IETF Logo Mail Archive

Re: [saag] Additions to RFC 3631?

Mouse <mouse@Rodents-Montreal.ORG> Sat, 19 May 2012 03:32 UTC

Return-Path: <mouse@Sparkle.Rodents-Montreal.ORG>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A5CE9E802A for <saag@ietfa.amsl.com>; Fri, 18 May 2012 20:32:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.388
X-Spam-Level:
X-Spam-Status: No, score=-7.388 tagged_above=-999 required=5 tests=[BAYES_50=0.001, HELO_MISMATCH_ORG=0.611, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FO3M6cMCWUuY for <saag@ietfa.amsl.com>; Fri, 18 May 2012 20:32:00 -0700 (PDT)
Received: from Sparkle.Rodents-Montreal.ORG (Sparkle.Rodents-Montreal.ORG [216.46.5.7]) by ietfa.amsl.com (Postfix) with ESMTP id 3889B9E8025 for <saag@ietf.org>; Fri, 18 May 2012 20:32:00 -0700 (PDT)
Received: from localhost (localhost [[UNIX: localhost]]) by Sparkle.Rodents-Montreal.ORG (8.8.8/8.8.8) id XAA28531; Fri, 18 May 2012 23:31:58 -0400 (EDT)
Date: Fri, 18 May 2012 23:31:58 -0400
From: Mouse <mouse@Rodents-Montreal.ORG>
Message-Id: <201205190331.XAA28531@Sparkle.Rodents-Montreal.ORG>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Erik-Conspiracy: There is no Conspiracy - and if there were I wouldn't be part of it anyway.
X-Message-Flag: Microsoft: the company who gave us the botnet zombies.
X-Composition-Start-Date: Fri, 18 May 2012 22:52:03 -0400 (EDT)
To: saag@ietf.org
In-Reply-To: <300A2E9F-E99B-46FA-A101-E3611BD0D197@cs.columbia.edu>
References: <300A2E9F-E99B-46FA-A101-E3611BD0D197@cs.columbia.edu>
Subject: Re: [saag] Additions to RFC 3631?
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 May 2012 03:32:01 -0000

> Does anyone have any suggestions for additions or corrections to RFC
> 3631?

Yes.  I, at least, do.

> 2.2.  A Word about Mandatory Mechanisms

>    We have evolved in the IETF the notion of "mandatory to implement"
>    mechanisms.  [...blather about interoperability...]

>    It is important to understand that mandatory mechanisms are mandatory
>    to *implement*.  [...]

>                                              Particularly with security
>    mechanisms, just because a mechanism is mandatory to implement does
>    not imply that it should be the default mechanism or that it may not
>    be disabled by configuration.  If a mandatory to implement algorithm
>    is old and weak, it is better to disable it when a stronger algorithm
>    is available.

If the point of a mandatory-to-implement mechanism is interoperability,
allowing it to be disabled is a bad idea; it has pretty much the same
effect on interoperability as not having it there in the first place:
peers cannot count on its availability when speaking with peers they
have no particular knowledge of.

> 3.1.  One-Time Passwords

>    One-time password schemes, such as that described in [RFC2289], are
>    very much stronger than conventional passwords.  The host need not
>    store a copy of the user's password,

This is true of only some OTP schemes (and those schemes are the weaker
for it; any algorithmic relation between the passwords at all is a
potential point of attack).  Other OTP schemes require the host to
store the user's password to exactly the same extent that reusable
password schemes require the host to store their passwords.

>    nor is it ever transmitted over the network.

Again, this depends on the OTP scheme; indeed, most OTP schemes I am
aware of do indeed transmit the passwords used for authentication.

If this discussion is really supposed to be restricted to RFC2289
designs, the punctuation in the introductory sentence is misleading; as
quoted above, it says it's talking about OTP schemes in general, with
RFC2289-style schemes cited as an illustrative example, not as a
restrictive narrowing of the set of schemes being described.

> 3.3.  IPsec

>    The key management for IPsec can use either certificates or shared
>    secrets.  For all the obvious reasons, certificates are preferred;
>    however, they may present more of a headache for the system manager.

The statement that certificates "are preferred" is either false or
incomplete, because certs are preferred only for certain classes of
uses.  For others, a shared secret is better - different uses,
different tradeoffs.

> 3.4.  TLS

>                                                     It's an unfortunate
>    reality that even server side authentication it not as secure in
>    practice as the cryptography would imply because most implementations
>    allow users to ignore authentication failures [...]

If you want to cite "unfortunate realit[ies]", how about the one that
it really is not all that difficult to get a cert for someone else's
domain?  I recall, for example, hearing about the number of certs for
microsoft.com that had been issued to entities having nothing to do
with Microsoft.

> 3.8.  Security/Multipart

>    Security/Multiparts [RFC1847] are the preferred mechanism for
>    protecting email.

Again, asserting that a particular alternative is preferred is either
false or incomplete.  I, for example, have various reasons for
preferring other tools for securing email in many cases.

>    The Digital Signature Standard [DSS] and RSA [RSA] are both good
>    choices; each has its advantages.  [...]
>        [...].  DSS has much better performance than RSA for generating
>    new private keys,

This runs counter to my experience with them within the context of ssh,
for what little that may be worth.

> 4.1.  Plaintext Passwords

>    Plaintext passwords are the most common security mechanism in use
>    today.  Unfortunately, they are also the weakest.  When not protected
>    by an encryption layer, they are completely unacceptable.

Again, this is either false or incomplete.  There is a system I have
been using since early 1992, and co-adminning since late 1992, that
routinely uses reusable plaintext passwords over unsecured TCP
connections over the open Internet (indeed, I don't think we have any
other authentication mechanism available).  For our purposes, that's
entirely suitable, and I don't think it is for the IETF to tell us
otherwise.

Perhaps 3631 is writing strictly from the perspective of security
mechanisms in new protocols being considered for IETF approval; my
comments on 3.3, 3.8, and 4.1 do not apply then, but in that case I
think the introductory text needs to be a good deal clearer.  It's
titled "Security Mechanisms for the Internet", not "Security Mechanisms
for New IETF Protocols", after all.

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse@rodents-montreal.org
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

v2.23.0 | Report a Bug | By Email