[secdir] Re: [Ext] Secdir last call review of draft-ietf-dnsop-rfc7958bis-03
Paul Hoffman <paul.hoffman@icann.org> Fri, 02 August 2024 00:15 UTC
Return-Path: <paul.hoffman@icann.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E41CC1D52FD; Thu, 1 Aug 2024 17:15:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.91
X-Spam-Level:
X-Spam-Status: No, score=-6.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xej8x1V7UrKl; Thu, 1 Aug 2024 17:15:50 -0700 (PDT)
Received: from ppa3.lax.icann.org (ppa3.lax.icann.org [192.0.33.78]) by ietfa.amsl.com (Postfix) with ESMTP id AD441C1D5309; Thu, 1 Aug 2024 17:15:50 -0700 (PDT)
Received: from MBX112-E2-CO-1.pexch112.icann.org (out.mail.icann.org [64.78.33.7]) by ppa3.lax.icann.org (8.18.1.2/8.18.1.2) with ESMTPS id 4720Fn2x000528 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 2 Aug 2024 00:15:49 GMT
Received: from MBX112-W2-CO-1.pexch112.icann.org (10.226.41.128) by MBX112-W2-CO-2.pexch112.icann.org (10.226.41.130) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11; Thu, 1 Aug 2024 17:15:48 -0700
Received: from MBX112-W2-CO-1.pexch112.icann.org ([169.254.44.235]) by MBX112-W2-CO-1.pexch112.icann.org ([169.254.44.235]) with mapi id 15.02.1544.011; Thu, 1 Aug 2024 17:15:48 -0700
From: Paul Hoffman <paul.hoffman@icann.org>
To: Klaas Wierenga <klaas@wierenga.net>
Thread-Topic: [Ext] Secdir last call review of draft-ietf-dnsop-rfc7958bis-03
Thread-Index: AQHa5EFJgtWXJ7oLRUWtMOWo9l4/hLITjxSA
Date: Fri, 02 Aug 2024 00:15:48 +0000
Message-ID: <9D1C45BB-9DFE-4072-BCB8-8E0254D13A47@icann.org>
References: <172253719755.2383132.16085097683731517707@dt-datatracker-659f84ff76-9wqgv>
In-Reply-To: <172253719755.2383132.16085097683731517707@dt-datatracker-659f84ff76-9wqgv>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [192.0.32.234]
x-source-routing-agent: True
Content-Type: text/plain; charset="us-ascii"
Content-ID: <2EF7C5F769928E4E871487F8AA84A150@pexch112.icann.org>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1039,Hydra:6.0.680,FMLib:17.12.28.16 definitions=2024-08-01_22,2024-08-01_01,2024-05-17_01
Message-ID-Hash: PQQRVVFKJKLHHHU6HPWKHNO7JPD7JRK6
X-Message-ID-Hash: PQQRVVFKJKLHHHU6HPWKHNO7JPD7JRK6
X-MailFrom: paul.hoffman@icann.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-secdir.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: secdir <secdir@ietf.org>, "dnsop@ietf.org WG" <dnsop@ietf.org>, "draft-ietf-dnsop-rfc7958bis.all@ietf.org" <draft-ietf-dnsop-rfc7958bis.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [secdir] Re: [Ext] Secdir last call review of draft-ietf-dnsop-rfc7958bis-03
List-Id: Security Area Directorate <secdir.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/ALkY8Ms1WpBkemZQBk4JguFBm3U>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Owner: <mailto:secdir-owner@ietf.org>
List-Post: <mailto:secdir@ietf.org>
List-Subscribe: <mailto:secdir-join@ietf.org>
List-Unsubscribe: <mailto:secdir-leave@ietf.org>
Thank you for the review. On Aug 1, 2024, at 11:33, Klaas Wierenga via Datatracker <noreply@ietf.org> wrote: > > Reviewer: Klaas Wierenga > Review result: Has Nits > > The draft reads well and is clear. I have one question that is maybe worth > answering in the security considerations. What is the impact of retrieving the > trust anchors over http instead of https? Does that lead to a risk of ending up > with an invalid set of trust anchors? I agree with Joe that we can't really list all the possible attacks and mitigations. To that end, I propose the following text be added to the Security Considerations: Some of the methods described (such as accessing over the web with or without verifying the signature on the file) have different security properties; users of the trust anchor file need to consider these when choosing whether to load the set of trust anchors. --Paul Hoffman
- [secdir] Re: Secdir last call review of draft-iet… Klaas Wierenga
- [secdir] Secdir last call review of draft-ietf-dn… Klaas Wierenga via Datatracker
- [secdir] Re: Secdir last call review of draft-iet… Joe Abley
- [secdir] Re: [Ext] Secdir last call review of dra… Paul Hoffman