Re: [secdir] Recurring issues found during sec review

Alan DeKok <> Tue, 23 July 2019 15:51 UTC


On Jul 23, 2019, at 11:15 AM, Salz, Rich <> wrote:
>> That is, every MUST should have an obvious action for when it is
>> violated.
>      That's a good phrasing.
> I strongly disagree.  It turns every MUST into something that only the recipient must act on.

  If one party MUST send X, then there's not really any benefit to saying "or else...".  That party sends X, or it's not compliant.  If that party ignores the MUST, then there isn't any point in having an extra clause that says "or else MUST do ...".  They'll just ignore that, too.

  The issue is with the other party.  If the other side MUST send X, then what does the recipient do when it doesn't receive X?  That should be stated clearly.

>  The burden of the protocol should be on both sides to act correctly, and one side should not be constrained to behave a particular way if the counter-party misbehaves.

  If it's about security, then absolutely one party should be constrained to do something *safe* if the other party misbehaves.

  Another example is sending packetized data over TCP, i.e. sequences of "header, length, data".  What happens if the recipient can't decode a particular message?  I've seen long arguments where people say "the recipient should try to continue".

  OK... HOW?  If the header / length is malformed, then we have absolutely no clue how to decode the next set of octets we receive.  The only safe thing to do is to close the connection, and start over.  Hence phrases like "the recipient MUST close the connection if the message is malformed".

  I think the "else MUST" phrases really only apply to recipients.  They're not in control of the data that they receive.  And they must do *something* with that data.

  Perhaps the phrasing could be "if the sender MUST do X, then the recipient MUST be able to deal with situations where that doesn't happen".

> Another reason against this is that it tends to result in naïve behavior such as oracles or "name not found" being distinguished from "wrong password"

  I'm not clear how that applies.

  Alan DeKok.
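The "header, length, data" point above, as an added example that is not part of the thread: a decoder for a hypothetical framing (1-octet type, 2-octet big-endian length, payload; the layout, the KNOWN_TYPES set and MAX_LEN bound are assumptions for this illustration) in two variants. The fail-closed variant stops at the first malformed header so the caller can close the connection; the "try to continue" variant discards one octet and retries, which on the constructed sample stream yields a bogus frame assembled from the wrong bytes and silently loses the real frame that followed.

```python
"""Length-prefixed framing: fail-closed versus "skip and continue".

Frame layout (an assumption for this example, not a real protocol):
  type   : 1 octet, must be in KNOWN_TYPES
  length : 2 octets, big-endian, payload size, must be <= MAX_LEN
  data   : `length` octets
"""
import struct

KNOWN_TYPES = {0x01, 0x02}   # assumed message types
MAX_LEN = 1024               # assumed upper bound on a payload
HEADER = struct.Struct("!BH")  # type (B) + length (H), network byte order


def decode_stream(buf: bytes):
    """Fail-closed decoder.

    Returns (frames, unconsumed_bytes, error).  On the first header that
    fails validation it stops; the boundary of the next frame is unknowable,
    so the only safe reaction is for the caller to close the connection and
    reconnect.  An incomplete trailing frame is not an error: it is left in
    `unconsumed_bytes` until more octets arrive.
    """
    frames = []
    off = 0
    while len(buf) - off >= HEADER.size:
        msg_type, length = HEADER.unpack_from(buf, off)
        if msg_type not in KNOWN_TYPES or length > MAX_LEN:
            return frames, buf[off:], f"malformed header at offset {off}"
        start = off + HEADER.size
        end = start + length
        if end > len(buf):
            break  # partial frame: wait for the rest of the bytes
        frames.append((msg_type, buf[start:end]))
        off = end
    return frames, buf[off:], None


def decode_skip_and_continue(buf: bytes):
    """The "try to continue" strategy: on a bad header, drop one octet and
    retry.  Returns (frames, unconsumed_bytes).  Whatever bytes happen to
    look like a valid header next get treated as one, so the decoder can
    fabricate frames out of payload bytes and swallow genuine frames."""
    frames = []
    off = 0
    while len(buf) - off >= HEADER.size:
        msg_type, length = HEADER.unpack_from(buf, off)
        if msg_type not in KNOWN_TYPES or length > MAX_LEN:
            off += 1  # "resynchronise" by discarding a single octet
            continue
        start = off + HEADER.size
        end = start + length
        if end > len(buf):
            break
        frames.append((msg_type, buf[start:end]))
        off = end
    return frames, buf[off:]


# Constructed sample stream: a good frame, a frame whose length field is
# corrupt (0xFFFF) but whose 5 payload octets happen to contain bytes that
# look like a header, then a second good frame.
FRAME_1 = bytes([0x01, 0x00, 0x03]) + b"abc"
BAD_FRAME = bytes([0x01, 0xFF, 0xFF]) + b"\x02\x00\x05AB"
FRAME_2 = bytes([0x02, 0x00, 0x02]) + b"hi"
SAMPLE_STREAM = FRAME_1 + BAD_FRAME + FRAME_2


if __name__ == "__main__":
    frames, rest, err = decode_stream(SAMPLE_STREAM)
    print("fail-closed:", frames, "error:", err)
    frames, rest = decode_skip_and_continue(SAMPLE_STREAM)
    print("skip-and-continue:", frames, "leftover:", rest)
```

On the sample stream the fail-closed decoder returns only the first frame plus an error at offset 6, leaving the caller to close and reconnect. The skip-and-continue decoder instead emits a second frame whose "payload" is the bytes `AB\x02\x00\x02`, three of which are really the header of FRAME_2, and the genuine "hi" message never appears. The bounds checks here (known type, length cap) are the minimum that makes a corrupt header detectable at all; a length that is wrong but within bounds is indistinguishable from a correct one, which is exactly why the spec text needs to say what the recipient does once it notices.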