[saag] Sean's 1st AD Notes for 2010-04
Sean Turner <turners@ieca.com> Fri, 07 May 2010 02:23 UTC
Message-ID: <4BE37986.70908@ieca.com>
Date: Thu, 06 May 2010 22:23:02 -0400
From: Sean Turner <turners@ieca.com>
To: saag@ietf.org
Subject: [saag] Sean's 1st AD Notes for 2010-04
Here's my 1st attempt at continuing Pasi's much liked monthly AD notes. It's a short status update about what things are going on from my point-of-view. If you notice anything that doesn't look right, let me know -- miscommunication and mix-ups do happen. Pasi had a clock going on many of these. I'm going to restart the clock. Oh and the date format is YYYY-MM-DD. Also these were written as of 2010-05-01 and things have happened since then.

Cheers,
spt

MISC NOTES

- Reviewed SAAG meeting minutes (Thanks Tero for the draft).
- IETF 78 planning with Tim: SAAG presentations.
- Arranged weekly call with Tim.
- Learning just how much I'm going to rely on SECDIR reviews.
- Reviewed draft-iab-auth-mech and provided lots of comments.
- ~100 errata received from Constantin Hagemeier on RFC 3447, RFC 4301, RFC 4302, RFC 4306, and RFC 4880. Will rely on authors to help resolve these.
- Errata 762, 1609, 1620, 1840, 2090, 2089, 2090, 2089, 2088, 2087, Held for Document Update (HFDU).
- Errata 1886, 1812, 1676, 1839, and 1886 verified.
- Errata 1480 rejected.

WORKING GROUPS

DKIM

- draft-ietf-dkim-deployment: In AUTH48. RFC editor is waiting for authors to respond to questions. 2010-04-30.
- A ton of email that I haven't gotten all the way through.
- Errata 1532 and 1596: Awaiting WG chairs' proposal for new text and recommended status. 2010-05-05.

EMU

- WG chairs submitted/delivered response to ITU-T X.1034 liaison.
- draft-ietf-emu-eaptunnel-req: Joe proposed some text for the mandatory attributes section and text to address Dan's comments. Joe was going to publish new I-D. 2010-04-25.

IPSECME

- RFC 5480 published (was draft-ietf-ipsecme-traffic-visibility).
- draft-ietf-ipsecme-aes-ctr-ikev2: Completed last call and is on the 2010-05-06 IESG telechat.
- draft-ietf-ipsecme-ikev2bis: On 2010-05-06 IESG telechat.
- draft-ietf-ipsecme-roadmap: Authors told me they're almost done with their edits. Will post new version in early 2010-05. Expecting to IETF LC the document in 2010-05.
- draft-ietf-ipsecme-ipsec-ha: Revised.
- draft-ietf-ipsecme-eap-mutual: Revised.
- (not a WG item and it happened in 2010-03) draft-sheffer-ipsecme-pake-criteria-02.txt: Fair amount of discussion about definition of gateway.

ISMS

- draft-ietf-isms-dtls-tm: Added to 2010-05-06 IESG telechat.
- draft-ietf-isms-radius-vacm: Need to get this one moving again.

KEYPROV (I know it's Tim's but I am following it closely)

- draft-ietf-keyprov-dskpp: Completed IETF LC. Dealt with GEN-ART comments. Placed on 2010-05-06 IESG telechat. Began dealing with AD DISCUSS/COMMENT positions.
- draft-ietf-keyprov-pskc: Completed IETF LC. Placed on 2010-05-06 IESG telechat.
- draft-ietf-keyprov-symmetrickeyformat: Completed IETF LC. Placed on 2010-05-06 IESG telechat. Began dealing with AD DISCUSS/COMMENT positions.

SASL

- draft-ietf-sasl-gs2 and draft-ietf-sasl-scram: In RFC editor queue, waiting for draft-altman-tls-channel-bindings.
- (not WG item) draft-altman-tls-channel-bindings: Entered COMMENT position. Authors extremely responsive and all were resolved a week before the 2010-05-06 IESG telechat.

SYSLOG

- draft-ietf-syslog-sign: RFC editor is waiting for J. Kelsey to respond. I have also pinged him via email. Next step is a phone call. 2010-05-05.
- draft-ietf-syslog-dtls: Provided AD comments. Awaiting new version before issuing IETF LC.

TLS

- draft-ietf-tls-rfc4366-bis: Need to get this one moving. Still waiting on WG chairs/editor to drive discussion/propose text about the following topics (same as from Pasi's last email):

  1) The "server_name" extension contains a list of domain names. Apparently, existing clients only send one, and some servers ignore everything except the first one. Since it seems nobody is using multiple names (and there are some unclear aspects about their exact semantics), perhaps the spec should just forbid more than one name of the same "name_type"?

  2) The document probably should be clearer about how "server_name" and session resumption interact (or do not interact). In particular, are Session IDs scoped by "server_name"? (If they are, the client MUST send the same "server_name" when resuming a session.) If they are not, does the server ignore the "server_name" when it resumes the session (in case the "server_name" in the original session was different) or not? IMHO RFC 4366 is quite clear that "server_name" is completely ignored when the server resumes a session (so Session IDs are not scoped by "server_name", and the server does not check it against the original session), but perhaps it doesn't hurt to clarify this with some new text.

  3) As noted in Stephen Farrell's SecDir review (http://www.ietf.org/mail-archive/web/secdir/current/msg01195.html), the document probably should explain why SHA-1 is OK and algorithm agility is not needed. Tim and I have agreed with the WG that this use of SHA-1 (without algorithm agility) is acceptable. "trusted_ca_keys" clearly does not need a cryptographic function, and client_certificate_url does not seem to be affected by collisions either (and this extension is rarely used, so creating a new extension with agility is not really useful work).

  4) Joe thought the WG should also consider whether the renegotiation fix has any effect on the "server_name" extension. I don't think it necessarily does (beyond the one sentence that's already in RFC 5746).

- draft-ietf-tls-cached-info: New version posted.

OTHER DOCUMENTS

- draft-hoffman-tls-additional-random-ext: Initiated IETF LC. Lots of discussion.
- draft-hoffman-tls-master-secret-input: Initiated IETF LC. Some discussion, but not nearly as much as draft-hoffman-tls-additional-random-ext.

DISCUSSES

- draft-ietf-avt-register-srtp: Awaiting response from Robert wrt his discussions with Cullen. 2010-04-22.
- draft-ietf-bmwg-ipsec-meth: I picked up Pasi's DISCUSS. 2010-04-08.
- draft-ietf-bmwg-ipsec-term: I picked up Pasi's DISCUSS. 2010-03-31.
- draft-ietf-csi-hash-threat: I picked up Pasi's DISCUSS. 2010-04-08.
- draft-ietf-geopriv-lis-discovery: Tim picked up Pasi's DISCUSS, but we're both working with the authors and the AD to resolve this one.
- draft-ietf-sipping-config-framework: Waiting for revised I-D. 2010-04-22.
- draft-cheshire-dnsext-nbp: I picked up part of Pasi's DISCUSS and Russ picked up the rest.
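TLS item 1 above turns on the wire format of the "server_name" extension: a ServerNameList that may carry several entries, each with a name_type, where in practice clients send one host_name and some servers only look at the first. The Python below is an added example, not code from this email or from the TLS working group. It parses the extension body as laid out in RFC 4366 (uint16 list length, then entries of uint8 name_type, uint16 length, name bytes), enforces the HostName rules RFC 4366 already states (ASCII, no trailing dot, no IP literal), and, on the assumption that the proposal in item 1 is adopted, rejects a list with more than one name of the same name_type. The helper names and the sample byte strings are constructed for the example.

```python
import struct

# name_type value for host_name, the only NameType RFC 4366 defines
HOST_NAME = 0


class SNIError(ValueError):
    """Raised when a server_name extension body is malformed or breaks a rule."""


def _validate_host_name(raw: bytes) -> str:
    """Apply the HostName rules from RFC 4366: ASCII DNS name, no trailing dot, no IP literal."""
    try:
        name = raw.decode("ascii")
    except UnicodeDecodeError:
        raise SNIError("HostName is not ASCII") from None
    if not name or name.endswith("."):
        raise SNIError("HostName must be a non-empty DNS name without a trailing dot")
    labels = name.split(".")
    if any(not label for label in labels):
        raise SNIError("empty label in HostName")
    if ":" in name or all(label.isdigit() for label in labels):
        raise SNIError("literal IP addresses are not permitted in HostName")
    return name


def parse_server_name_list(ext_data: bytes, forbid_duplicate_types: bool = True) -> list:
    """Parse the body of a server_name extension into (name_type, name) tuples.

    Wire format (RFC 4366 section 3.1):
        ServerNameList: uint16 length, then one or more ServerName entries
        ServerName:     uint8 name_type, then uint16 length + name bytes
    With forbid_duplicate_types=True a second entry of an already-seen
    name_type is rejected (the rule proposed in item 1; an assumption here).
    """
    if len(ext_data) < 2:
        raise SNIError("truncated ServerNameList length")
    (list_len,) = struct.unpack("!H", ext_data[:2])
    body = ext_data[2:]
    if list_len != len(body):
        raise SNIError("ServerNameList length does not match extension length")
    if list_len == 0:
        raise SNIError("ServerNameList must contain at least one entry")

    names = []
    seen_types = set()
    pos = 0
    while pos < len(body):
        if pos + 3 > len(body):
            raise SNIError("truncated ServerName entry")
        name_type = body[pos]
        (name_len,) = struct.unpack("!H", body[pos + 1:pos + 3])
        pos += 3
        if name_len == 0 or pos + name_len > len(body):
            raise SNIError("bad name length in ServerName entry")
        raw = body[pos:pos + name_len]
        pos += name_len

        if forbid_duplicate_types and name_type in seen_types:
            raise SNIError("more than one name of name_type %d" % name_type)
        seen_types.add(name_type)

        # Only host_name has defined semantics; other name_types are kept as raw bytes.
        name = _validate_host_name(raw) if name_type == HOST_NAME else raw
        names.append((name_type, name))
    return names


def build_server_name_list(host_names) -> bytes:
    """Encode host_name entries into a server_name extension body (used to feed the parser)."""
    entries = b"".join(
        bytes([HOST_NAME]) + struct.pack("!H", len(h)) + h.encode("ascii")
        for h in host_names
    )
    return struct.pack("!H", len(entries)) + entries


def host_name_from_sni(ext_data: bytes):
    """Return the single host_name a server should act on, or None if there is no host_name entry."""
    for name_type, name in parse_server_name_list(ext_data):
        if name_type == HOST_NAME:
            return name
    return None


if __name__ == "__main__":
    # Constructed samples: a well-formed single-entry list, then a two-entry list.
    single = build_server_name_list(["example.com"])
    print(single.hex(), "->", parse_server_name_list(single))
    double = build_server_name_list(["a.example", "b.example"])
    print("lenient:", parse_server_name_list(double, forbid_duplicate_types=False))
    try:
        parse_server_name_list(double)
    except SNIError as err:
        print("strict: rejected:", err)
```

The parser checks the outer length against the actual extension length before walking the entries, so a list that claims more bytes than were received is refused rather than read past the end; the strict/lenient switch isolates the one behaviour item 1 is asking the WG to decide. Item 2 (whether a resumed session is checked against the offered "server_name") is a server-state question outside this parser.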