[sacm] minor comments on draft-lin-sacm-nid-mp-security-baseline-03

Benjamin Kaduk <kaduk@mit.edu> Mon, 23 July 2018 18:01 UTC

Date: Mon, 23 Jul 2018 13:01:01 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: sacm@ietf.org
Message-ID: <20180723180058.GX92448@kduck.kaduk.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/BvTXnt69S6BhgAhCopi55KL-U8c>

During Jessica's talk I noticed a couple of things I wanted to mention, but
that didn't seem to merit getting up to the mic:

There's a container for 'telnet' admin access; my understanding is that
there are not any applications out there that could be called "telnet" and
are actually secure these days (but maybe I'm missing some!); e.g.,
kerberized telnet mostly only uses single-DES and a lousy cipher mode, with
a vendor-specific option for triple-DES, which is deprecated as of my
document that's currently at the RFC Editor.  So we may want to have some
text clarifying the situation and disrecommending its use (or even remove
it entirely, if that's feasible).

Similarly, there's a pwd-sec-policy container that describes password
security policies.  While it's definitely true that password policies and
mandatory change intervals are currently widely deployed, it's less clear
whether their usage should still be considered useful or a best current
practice -- I think I've seen some research go by that suggests that not
requiring character classes or frequency of change can be just as secure
(and, of course, if passwords can be avoided entirely that can also help).
So, perhaps there is room for some qualifying text here as well.

-Ben
(with no hats)
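An added example, not part of Ben's message or of the draft under review: a small audit over a constructed configuration instance that reports the two points raised above, an enabled 'telnet' admin-access container and a 'pwd-sec-policy' container that imposes character-class and change-interval rules. Only the two container names come from the message; every leaf name, the JSON layout and the severity levels are assumptions made here for illustration and are not the draft's schema.

```python
from dataclasses import dataclass
from typing import Any, Dict, List

# Constructed configuration instance for this example. The container names
# 'telnet' and 'pwd-sec-policy' are the ones discussed in the message; the
# leaf names and values below are assumptions, not the draft's schema.
SAMPLE_CONFIG: Dict[str, Any] = {
    "telnet": {"enabled": True, "port": 23},
    "pwd-sec-policy": {
        "min-length": 8,
        "required-char-classes": 3,   # upper/lower/digit/symbol style rule
        "max-age-days": 90,           # mandatory change interval
    },
}


@dataclass(frozen=True)
class Finding:
    path: str       # slash-separated path into the config instance
    severity: str   # "high" for a known-insecure setting, "advisory" for a questionable one
    message: str


def audit_telnet(cfg: Dict[str, Any]) -> List[Finding]:
    """Any enabled telnet admin access is reported as 'high': no telnet variant
    offers modern protection (cleartext, or at best legacy DES in the
    Kerberized form mentioned in the message)."""
    telnet = cfg.get("telnet") or {}
    if telnet.get("enabled", False):
        return [Finding("telnet/enabled", "high",
                        "telnet admin access is enabled; disable it and use SSH")]
    return []


def audit_pwd_policy(cfg: Dict[str, Any]) -> List[Finding]:
    """Composition and forced-rotation rules are reported as 'advisory' only:
    the message questions whether they are still best current practice, not
    whether they are harmful, so the operator gets a nudge, not a failure."""
    policy = cfg.get("pwd-sec-policy") or {}
    findings: List[Finding] = []
    if policy.get("required-char-classes", 0) > 0:
        findings.append(Finding(
            "pwd-sec-policy/required-char-classes", "advisory",
            "character-class requirement is not clearly a best current practice"))
    if policy.get("max-age-days", 0) > 0:
        findings.append(Finding(
            "pwd-sec-policy/max-age-days", "advisory",
            "mandatory change interval is not clearly a best current practice; "
            "consider dropping it, or avoiding passwords entirely"))
    return findings


def audit(cfg: Dict[str, Any]) -> List[Finding]:
    """Run every check and return the findings, highest severity first."""
    findings = audit_telnet(cfg) + audit_pwd_policy(cfg)
    order = {"high": 0, "advisory": 1}
    return sorted(findings, key=lambda f: (order[f.severity], f.path))


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(f"[{finding.severity:8}] {finding.path}: {finding.message}")
```

The split between "high" and "advisory" mirrors the two comments: the telnet point is a definite disrecommendation, while the password-policy point is only a request for qualifying text, so an audit tool should not fail a device for it.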