Re: [secdir] Secdir review of draft-kucherawy-authres-spf-erratum-01
Catherine Meadows <meadows@itd.nrl.navy.mil> Thu, 12 January 2012 17:36 UTC
Return-Path: <meadows@itd.nrl.navy.mil>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F027221F85B6; Thu, 12 Jan 2012 09:36:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rj4ivSmx6tTh; Thu, 12 Jan 2012 09:36:00 -0800 (PST)
Received: from fw5540.nrl.navy.mil (fw5540.nrl.navy.mil [132.250.196.100]) by ietfa.amsl.com (Postfix) with ESMTP id 32A8021F859B; Thu, 12 Jan 2012 09:35:59 -0800 (PST)
Received: from chacs.nrl.navy.mil (sun1.fw5540.net [10.0.0.11]) by fw5540.nrl.navy.mil (8.13.8/8.13.6) with ESMTP id q0CHZwmW010515; Thu, 12 Jan 2012 12:35:58 -0500 (EST)
Received: from chacs.nrl.navy.mil (sun1 [10.0.0.11]) by chacs.nrl.navy.mil (8.13.8/8.13.6) with SMTP id q0CHZwgW022675; Thu, 12 Jan 2012 12:35:58 -0500 (EST)
Received: from siduri.fw5540.net ([10.0.3.73]) by chacs.nrl.navy.mil (SMSSMTP 4.1.16.48) with SMTP id M2012011212355729234 ; Thu, 12 Jan 2012 12:35:57 -0500
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: multipart/alternative; boundary="Apple-Mail-10-190842733"
From: Catherine Meadows <meadows@itd.nrl.navy.mil>
In-Reply-To: <F5833273385BB34F99288B3648C4F06F19C6C15848@EXCH-C2.corp.cloudmark.com>
Date: Thu, 12 Jan 2012 12:46:33 -0500
Message-Id: <A6C9F6AF-2957-4305-8A51-25B3FFA52426@itd.nrl.navy.mil>
References: <8991BA91-8252-4DCF-8FCA-DEF5C04632D6@itd.nrl.navy.mil> <F5833273385BB34F99288B3648C4F06F19C6C15848@EXCH-C2.corp.cloudmark.com>
To: "Murray S. Kucherawy" <msk@cloudmark.com>
X-Mailer: Apple Mail (2.1084)
Cc: "draft-kucherawy-authres-spf-erratum.all@tools.ietf.org" <draft-kucherawy-authres-spf-erratum.all@tools.ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, Catherine Meadows <meadows@itd.nrl.navy.mil>, "iesg@ietf.org" <iesg@ietf.org>
Subject: Re: [secdir] Secdir review of draft-kucherawy-authres-spf-erratum-01
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Jan 2012 17:36:01 -0000
OK, sounds good! Cathy Catherine Meadows Naval Research Laboratory Code 5543 4555 Overlook Ave., S.W. Washington DC, 20375 phone: 202-767-3490 fax: 202-404-7942 email: catherine.meadows@nrl.navy.mil On Jan 12, 2012, at 12:24 PM, Murray S. Kucherawy wrote: > --> > Hi Catherine, thanks for your comments. > > > > The language chosen is basically acknowledgement that few if any implementations ever actually used “hardfail”. The error was pointed out not long after RFC5451 was published and all of the implementations I know of did it properly from the beginning. So the posture is really one of “In case anyone ever did do it the wrong way, ….” > > > > Also, the word “recommended” has specific meaning under RFC2119 and it’s my understanding that use of such normative language in Security Considerations ought to be avoided. > > > > Given all that, I’d be fine with saying “implementers are advised” versus “cautious implementers may wish”. I’ll add that to the -02 version. > > > > -MSK > > > > From: Catherine Meadows [mailto:meadows@itd.nrl.navy.mil] > Sent: Thursday, January 12, 2012 9:25 AM > To: iesg@ietf.org; secdir@ietf.org; draft-kucherawy-authres-spf-erratum.all@tools.ietf.org > Cc: Catherine Meadows > Subject: Secdir review of draft-kucherawy-authres-spf-erratum-01 > > > > This ID is definitely security relevant, as use of the wrong header could > > cause a failure to recognize a failed authorization. Thus in the Security Considerations > > section the authors say that "cautious implementers may wish to support both > > result strings for some period of time." > > > > One quibble: I believe that the above is good advice, but it seems a little hesitant. Why the use > > of the words "cautious" and "may"? Why not say that "we recommend that"? Even if failure > > to recognize a failed authorization doesn't lead to any immediate security problem, > > it could prevent recognition of a potential attack, or more benignly, of a possible > > misconfiguration. > > > > > > Catherine Meadows > Naval Research Laboratory > Code 5543 > 4555 Overlook Ave., S.W. > Washington DC, 20375 > phone: 202-767-3490 > fax: 202-404-7942 > email: catherine.meadows@nrl.navy.mil > > >
- [secdir] Secdir review of draft-kucherawy-authres… Catherine Meadows
- Re: [secdir] Secdir review of draft-kucherawy-aut… Catherine Meadows
- Re: [secdir] Secdir review of draft-kucherawy-aut… Murray S. Kucherawy