Re: [secdir] Security review of draft-ietf-tls-multiple-cert-status-extension-04

"Yngve N. Pettersen" <yngve@spec-work.net> Fri, 29 March 2013 21:30 UTC

Return-Path: <yngve@spec-work.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B310D21F8D26; Fri, 29 Mar 2013 14:30:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cwtgdTjw4zkR; Fri, 29 Mar 2013 14:30:15 -0700 (PDT)
Received: from smtp.domeneshop.no (smtp.domeneshop.no [194.63.252.54]) by ietfa.amsl.com (Postfix) with ESMTP id E826921F8C7D; Fri, 29 Mar 2013 14:30:08 -0700 (PDT)
Received: from 239.171.251.212.customer.cdi.no ([212.251.171.239]:62399 helo=killashandra.invalid.invalid) by smtp.domeneshop.no with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <yngve@spec-work.net>) id 1ULgs7-0007O9-EE; Fri, 29 Mar 2013 22:30:03 +0100
Content-Type: text/plain; charset=iso-8859-15; format=flowed; delsp=yes
To: iesg@ietf.org, secdir@ietf.org, "Hilarie Orman" <ho@alum.mit.edu>
References: <201303292034.r2TKYtu4025061@sylvester.rhmr.com>
Date: Fri, 29 Mar 2013 22:29:53 +0100
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: "Yngve N. Pettersen" <yngve@spec-work.net>
Message-ID: <op.wup8n3pw3dfyax@killashandra.invalid.invalid>
In-Reply-To: <201303292034.r2TKYtu4025061@sylvester.rhmr.com>
User-Agent: Opera Mail/12.14 (Win32)
X-Mailman-Approved-At: Sat, 30 Mar 2013 08:01:52 -0700
Cc: draft-ietf-tls-multiple-cert-status-extension@tools.ietf.org
Subject: Re: [secdir] Security review of draft-ietf-tls-multiple-cert-status-extension-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Mar 2013 21:30:15 -0000

Hello Hilarie,

Thanks for the review.

On Fri, 29 Mar 2013 21:34:55 +0100, Hilarie Orman <ho@alum.mit.edu> wrote:

> Security review of draft-ietf-tls-multiple-cert-status-extension-04
>
> Do not be alarmed.  I have reviewed this document as part of the
> security directorate's ongoing effort to review all IETF documents
> being processed by the IESG.  These comments were written primarily
> for the benefit of the security area directors.  Document editors and
> WG chairs should treat these comments just like any other last call
> comments.
>
> The final paragraph in section 2.2 discusses using an unauthenticated
> session for the purpose of obtaining certificates in order to
> authenticate the session.  Sending usernames and passwords over the
> connection while unauthenticated is regarded as "inappropriate".  This
> seems to be a serious problem, deserving of at least a "MUST NOT".

I changed that to:

  "In this case, the client could continue with the handshake, but it MUST  
NOT disclose a username and password until it has fully validated the  
server certificate."

It will be included in the -06 version. I'll probably wait until next week  
with that one, since I released -05 earlier today.

> In section 2.2, "A server that receive a client hello" should be
> "A server that receives a client hello".  Later,

This has already been fixed in the -05 version.

> "require trust in the server, and the server certificate has not been"
> reads better without the comma.

I am not sure about this one. The original version was without the comma,  
but I asked a former colleague (a document writer/reviewer) to review that  
update, and she suggested the comma.

-- 
Sincerely,
Yngve N. Pettersen

Using Opera's mail client: http://www.opera.com/mail/