IETF Logo Mail Archive

Re: [secdir] review of draft-hollenbeck-rfc4933bis-02

"Hollenbeck, Scott" <shollenbeck@verisign.com> Thu, 16 July 2009 00:41 UTC

Return-Path: <shollenbeck@verisign.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B6BA23A685B; Wed, 15 Jul 2009 17:41:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.598
X-Spam-Level:
X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F5lB7l-sWyEU; Wed, 15 Jul 2009 17:40:54 -0700 (PDT)
Received: from peregrine.verisign.com (peregrine.verisign.com [216.168.239.74]) by core3.amsl.com (Postfix) with ESMTP id 3A2E13A69B6; Wed, 15 Jul 2009 17:40:54 -0700 (PDT)
Received: from dul1wnexcn03.vcorp.ad.vrsn.com (dul1wnexcn03.vcorp.ad.vrsn.com [10.170.12.113]) by peregrine.verisign.com (8.13.6/8.13.4) with ESMTP id n6FJc9Ln013232; Wed, 15 Jul 2009 15:38:09 -0400
Received: from dul1wnexmb01.vcorp.ad.vrsn.com ([10.170.12.134]) by dul1wnexcn03.vcorp.ad.vrsn.com with Microsoft SMTPSVC(6.0.3790.3959); Wed, 15 Jul 2009 20:49:14 +0100
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01CA0585.54A630B6"
Date: Wed, 15 Jul 2009 15:49:13 -0400
Message-ID: <046F43A8D79C794FA4733814869CDF0702B8DE7B@dul1wnexmb01.vcorp.ad.vrsn.com>
In-Reply-To: <C6839129.119DC%william.polk@nist.gov>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [secdir] review of draft-hollenbeck-rfc4933bis-02
Thread-Index: AcoFZXnEUGL5r6YURci2FQADJAXtMgAEHd0kAAOyU5A=
References: <Pine.WNT.4.64.0907151047510.4872@SANDYM-LT.columbia.ads.sparta.com> <C6839129.119DC%william.polk@nist.gov>
From: "Hollenbeck, Scott" <shollenbeck@verisign.com>
To: "Polk, William T." <william.polk@nist.gov>, Sandra Murphy <sandy@sparta.com>
X-OriginalArrivalTime: 15 Jul 2009 19:49:14.0589 (UTC) FILETIME=[54DAB8D0:01CA0585]
Cc: iesg@ietf.org, Nicolas Williams <Nicolas.Williams@sun.com>, secdir@ietf.org
Subject: Re: [secdir] review of draft-hollenbeck-rfc4933bis-02
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Jul 2009 00:41:01 -0000

I don't have an issue with adding appropriate text to 4934bis.  Help in
coming up with something that's appropriate would be appreciated.
 
I'm a little concerned about adding text to 4930bis unless the text is
generic enough to apply to all potential transport protocols.  A
specific addition proposal would be very helpful.
 
-Scott-


________________________________

	From: Polk, William T. [mailto:william.polk@nist.gov] 
	Sent: Wednesday, July 15, 2009 1:59 PM
	To: Sandra Murphy; Hollenbeck, Scott
	Cc: Catherine Meadows; iesg@ietf.org; secdir@ietf.org; Nicolas
Williams
	Subject: Re: [secdir] review of draft-hollenbeck-rfc4933bis-02
	
	
	I'm a little late to the party, but I have been quietly mulling
over this problem as well.  Now that Sandy has explicitly asked for an
AD to step in, I figured I should participate more actively.  I have
also added Nico Williams to the CC list (my apologies, Nico) since
channel bindings is really his area of expertise.
	
	I think there is a real need for channel bindings with some
applications of EPP, but may not always be strictly necessary in other
cases.  For example, the e-Automation project for the administration of
DNS root zone uses EPP but if I recall correctly most of the objects
that are transferred are digitally signed objects.  In this case,
channel bindings are perhaps less important since we aren't relying
solely on the EPP authentication mechanism.  So, in my opinion we should
encourage their use but should not require channel bindings.  
	
	However, if the application is relying on EPP in combination
with transport for security, channel bindings would provide
significantly enhanced security.  That says channel bindings deserves to
be mentioned and a little guidance on (1) implementing channel bindings
and (2) determining when channel bindings is required.  That begs a new
question of course - where does this information go?
	
	I am starting to believe that the security considerations
section of 4930bis should note that enhanced security SHOULD be achieved
through channel bindings unless the application involves digitally
signed objects, and that the TLS usage section of 4934bis (section 9)
should include a pointer to techniques for implementing channel bindings
with TLS.  I am still mulling this over, and will probably not enter any
discuss until tomorrow, but this seems the best approach.  (Hopefully
Nico will weigh in before then and keep me straight on this one...)
	
	Tim Polk
	
	
	On 7/15/09 10:51 AM, "Sandra Murphy" <sandy@sparta.com> wrote:
	
	

		(Note to all.  I sent multiple secdir related messages
yesterday
		afternoon, and they all were mangled or ultimately not
delivered.  So this
		is a repeat that some og the recipients may already have
seen.
		Apologies for the technology failure.)
		
		
		
		On Tue, 7 Jul 2009, Scott Hollenbeck said:
		
		
		>There was no follow-up, so I remain a little unsure of
how to address
		>the comment.  Similarly, I need a clarification to know
if the text
		>change suggested below is best made in 4933bis.
		
		Yes, I am guilty of not following up.  I was unsure of
my understanding
		of channel binding issues, none of the other reviewers
of the rfc493*
		suite made any notice of the issue, and, as you note
here, the
		issue is really in the base spec, not 4933.  I just had
no idea
		what the right process would be, if any.
		
		Subsequent discussion and review of material make me
more confident
		that there is, indeed, a channel binding issue here.
		
		The question is what to do about it.  This is an
established protocol.
		Would a security considerations section in 4930bis that
pointed out
		that there's a MITM attack possible here, because of the
lack of
		channel binding, be sufficient?  Or would pointing to
the sasl-gs2
		work as a protection be mentioned?  suggested?
mandated?
		
		I sure would love to see AD or subject matter experts
weigh in here
		on the technical and process aspects of this.
		
		--Sandy

v2.23.0 | Report a Bug | By Email