Re: [secdir] review of draft-hollenbeck-rfc4933bis-02

Sandra Murphy <sandy@sparta.com> Wed, 15 July 2009 16:00 UTC

Date: Wed, 15 Jul 2009 10:51:46 -0400
From: Sandra Murphy <sandy@sparta.com>
To: "Hollenbeck, Scott" <shollenbeck@verisign.com>
In-Reply-To: <046F43A8D79C794FA4733814869CDF0702B8DA2E@dul1wnexmb01.vcorp.ad.vrsn.com>
Message-ID: <Pine.WNT.4.64.0907151047510.4872@SANDYM-LT.columbia.ads.sparta.com>
References: <897517DC-2F59-440A-BD63-BD71E1AF4421@nrl.navy.mil> <046F43A8D79C794FA4733814869CDF0702B8DA2E@dul1wnexmb01.vcorp.ad.vrsn.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Cc: iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] review of draft-hollenbeck-rfc4933bis-02

(Note to all.  I sent multiple secdir related messages yesterday 
afternoon, and they all were mangled or ultimately not delivered.  So this 
is a repeat that some of the recipients may already have seen. 
Apologies for the technology failure.)



On Tue, 7 Jul 2009, Scott Hollenbeck said:


>There was no follow-up, so I remain a little unsure of how to address
>the comment.  Similarly, I need a clarification to know if the text
>change suggested below is best made in 4933bis.

Yes, I am guilty of not following up.  I was unsure of my understanding
of channel binding issues, none of the other reviewers of the rfc493*
suite made any notice of the issue, and, as you note here, the
issue is really in the base spec, not 4933.  I just had no idea
what the right process would be, if any.

Subsequent discussion and review of material make me more confident
that there is, indeed, a channel binding issue here.

The question is what to do about it.  This is an established protocol.
Would a security considerations section in 4930bis that pointed out
that there's a MITM attack possible here, because of the lack of
channel binding, be sufficient?  Or would pointing to the sasl-gs2
work as a protection be mentioned?  suggested?  mandated?

I sure would love to see AD or subject matter experts weigh in here
on the technical and process aspects of this.

--Sandy
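The following is an added illustration, not part of Sandy's message or of the EPP drafts, of the attack she is pointing at: a login proof sent over TLS without channel binding can be relayed by a man-in-the-middle that terminates two separate TLS connections, while a proof that also commits to the TLS session (the idea behind tls-unique style channel binding, which SASL GS2 carries) fails at the real server because the two connections have different binding values. The TLS layer is simulated rather than real: each `TlsSession` holds a random value standing in for the channel binding, and the HMAC-based proof is this example's own toy construction, not the EPP `<login>` or SASL wire format.

```python
"""Added illustration (not from the original message or the EPP specs):
a password-based login relayed through a MITM with and without channel
binding.  The TLS layer is simulated; `TlsSession.unique` stands in for
the tls-unique channel binding value (the first Finished message), which
necessarily differs between the client<->MITM and MITM<->server connections.
The proof construction below is a toy stand-in, not the EPP <login>
or SASL GS2 wire format.
"""
import hashlib
import hmac
import os
from typing import Optional


class TlsSession:
    """Stand-in for one TLS connection. `unique` plays the role of tls-unique."""

    def __init__(self) -> None:
        self.unique = os.urandom(32)


def client_proof(password: bytes, server_nonce: bytes, cb: Optional[bytes]) -> bytes:
    """Proof the client returns after the server's challenge.

    With cb=None the proof depends only on the server nonce (no channel
    binding), so it is valid on any TLS connection it is replayed into.
    With cb set it also commits to the TLS session the client is actually on.
    """
    msg = server_nonce + (cb if cb is not None else b"")
    return hmac.new(password, msg, hashlib.sha256).digest()


def server_verify(password: bytes, server_nonce: bytes,
                  cb: Optional[bytes], proof: bytes) -> bool:
    """Server recomputes the proof using the binding of *its own* TLS session."""
    expected = client_proof(password, server_nonce, cb)
    return hmac.compare_digest(expected, proof)


def run_login(password: bytes, attacker_in_path: bool, use_channel_binding: bool) -> bool:
    """Simulate one login. Returns True if the server accepts the client's proof.

    attacker_in_path=True models a MITM that terminates TLS on both sides and
    relays the challenge and the proof byte-for-byte between the two sessions.
    """
    server_nonce = os.urandom(16)

    if attacker_in_path:
        client_side = TlsSession()   # client <-> MITM
        server_side = TlsSession()   # MITM <-> server
    else:
        client_side = server_side = TlsSession()  # one end-to-end session

    # Client only ever sees the binding of the connection it is on.
    client_cb = client_side.unique if use_channel_binding else None
    proof = client_proof(password, server_nonce, client_cb)

    # The MITM forwards `proof` unchanged; the server checks it against the
    # binding of the connection the proof arrived on.
    server_cb = server_side.unique if use_channel_binding else None
    return server_verify(password, server_nonce, server_cb, proof)


if __name__ == "__main__":
    pw = b"correct horse battery staple"  # constructed sample credential
    print("direct, no binding      :", run_login(pw, False, False))
    print("direct, with binding    :", run_login(pw, False, True))
    print("MITM relay, no binding  :", run_login(pw, True, False))
    print("MITM relay, with binding:", run_login(pw, True, True))
```

The last two calls are the point of the email: without binding the relayed proof verifies, because nothing in it ties it to the client's own TLS connection; with binding the relay fails, because the MITM cannot produce a proof over the server-side session's value without the password. Real deployments would take the binding value from the TLS stack (for example `SSLSocket.get_channel_binding('tls-unique')` in Python's `ssl` module) rather than from a simulated session.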