Re: [secdir] Security review of draft-ietf-tls-multiple-cert-status-extension-04
"Yngve N. Pettersen" <yngve@spec-work.net> Fri, 29 March 2013 21:30 UTC
To: iesg@ietf.org, secdir@ietf.org, Hilarie Orman <ho@alum.mit.edu>
References: <201303292034.r2TKYtu4025061@sylvester.rhmr.com>
Date: Fri, 29 Mar 2013 22:29:53 +0100
From: "Yngve N. Pettersen" <yngve@spec-work.net>
Message-ID: <op.wup8n3pw3dfyax@killashandra.invalid.invalid>
In-Reply-To: <201303292034.r2TKYtu4025061@sylvester.rhmr.com>
Cc: draft-ietf-tls-multiple-cert-status-extension@tools.ietf.org
Subject: Re: [secdir] Security review of draft-ietf-tls-multiple-cert-status-extension-04
Hello Hilarie,

Thanks for the review.

On Fri, 29 Mar 2013 21:34:55 +0100, Hilarie Orman <ho@alum.mit.edu> wrote:

> Security review of draft-ietf-tls-multiple-cert-status-extension-04
>
> Do not be alarmed. I have reviewed this document as part of the
> security directorate's ongoing effort to review all IETF documents
> being processed by the IESG. These comments were written primarily
> for the benefit of the security area directors. Document editors and
> WG chairs should treat these comments just like any other last call
> comments.
>
> The final paragraph in section 2.2 discusses using an unauthenticated
> session for the purpose of obtaining certificates in order to
> authenticate the session. Sending usernames and passwords over the
> connection while unauthenticated is regarded as "inappropriate". This
> seems to be a serious problem, deserving of at least a "MUST NOT".

I changed that to:

"In this case, the client could continue with the handshake, but it MUST NOT disclose a username and password until it has fully validated the server certificate."

It will be included in the -06 version. I'll probably wait until next week with that one, since I released -05 earlier today.

> In section 2.2, "A server that receive a client hello" should be
> "A server that receives a client hello". Later,

This has already been fixed in the -05 version.

> "require trust in the server, and the server certificate has not been"
> reads better without the comma.

I am not sure about this one. The original version was without the comma, but I asked a former colleague (a document writer/reviewer) to review that update, and she suggested the comma.

--
Sincerely,
Yngve N. Pettersen

Using Opera's mail client: http://www.opera.com/mail/
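As an added illustration of the rule in the -06 wording quoted above (a constructed example, not code from the draft or from either participant): a client-side model that may keep exchanging non-credential traffic, such as the certificate status fetch itself, while validation is pending, but refuses to release a username and password until the server certificate's status has come back good. The `ClientSession` class, the `responder` dictionary and the status strings are assumptions standing in for real chain and OCSP handling.

```python
from dataclasses import dataclass
from enum import Enum, auto
from typing import Optional

class Validation(Enum):
    PENDING = auto()     # handshake done, certificate status not yet confirmed
    VALIDATED = auto()   # chain and status checks passed
    REJECTED = auto()    # a revoked or otherwise bad status came back

class CredentialDisclosureError(Exception):
    """Application tried to send a password over an unvalidated session."""

@dataclass
class ClientSession:
    server_cert: str
    stapled_status: dict      # status_request_v2 responses from the server (may be empty)
    responder: dict           # constructed stand-in for an OCSP responder
    state: Validation = Validation.PENDING

    def certificate_status(self) -> Optional[str]:
        # Prefer the stapled response; otherwise ask the responder, which is
        # the "unauthenticated session" step the review discusses.
        if self.server_cert in self.stapled_status:
            return self.stapled_status[self.server_cert]
        return self.responder.get(self.server_cert)

    def validate(self) -> Validation:
        status = self.certificate_status()
        if status == "good":
            self.state = Validation.VALIDATED
        elif status is None:
            self.state = Validation.PENDING   # no answer yet: stay unauthenticated
        else:
            self.state = Validation.REJECTED
        return self.state

    def send(self, payload: str, contains_credentials: bool = False) -> str:
        # The gate from the -06 wording: ordinary traffic may proceed,
        # a username/password may not until the session is VALIDATED.
        if contains_credentials and self.state is not Validation.VALIDATED:
            raise CredentialDisclosureError(f"session state is {self.state.name}")
        return payload

def can_send_credentials(session: ClientSession) -> bool:
    try:
        session.send("Authorization: Basic <constructed>", contains_credentials=True)
        return True
    except CredentialDisclosureError:
        return False
```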