Re: [secdir] [taugh.com-standards] Security review of draft-levine-herkula-oneclick-05
Ben Laurie <benl@google.com> Sun, 18 September 2016 17:05 UTC
Return-Path: <benl@google.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4119212B140 for <secdir@ietfa.amsl.com>; Sun, 18 Sep 2016 10:05:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.317
X-Spam-Level:
X-Spam-Status: No, score=-4.317 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-2.316, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dcuabaPWATd1 for <secdir@ietfa.amsl.com>; Sun, 18 Sep 2016 10:05:53 -0700 (PDT)
Received: from mail-yb0-x232.google.com (mail-yb0-x232.google.com [IPv6:2607:f8b0:4002:c09::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B52D912B142 for <secdir@ietf.org>; Sun, 18 Sep 2016 10:05:52 -0700 (PDT)
Received: by mail-yb0-x232.google.com with SMTP id i66so69287840yba.0 for <secdir@ietf.org>; Sun, 18 Sep 2016 10:05:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=mHuW8uh/Q2Cnolzx366iceqjLaZtGLLUDHT/wWL9kek=; b=VFsb6usGPNxpWlE8e8uduKnxeGEXyTnrMjXe58I9tHPeJ7gyiZDAWP2TDjzfoF7EYE EwPzmhx0peLoRuXCCK5F0mRYvSfDZ1cJoAL3jrSvf7pOyOd5ppNBmbcQqHHWkZwsfMPH s8fGieCbdUTMoxdg14f9ibLEMFISAgeOwQtuPqyd5+rcVztAoPpP8oL4yjkYfBpOEbLp +W0qQevZ8t/+QBrY/RIx1EJ2AB9B5nD1D0BWJJC+9PZc23SS5qqHGcQwp1MyDfu61tuE H25waJFNBZIlOiCoiz3A/DvS+qFQ7EVhZ9vt2O15cbqGbuAhoyDvtSfSjcy9ejKWd4iw 5AwQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=mHuW8uh/Q2Cnolzx366iceqjLaZtGLLUDHT/wWL9kek=; b=BrphsDOZaPWpfqK6De0VyXxrn+z1eOjiqv4rmBzby1XfN9kz+kPDaMyj0BJmxQAOrv YFw3YPNj/VpY0lgn1DC1uOfpOL12qmorDPpkjhArxRuZ24ycfkp+7Jn+ls5nOjrf+0aY vBbCG6XzlLF3ngfbxLvK+zRvtW5/wxBGRNM/ZTlAXeRC0io+o8Pm+RP2xmdHVnKxyVSh +eFo0ePEmR2b0QgUbzfbDc1hd9f7PWblE1cXNIse/lyewha1AUoo6AwdyL+3ydXPYZjA svSF+jUenXTTPX+mmR4mCEP1fjbQTnHvPMh6qmU4ik+GeAEZ+AVOxmsDUB539nILfGrC uWAw==
X-Gm-Message-State: AE9vXwNhpTbCNfxOdyahot7uvbrXCUfLnILd5N3V6nB+gEeRvJ5dpmWSY4woEeulsJrbVDemEY754SP/AkRlac2s
X-Received: by 10.37.44.23 with SMTP id s23mr21051054ybs.18.1474218351840; Sun, 18 Sep 2016 10:05:51 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.31.148.11 with HTTP; Sun, 18 Sep 2016 10:05:51 -0700 (PDT)
In-Reply-To: <alpine.OSX.2.11.1609181216340.4398@ary.lan>
References: <CABrd9SQt9K+78WOm9aO_fObrvThKCVKyXAVF6WVmm=bN8c9bvw@mail.gmail.com> <alpine.OSX.2.11.1609181216340.4398@ary.lan>
From: Ben Laurie <benl@google.com>
Date: Sun, 18 Sep 2016 18:05:51 +0100
Message-ID: <CABrd9SSFCb7XdVFmLW6-OAtoo_7d-=Uivq0ax2v6iJKx=TusUg@mail.gmail.com>
To: "John R. Levine" <johnl@iecc.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/Xllc8Y2fFTJV4_8_Spldqk1mUJ0>
Cc: draft-levine-herkula-oneclick.all@ietf.org, Paul Kincaid-Smith <paulkincaidsmith@gmail.com>, The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] [taugh.com-standards] Security review of draft-levine-herkula-oneclick-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 18 Sep 2016 17:05:54 -0000
On 18 September 2016 at 17:18, John R. Levine <johnl@iecc.com> wrote: >> "The URI and POST arguments SHOULD include a hard to forge component >> such as an HMAC (RFC 2104) of the other components, using a secret >> key, in addition to or instead of the plain-text names of the list and >> the subscriber." >> >> Although its kinda obvious, you should probably also say that the >> server SHOULD verify this HMAC. > > > It couldn't hurt, I'll put it into the -06. > >> Finally, since the URI argument is the subject of an existing RFC >> (2369) that RFC should probably be updated to include this advice. > > > I don't think that's right. The usual way to verify a 2369 unsubscribe is > to ask for confirmation, either in a web page if the URI is an http or > https, or by writing back if it's mailto:. That doesn't change for the > current GET syntax of 2369. If the goal is to prevent spoofed mails leading to unsubscription, then it applies in either case.
- [secdir] Security review of draft-levine-herkula-… Ben Laurie
- Re: [secdir] [taugh.com-standards] Security revie… John R. Levine
- Re: [secdir] [taugh.com-standards] Security revie… Ben Laurie
- Re: [secdir] [taugh.com-standards] Security revie… Ben Laurie
- Re: [secdir] [taugh.com-standards] Security revie… John R. Levine
- Re: [secdir] [taugh.com-standards] Re:Security re… John R. Levine
- Re: [secdir] [taugh.com-standards] Re:Security re… John R. Levine
- Re: [secdir] [taugh.com-standards] Re:Security re… Ben Laurie