Re: [secdir] Review of draft-ietf-repute-query-http-09
Shawn M Emery <shawn.emery@oracle.com> Sun, 25 August 2013 04:56 UTC
Return-Path: <shawn.emery@oracle.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix)
with ESMTP id 7EF5411E8203 for <secdir@ietfa.amsl.com>;
Sat, 24 Aug 2013 21:56:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[AWL=-0.001,
BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3EFZCShF-wkx for
<secdir@ietfa.amsl.com>; Sat, 24 Aug 2013 21:56:21 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by
ietfa.amsl.com (Postfix) with ESMTP id 0304A11E81FF for <secdir@ietf.org>;
Sat, 24 Aug 2013 21:56:20 -0700 (PDT)
Received: from ucsinet22.oracle.com (ucsinet22.oracle.com [156.151.31.94]) by
aserp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id
r7P4u9B7012081 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256
verify=OK); Sun, 25 Aug 2013 04:56:10 GMT
Received: from userz7022.oracle.com (userz7022.oracle.com [156.151.31.86]) by
ucsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7P4u83c002585
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
Sun, 25 Aug 2013 04:56:09 GMT
Received: from abhmt102.oracle.com (abhmt102.oracle.com [141.146.116.54]) by
userz7022.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7P4u721002580;
Sun, 25 Aug 2013 04:56:08 GMT
Received: from shawn-emerys-computer.local (/174.29.22.102) by default (Oracle
Beehive Gateway v4.0) with ESMTP ; Sat, 24 Aug 2013 21:56:07 -0700
Message-ID: <52198E83.7050406@oracle.com>
Date: Sat, 24 Aug 2013 22:56:35 -0600
From: Shawn M Emery <shawn.emery@oracle.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6;
rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: dcrocker@bbiw.net
References: <51CAA254.6040303@oracle.com> <52158CF5.4050001@oracle.com>
<521591FA.20601@dcrocker.net>
In-Reply-To: <521591FA.20601@dcrocker.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Source-IP: ucsinet22.oracle.com [156.151.31.94]
Cc: draft-ietf-repute-query-http.all@tools.ietf.org,
Dave Crocker <dhc@dcrocker.net>, secdir@ietf.org
Subject: Re: [secdir] Review of draft-ietf-repute-query-http-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>,
<mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>,
<mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 25 Aug 2013 04:56:28 -0000
On 08/21/13 10:22 PM, Dave Crocker wrote: > On 8/21/2013 9:00 PM, Shawn M Emery wrote: >> However, none of the >> referenced RFCs and draft directly talk about the various attacks and >> how to mitigate against said attacks. > > > Shawn, some clarification please: > > This is a simple query protocol, ableit yes one where the data is > making trust assertions. > > A possible implication of your above comment is that all IETF > protocols should carry a threat analysis. Have I misunderstood? Hi Dave, Sorry for not being specific. I will try to clarify my concerns: This draft references the reputation considerations draft when providing or using reputation services, I assume in a security context given that it is referenced in the security considerations section. When I looked at the referenced draft's security considerations section it stated that there are threats discussed in the operation text above. I think that these types of discussions deserve a separate section. If the topic is mostly security it would be helpful to have a summary of the various threats and how to mitigate. In any case, when looking through the entire draft I do see some suggestions for clients and their RSPs. Shawn. --
- [secdir] Review of draft-ietf-mpls-tp-identifie... Shawn Emery
- [secdir] Review of draft-ietf-sidr-ghostbusters-14 Shawn Emery
- [secdir] Review of draft-ietf-rtgwg-lfa-applica... Shawn Emery
- Re: [secdir] Review of draft-ietf-rtgwg-lfa-app... Stewart Bryant
- [secdir] Review of draft-ietf-manet-smf-13 Shawn Emery
- Re: [secdir] Review of draft-ietf-manet-smf-13 Joe Macker
- [secdir] Review of draft-ietf-conex-concepts-us... Shawn Emery
- [secdir] Review of draft-melnikov-smtp-priority... Shawn Emery
- Re: [secdir] Review of draft-melnikov-smtp-prio... Alexey Melnikov
- [secdir] Review of draft-ietf-dnsop-rfc4641bis-12 Shawn Emery
- Re: [secdir] Review of draft-ietf-dnsop-rfc4641... Matthijs Mekking
- Re: [secdir] Review of draft-ietf-dnsop-rfc4641... Shawn Emery
- [secdir] Review of draft-ietf-karp-ospf-analysi... Shawn Emery
- [secdir] Review of draft-ietf-oauth-assertions-09 Shawn Emery
- Re: [secdir] Review of draft-ietf-oauth-asserti... Shawn Emery
- [secdir] Review of draft-ietf-dhc-dhcpv6-client... Shawn Emery
- Re: [secdir] Review of draft-ietf-dhc-dhcpv6-cl... Gaurav Halwasia (ghalwasi)
- [secdir] Review of draft-ietf-netmod-interfaces... Shawn Emery
- Re: [secdir] Review of draft-ietf-netmod-interf... Martin Bjorklund
- Re: [secdir] Review of draft-ietf-netmod-interf... Benoit Claise
- Re: [secdir] Review of draft-ietf-netmod-interf... Shawn Emery
- [secdir] Review of draft-ietf-xrblock-rtcp-xr-j... Shawn M Emery
- Re: [secdir] Review of draft-ietf-xrblock-rtcp-... Qin Wu
- Re: [secdir] Review of draft-ietf-xrblock-rtcp-... Gonzalo Camarillo
- Re: [secdir] Review of draft-ietf-xrblock-rtcp-... Donald Eastlake
- Re: [secdir] Review of draft-ietf-xrblock-rtcp-... Gonzalo Camarillo
- [secdir] Review of draft-ietf-repute-query-http-09 Shawn M Emery
- Re: [secdir] Review of draft-ietf-repute-query-... Shawn M Emery
- Re: [secdir] Review of draft-ietf-repute-query-... Uri Blumenthal
- Re: [secdir] Review of draft-ietf-repute-query-... Dave Crocker
- Re: [secdir] Review of draft-ietf-repute-query-... Murray S. Kucherawy
- Re: [secdir] Review of draft-ietf-repute-query-... Shawn M Emery
- [secdir] Review of draft-ietf-tictoc-security-r... Shawn M Emery
- Re: [secdir] Review of draft-ietf-tictoc-securi... Tal Mizrahi
- [secdir] Review of draft-ietf-cdni-requirements-13 Shawn M Emery
- Re: [secdir] Review of draft-ietf-cdni-requirem... Kent Leung (kleung)
- [secdir] Review of draft-ietf-isis-rfc6326bis-01 Shawn M Emery
- [secdir] Review of draft-ietf-tcpm-fastopen-08 Shawn M Emery
- Re: [secdir] Review of draft-ietf-tcpm-fastopen-08 Scharf, Michael (Michael)
- [secdir] Review of draft-ietf-hip-rfc5202-bis-05 Shawn M Emery