9488 for <radext@ietfa.amsl.com>; Mon, 25 Feb 2013 07:43:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.59
X-Spam-Level:
X-Spam-Status: No, score=-102.59 tagged_above=-999 required=5 tests=[AWL=0.009, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1-eLXCQRue30 for <radext@ietfa.amsl.com>; Mon, 25 Feb 2013 07:43:17 -0800 (PST)
Received: from grenache.tools.ietf.org (grenache.tools.ietf.org [IPv6:2a01:3f0:1:2::30]) by ietfa.amsl.com (Postfix) with ESMTP id CD40E21F9480 for <radext@ietf.org>; Mon, 25 Feb 2013 07:43:16 -0800 (PST)
Received: from localhost ([127.0.0.1]:38346 helo=grenache.tools.ietf.org ident=www-data) by grenache.tools.ietf.org with esmtp (Exim 4.80) (envelope-from <trac+radext@trac.tools.ietf.org>) id 1UA0Cx-0005Gj-ET; Mon, 25 Feb 2013 16:43:15 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: radext issue tracker <trac+radext@trac.tools.ietf.org>
X-Trac-Version: 0.12.3
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.12.3, by Edgewall Software
To: draft-ietf-radext-dynamic-discovery@tools.ietf.org, stefan.winter@restena.lu
X-Trac-Project: radext
Date: Mon, 25 Feb 2013 15:43:15 -0000
X-URL: http://tools.ietf.org/radext/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/radext/trac/ticket/148
Message-ID: <065.a122826c6d7c009295065142646863ee@trac.tools.ietf.org>
X-Trac-Ticket-ID: 148
X-SA-Exim-Connect-IP: 127.0.0.1
X-SA-Exim-Rcpt-To: draft-ietf-radext-dynamic-discovery@tools.ietf.org, stefan.winter@restena.lu, radext@ietf.org
X-SA-Exim-Mail-From: trac+radext@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on grenache.tools.ietf.org); SAEximRunCond expanded to false
Resent-To: mikem@open.com.au, stefan.winter@restena.lu
Resent-Message-Id: <20130225154316.CD40E21F9480@ietfa.amsl.com>
Resent-Date: Mon, 25 Feb 2013 07:43:16 -0800
Resent-From: trac+radext@trac.tools.ietf.org
Cc: radext@ietf.org
Subject: [radext] #148: Review of dynamic-discovery by Jim Schaad
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Reply-To: radext@ietf.org
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Feb 2013 15:43:17 -0000

#148: Review of dynamic-discovery by Jim Schaad

 1) In section 2.3.3, step 4 - what is to be considered an error at this
 point.  For example, there are a number of odd conditions that can be
 returned from DNSSEC, specifically the "indeterminate" state.

 2) In section 2.3.4 - Given that the above algorithm does not return a TTL
 value in the event of an empty set or define how to know the TTL value -
 what is the TTL value to be used in in paragraph 2 "negative TTL"?

 3) In section 2.3.5 - Does it make sense to return a result, but to
 continue the algorithm and store the result after the timeouts for later
 use?

 4) I find the security considerations to be completely inadequate for this
 document.
 Use of a certificate is only going to be valid if the original realm name
 that is the input the validation routine is what is found and matched in
 the certificate.  In this case I would not know where in the name or alt
 name fields of the certificate it would be found.  You cannot validate to
 the final DNS name as that is now an untrusted value.

 The suggestion of out-of-band validation methods ignores the existence of
 DANE.

 The NAI document suggests that the RADIUS peer is pre-configured with
 information about certificates or TLS validation data.  The suggested text
 works in the case that the table says do dynamic lookup and here is the
 TLS configuration data.  But in other cases it is completely unclear how a
 TLS-PSK would be found for a dynamic lookup.

-- 
-------------------------------------+-------------------------------------
 Reporter:                           |      Owner:  draft-ietf-radext-
  stefan.winter@restena.lu           |  dynamic-discovery@tools.ietf.org
     Type:  defect                   |     Status:  new
 Priority:  major                    |  Milestone:  milestone1
Component:  dynamic-discovery        |    Version:  1.0
 Severity:  -                        |   Keywords:
-------------------------------------+-------------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/radext/trac/ticket/148>
radext <http://tools.ietf.org/radext/>

v2.23.0 | Report a Bug | By Email