IETF Logo Mail Archive

Re: [secdir] Secdir review of draft-murchison-nntp-compress-05

Julien ÉLIE <julien@trigofacile.com> Mon, 24 October 2016 20:10 UTC

Return-Path: <julien@trigofacile.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0725D129614 for <secdir@ietfa.amsl.com>; Mon, 24 Oct 2016 13:10:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.401
X-Spam-Level:
X-Spam-Status: No, score=-1.401 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_SORBS_SPAM=0.5] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vjrk8795cN6D for <secdir@ietfa.amsl.com>; Mon, 24 Oct 2016 13:10:19 -0700 (PDT)
Received: from smtp.smtpout.orange.fr (smtp04.smtpout.orange.fr [80.12.242.126]) by ietfa.amsl.com (Postfix) with ESMTP id D4516128E18 for <secdir@ietf.org>; Mon, 24 Oct 2016 13:10:18 -0700 (PDT)
Received: from macbook-pro-de-julien-elie.home ([92.170.5.52]) by mwinf5d08 with ME id zY2m1t00317Lgi403Y2mGH; Mon, 24 Oct 2016 22:02:47 +0200
X-ME-Helo: macbook-pro-de-julien-elie.home
X-ME-Auth: anVsaWVuLmVsaWU0ODdAd2FuYWRvby5mcg==
X-ME-Date: Mon, 24 Oct 2016 22:02:47 +0200
X-ME-IP: 92.170.5.52
To: Barry Leiba <barryleiba@computer.org>
References: <CALaySJ+mJdorTkygsZ==Bja+0ZmavTkq2kC33QJ67LeM34K=Ng@mail.gmail.com> <20981db3190142193043f1445abadaa3@trigofacile.com> <CALaySJKP3AEgb7=rRz=T0R4vKWOHE6AAHeg-k-h28KrtjXP64A@mail.gmail.com> <bf55ee7b-13ae-a162-ceb7-57ccedac1d35@trigofacile.com> <1b5edd03-675c-01b7-6d06-c2e155987929@trigofacile.com> <CALaySJJFAXPx8bOowYLcZ_=6W_OQWU3eSenSE1wg68mHWZ0nHA@mail.gmail.com>
From: Julien ÉLIE <julien@trigofacile.com>
Organization: TrigoFACILE -- http://www.trigofacile.com/
Message-ID: <627dc143-362b-4ac9-299c-11007bc973ae@trigofacile.com>
Date: Mon, 24 Oct 2016 22:02:46 +0200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Thunderbird/45.4.0
MIME-Version: 1.0
In-Reply-To: <CALaySJJFAXPx8bOowYLcZ_=6W_OQWU3eSenSE1wg68mHWZ0nHA@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/3OBjgt2cGuD0ng-s7U4LAjiAQUk>
Cc: draft-murchison-nntp-compress.all@ietf.org, IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Secdir review of draft-murchison-nntp-compress-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Oct 2016 20:10:20 -0000

Hi Barry,

> I've been thinking on this since you mentioned it, and I have mixed
> feelings.  So let me spread them out here:
[...]
> And on the third hand (I'm Martian)
> On the fourth hand (and that's all that Martians have)

I like these two introductions of alternatives :)


> So, yes: in the end, I think it's worth putting in a few words about
> this, just to be clear that it's a common trap.

OK.
FYI, I've added the following paragraph at the end of the Security 
Considerations Section.  The wording is inspired by the one in RFC 3749.

    Last but not least, careful consideration should be given to
    protections against implementation errors that introduce security
    risks with regards to compression algorithms.  See for instance the
    part of Section 6 of [RFC3749] about compression algorithms that can
    occasionally expand, rather than compress, input data.

-- 
Julien ÉLIE

« Aut bibas aut abeas. »

v2.15.0 | Report a Bug | By Email