Re: [saag] Additions to RFC 3631?
"Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> Tue, 29 May 2012 16:58 UTC
Return-Path: <hannes.tschofenig@nsn.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB9F421F8655 for <saag@ietfa.amsl.com>; Tue, 29 May 2012 09:58:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.566
X-Spam-Level:
X-Spam-Status: No, score=-106.566 tagged_above=-999 required=5 tests=[AWL=0.033, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wGJNcWA0hQQ4 for <saag@ietfa.amsl.com>; Tue, 29 May 2012 09:58:01 -0700 (PDT)
Received: from demumfd001.nsn-inter.net (demumfd001.nsn-inter.net [93.183.12.32]) by ietfa.amsl.com (Postfix) with ESMTP id B515321F864C for <saag@ietf.org>; Tue, 29 May 2012 09:58:00 -0700 (PDT)
Received: from demuprx016.emea.nsn-intra.net ([10.150.129.55]) by demumfd001.nsn-inter.net (8.12.11.20060308/8.12.11) with ESMTP id q4TGvxmq017057 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 29 May 2012 18:57:59 +0200
Received: from DEMUEXC048.nsn-intra.net ([10.159.32.94]) by demuprx016.emea.nsn-intra.net (8.12.11.20060308/8.12.11) with ESMTP id q4TGvuoE023790; Tue, 29 May 2012 18:57:59 +0200
Received: from FIESEXC035.nsn-intra.net ([10.159.0.25]) by DEMUEXC048.nsn-intra.net with Microsoft SMTPSVC(6.0.3790.4675); Tue, 29 May 2012 18:57:59 +0200
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 29 May 2012 19:59:56 +0300
Message-ID: <999913AB42CC9341B05A99BBF358718D017FDDE9@FIESEXC035.nsn-intra.net>
In-Reply-To: <1FD05DC1-A041-40B3-96B0-8C5EE944A108@shinkuro.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [saag] Additions to RFC 3631?
Thread-Index: Ac09uorQA842oDRqRQu2gYB9BeKxYQAAT12g
References: <300A2E9F-E99B-46FA-A101-E3611BD0D197@cs.columbia.edu><877gw69h81.fsf@latte.josefsson.org> <4FB9ECA4.3010904@gmail.com><D54BB652-9B1D-4A19-8F8F-AF288E4ADE24@cs.columbia.edu> <1FD05DC1-A041-40B3-96B0-8C5EE944A108@shinkuro.com>
From: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
To: ext Steve Crocker <steve@shinkuro.com>, IETF Security Area Advisory Group <saag@ietf.org>
X-OriginalArrivalTime: 29 May 2012 16:57:59.0087 (UTC) FILETIME=[33814BF0:01CD3DBC]
X-purgate-type: clean
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-size: 4393
X-purgate-ID: 151667::1338310679-00001F01-1D2D4B5D/0-0/0-0
Subject: Re: [saag] Additions to RFC 3631?
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 May 2012 16:58:02 -0000
The transition from one security solution to another one was already mentioned at the Paris IAB technical plenary as a tough issue. (Looking at IPv6 it seems that transition is in general a problem -- not only for security.) What surprised me with the presentations of the panel members was that there are even new security problems introduced with the roll-out of new solution solutions that interfere badly with existing deployments. Chris Weber provided the example of CORS. Here is the pointer to the slides and the meeting minutes (in case someone wasn't listening to the plenary): http://www.ietf.org/proceedings/83/technical-plenary.html In a nutshell, I agree with what you state below, Steve. I would just extend it beyond cryptographic algorithms. > -----Original Message----- > From: saag-bounces@ietf.org [mailto:saag-bounces@ietf.org] On Behalf Of > ext Steve Crocker > Sent: Monday, May 21, 2012 5:12 PM > To: IETF Security Area Advisory Group > Cc: Steve Crocker > Subject: Re: [saag] Additions to RFC 3631? > > I've been lurking and only following loosely, so I apologize in advance > if the following is off the mark. > > I was pleased to see mention of RFC 4086 on proper implementation of > random number generation -- I am proud to be one of the co-authors -- > but I thought the issue at hand is transition of crypto algorithms when > current algorithms become obsolete. This is a problem that occurs in > all protocols that use crypto algorithms, and in my opinion we have > underplayed this in our designs. Every protocol that uses crypto should > be designed with transition mechanisms built in -- and tested! -- on the > assumption the protocol will outlive the current set of crypto > algorithms. > > Whether we adopt a generic way of doing this across protocols or a > specific way for each protocol is a matter of discussion. If we can't > come up with a way to do it in a uniform way, then it's ok with me to > have a separate way for each protocol. In any case, I think it's > important -- no, that's not strong enough -- essential to have a way of > transitioning from current algorithms to future algorithms without > disrupting service. These transitions will usually take a fairly long > time, five to ten years I think, so the process can be somewhat relaxed. > Relaxed does not mean undefined or vacuous. > > Steve > > On May 21, 2012, at 10:01 AM, Steven Bellovin wrote: > > > As noted by others, RFC 4086 covers that. It may also need improving; > I haven't reread it recently. However, even a pointer to it is out of > place in 3631bis. 3631 is about protocol mechanisms; 4086 is about > implementations. Mouse Mouse's suggestions are more in the domain of > 3365, which is security design philosophy. 3631 says "if you want to > put security into a protocol, here are the best choices we have today". > My question is whether or not that list should be changed. > > > > On May 21, 2012, at 3:20 04AM, Yaron Sheffer wrote: > > > >> And a short section on crypto-grade random number generation. I would > be glad to contribute it. > >> > >> Yaron > >> > >> On 05/21/2012 09:32 AM, Simon Josefsson wrote: > >>> Steven Bellovin<smb@cs.columbia.edu> writes: > >>> > >>>> Does anyone have any suggestions for additions or corrections to > RFC 3631? > >>>> It looks to me like it's held up pretty well, save for newer > versions of > >>>> some of the protocols. > >>> > >>> I think channel bindings ought to be discussed, as a simple way to > bind > >>> different layers together to avoid certain attacks. It could be > >>> discussed in the SASL or GSS-API section. Further, I think EAP as a > >>> protocol should be included in the list of standard security > mechanisms. > >>> > >>> /Simon > >>> _______________________________________________ > >>> saag mailing list > >>> saag@ietf.org > >>> https://www.ietf.org/mailman/listinfo/saag > >> > > > > > > --Steve Bellovin, https://www.cs.columbia.edu/~smb > > > > > > > > > > > > _______________________________________________ > > saag mailing list > > saag@ietf.org > > https://www.ietf.org/mailman/listinfo/saag > > _______________________________________________ > saag mailing list > saag@ietf.org > https://www.ietf.org/mailman/listinfo/saag
- Re: [saag] Additions to RFC 3631? Yaron Sheffer
- Re: [saag] Additions to RFC 3631? Eliot Lear
- Re: [saag] Additions to RFC 3631? Mouse
- Re: [saag] Additions to RFC 3631? Simon Josefsson
- [saag] Additions to RFC 3631? Steven Bellovin
- Re: [saag] Additions to RFC 3631? Mouse
- Re: [saag] Additions to RFC 3631? Simon Josefsson
- Re: [saag] Additions to RFC 3631? Stephen Farrell
- Re: [saag] Additions to RFC 3631? Yaron Sheffer
- Re: [saag] Additions to RFC 3631? Eliot Lear
- Re: [saag] Additions to RFC 3631? Steven Bellovin
- Re: [saag] Additions to RFC 3631? Paul Hoffman
- Re: [saag] Additions to RFC 3631? Nico Williams
- Re: [saag] Additions to RFC 3631? Joe Touch
- Re: [saag] Additions to RFC 3631? Nico Williams
- Re: [saag] Additions to RFC 3631? Nico Williams
- Re: [saag] Additions to RFC 3631? Steven Bellovin
- Re: [saag] Additions to RFC 3631? Nico Williams
- Re: [saag] Additions to RFC 3631? Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [saag] Additions to RFC 3631? Steven Bellovin
- Re: [saag] Additions to RFC 3631? Yaron Sheffer
- Re: [saag] Additions to RFC 3631? Nico Williams
- Re: [saag] Additions to RFC 3631? Jeffrey Hutzelman
- Re: [saag] Additions to RFC 3631? Joe Touch
- Re: [saag] Additions to RFC 3631? Hannes Tschofenig
- Re: [saag] Additions to RFC 3631? Nico Williams
- Re: [saag] Additions to RFC 3631? Steven Bellovin
- Re: [saag] Additions to RFC 3631? Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [saag] Additions to RFC 3631? Steve Crocker
- Re: [saag] Additions to RFC 3631? Tschofenig, Hannes (NSN - FI/Espoo)