Re: [saag] Fwd: I-D Action: draft-iab-identifier-comparison-05.txt

Christian Huitema <huitema@microsoft.com> Tue, 23 October 2012 01:04 UTC

From: Christian Huitema <huitema@microsoft.com>
To: Russ Housley <housley@vigilsec.com>, IETF SAAG <saag@ietf.org>
Date: Sun, 21 Oct 2012 23:25:07 +0000
Message-ID: <C91E67751B1EFF41B857DE2FE1F68ABA0BDEFAFB@tk5ex14mbxc272.redmond.corp.microsoft.com>
References: <20121020231931.10454.3134.idtracker@ietfa.amsl.com>, <A1C530C8-E346-4283-9528-F4D74D20932F@vigilsec.com>
In-Reply-To: <A1C530C8-E346-4283-9528-F4D74D20932F@vigilsec.com>
Subject: Re: [saag] Fwd: I-D Action: draft-iab-identifier-comparison-05.txt

I read this document, and I am missing the issues around lifetime of identifiers. Arguably they do not affect the comparison procedures, but they do have an interesting impact on the choices of identifiers and their usage. The classic example is what happens when Bob Miller leaves the Example company, which then hires Bob Smith. Both, at different times, get control of the email address bob@example.com. Clearly they will get different certificates, public keys and the like. However, the new certificates will validate against the old access control list, giving Bob Smith access to whatever was allocated previously to Bob Miller.

There are of course similar issues with IPv4 addresses being reallocated via DHCP.


________________________________________
From: saag-bounces@ietf.org [saag-bounces@ietf.org] on behalf of Russ Housley [housley@vigilsec.com]
Sent: Sunday, October 21, 2012 7:37 AM
To: IETF SAAG
Subject: [saag] Fwd: I-D Action: draft-iab-identifier-comparison-05.txt

This document is in the final stages.  If you have last minute comments, please send them to iab@iab.org very soon.

Russ


> From: internet-drafts@ietf.org
> Date: October 20, 2012 7:19:31 PM EDT
> To: i-d-announce@ietf.org
> Cc: iab@iab.org
> Subject: [IAB] I-D Action: draft-iab-identifier-comparison-05.txt
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Internet Architecture Board Working Group of the IETF.
>
>       Title           : Issues in Identifier Comparison for Security Purposes
>       Author(s)       : Dave Thaler
>       Filename        : draft-iab-identifier-comparison-05.txt
>       Pages           : 23
>       Date            : 2012-10-20
>
> Abstract:
>   Identifiers such as hostnames, URIs, and email addresses are often
>   used in security contexts to identify security principals and
>   resources.  In such contexts, an identifier supplied via some
>   protocol is often compared against some policy to make security
>   decisions such as whether the principal may access the resource, what
>   level of authentication or encryption is required, etc.  If the
>   parties involved in a security decision use different algorithms to
>   compare identifiers, then failure scenarios ranging from denial of
>   service to elevation of privilege can result.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-iab-identifier-comparison
>
> There's also a htmlized version available at:
> http://tools.ietf.org/html/draft-iab-identifier-comparison-05
>
> A diff from the previous version is available at:
> http://www.ietf.org/rfcdiff?url2=draft-iab-identifier-comparison-05
>
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>

_______________________________________________
saag mailing list
saag@ietf.org
https://www.ietf.org/mailman/listinfo/saag
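The lifetime problem Huitema describes above, as an added example that is not part of the thread or of the draft: an ACL whose entries are bare e-mail addresses admits whoever currently holds the address, so a certificate issued to the address's second holder passes the check. The hardened variant records, for each grant, the public-key fingerprint of the holder the grant was made to, and revokes the grant when the directory retires the address. The certificates, keys and times are constructed stand-ins, and the Certificate, Grant and BoundAcl names are assumptions of this example.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Certificate:
    """Stand-in for an X.509 certificate: the subject's e-mail address
    (as an rfc822Name SAN would carry it) and its public key.  Constructed
    values; a real certificate carries a full SubjectPublicKeyInfo."""
    email: str
    public_key: bytes
    not_before: int  # issuance time, epoch seconds

    def key_fingerprint(self) -> str:
        return hashlib.sha256(self.public_key).hexdigest()


# --- The ACL from the thread: entries are bare e-mail addresses. ---
def authorized_by_name(acl: set[str], cert: Certificate) -> bool:
    """Vulnerable check: any valid certificate naming the address matches,
    regardless of which person holds the address today."""
    return cert.email in acl


# --- Hardened ACL: each grant remembers which holder of the name it was made for. ---
@dataclass
class Grant:
    email: str
    key_fingerprint: str  # public key presented when the grant was made
    granted_at: int       # epoch seconds
    revoked: bool = False


class BoundAcl:
    def __init__(self) -> None:
        self.grants: list[Grant] = []

    def grant(self, cert: Certificate, now: int) -> None:
        """Bind the grant to the address *and* the key seen at grant time."""
        self.grants.append(Grant(cert.email, cert.key_fingerprint(), now))

    def deprovision(self, email: str) -> None:
        """Lifetime hook: when the directory retires an address, revoke every
        grant made to its previous holder before the address is reissued."""
        for g in self.grants:
            if g.email == email:
                g.revoked = True

    def authorized(self, cert: Certificate) -> bool:
        return any(
            not g.revoked
            and g.email == cert.email
            and g.key_fingerprint == cert.key_fingerprint()
            for g in self.grants
        )


def run_scenario() -> dict:
    """Bob Miller is granted access; later the address is reissued to Bob Smith.
    Returns the outcome of each check so the two policies can be compared."""
    miller = Certificate("bob@example.com", b"constructed-miller-key", 1_300_000_000)
    smith = Certificate("bob@example.com", b"constructed-smith-key", 1_350_000_000)

    name_acl = {"bob@example.com"}
    bound = BoundAcl()
    bound.grant(miller, now=1_300_000_100)

    results = {
        "name_acl_miller": authorized_by_name(name_acl, miller),  # True
        "name_acl_smith": authorized_by_name(name_acl, smith),    # True: the problem
        "bound_miller": bound.authorized(miller),                 # True
        "bound_smith": bound.authorized(smith),                   # False: different key
    }
    bound.deprovision("bob@example.com")  # Miller leaves the company
    results["bound_miller_after_leave"] = bound.authorized(miller)  # False
    return results


if __name__ == "__main__":
    for check, outcome in run_scenario().items():
        print(f"{check}: {outcome}")
```

Pinning the key means a certificate renewal that rotates the holder's key needs a fresh grant, so in practice the binding is usually to a stable per-person attribute from the directory rather than to the key itself; the deprovision step is what actually closes the window between the address being retired and being reissued, and it applies just as well to a DHCP lease being reassigned.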