[radext] #148: Review of dynamic-discovery by Jim Schaad
"radext issue tracker" <trac+radext@trac.tools.ietf.org> Mon, 25 February 2013 15:43 UTC
Return-Path: <trac+radext@trac.tools.ietf.org>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA15321F9488 for <radext@ietfa.amsl.com>; Mon, 25 Feb 2013 07:43:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.59
X-Spam-Level:
X-Spam-Status: No, score=-102.59 tagged_above=-999 required=5 tests=[AWL=0.009, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1-eLXCQRue30 for <radext@ietfa.amsl.com>; Mon, 25 Feb 2013 07:43:17 -0800 (PST)
Received: from grenache.tools.ietf.org (grenache.tools.ietf.org [IPv6:2a01:3f0:1:2::30]) by ietfa.amsl.com (Postfix) with ESMTP id CD40E21F9480 for <radext@ietf.org>; Mon, 25 Feb 2013 07:43:16 -0800 (PST)
Received: from localhost ([127.0.0.1]:38346 helo=grenache.tools.ietf.org ident=www-data) by grenache.tools.ietf.org with esmtp (Exim 4.80) (envelope-from <trac+radext@trac.tools.ietf.org>) id 1UA0Cx-0005Gj-ET; Mon, 25 Feb 2013 16:43:15 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: radext issue tracker <trac+radext@trac.tools.ietf.org>
X-Trac-Version: 0.12.3
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.12.3, by Edgewall Software
To: draft-ietf-radext-dynamic-discovery@tools.ietf.org, stefan.winter@restena.lu
X-Trac-Project: radext
Date: Mon, 25 Feb 2013 15:43:15 -0000
X-URL: http://tools.ietf.org/radext/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/radext/trac/ticket/148
Message-ID: <065.a122826c6d7c009295065142646863ee@trac.tools.ietf.org>
X-Trac-Ticket-ID: 148
X-SA-Exim-Connect-IP: 127.0.0.1
X-SA-Exim-Rcpt-To: draft-ietf-radext-dynamic-discovery@tools.ietf.org, stefan.winter@restena.lu, radext@ietf.org
X-SA-Exim-Mail-From: trac+radext@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on grenache.tools.ietf.org); SAEximRunCond expanded to false
Resent-To: mikem@open.com.au, stefan.winter@restena.lu
Resent-Message-Id: <20130225154316.CD40E21F9480@ietfa.amsl.com>
Resent-Date: Mon, 25 Feb 2013 07:43:16 -0800
Resent-From: trac+radext@trac.tools.ietf.org
Cc: radext@ietf.org
Subject: [radext] #148: Review of dynamic-discovery by Jim Schaad
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Reply-To: radext@ietf.org
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Feb 2013 15:43:17 -0000
#148: Review of dynamic-discovery by Jim Schaad 1) In section 2.3.3, step 4 - what is to be considered an error at this point. For example, there are a number of odd conditions that can be returned from DNSSEC, specifically the "indeterminate" state. 2) In section 2.3.4 - Given that the above algorithm does not return a TTL value in the event of an empty set or define how to know the TTL value - what is the TTL value to be used in in paragraph 2 "negative TTL"? 3) In section 2.3.5 - Does it make sense to return a result, but to continue the algorithm and store the result after the timeouts for later use? 4) I find the security considerations to be completely inadequate for this document. Use of a certificate is only going to be valid if the original realm name that is the input the validation routine is what is found and matched in the certificate. In this case I would not know where in the name or alt name fields of the certificate it would be found. You cannot validate to the final DNS name as that is now an untrusted value. The suggestion of out-of-band validation methods ignores the existence of DANE. The NAI document suggests that the RADIUS peer is pre-configured with information about certificates or TLS validation data. The suggested text works in the case that the table says do dynamic lookup and here is the TLS configuration data. But in other cases it is completely unclear how a TLS-PSK would be found for a dynamic lookup. -- -------------------------------------+------------------------------------- Reporter: | Owner: draft-ietf-radext- stefan.winter@restena.lu | dynamic-discovery@tools.ietf.org Type: defect | Status: new Priority: major | Milestone: milestone1 Component: dynamic-discovery | Version: 1.0 Severity: - | Keywords: -------------------------------------+------------------------------------- Ticket URL: <http://trac.tools.ietf.org/wg/radext/trac/ticket/148> radext <http://tools.ietf.org/radext/>
- [radext] #148: Review of dynamic-discovery by Jim… radext issue tracker
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Sam Hartman
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Sam Hartman
- Re: [radext] #148: Review of dynamic-discovery by… Jim Schaad
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Sam Hartman
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Sam Hartman
- Re: [radext] #148: Review of dynamic-discovery by… Jim Schaad
- Re: [radext] #148: Review of dynamic-discovery by… Jim Schaad
- Re: [radext] #148: Review of dynamic-discovery by… Jouni Korhonen
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Sam Hartman
- Re: [radext] #148: Review of dynamic-discovery by… radext issue tracker
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Sam Hartman
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Sam Hartman
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… Jim Schaad
- Re: [radext] #148: Review of dynamic-discovery by… Jim Schaad
- Re: [radext] #148: Review of dynamic-discovery by… Stefan Winter
- Re: [radext] #148: Review of dynamic-discovery by… radext issue tracker