IETF Logo Mail Archive

Re: [secdir] review of draft-hollenbeck-rfc4933bis-02

"Hollenbeck, Scott" <shollenbeck@verisign.com> Thu, 16 July 2009 16:07 UTC

Return-Path: <shollenbeck@verisign.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C58F53A6930; Thu, 16 Jul 2009 09:07:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id est7esOJmn4H; Thu, 16 Jul 2009 09:07:05 -0700 (PDT)
Received: from osprey.verisign.com (osprey.verisign.com [216.168.239.75]) by core3.amsl.com (Postfix) with ESMTP id B40903A6DB9; Thu, 16 Jul 2009 09:07:05 -0700 (PDT)
Received: from dul1wnexcn02.vcorp.ad.vrsn.com (dul1wnexcn02.vcorp.ad.vrsn.com [10.170.12.139]) by osprey.verisign.com (8.13.6/8.13.4) with ESMTP id n6GFsa2c003771; Thu, 16 Jul 2009 11:54:36 -0400
Received: from dul1wnexmb01.vcorp.ad.vrsn.com ([10.170.12.134]) by dul1wnexcn02.vcorp.ad.vrsn.com with Microsoft SMTPSVC(6.0.3790.3959); Thu, 16 Jul 2009 12:06:52 -0400
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Date: Thu, 16 Jul 2009 12:06:51 -0400
Message-ID: <046F43A8D79C794FA4733814869CDF0702B8DF05@dul1wnexmb01.vcorp.ad.vrsn.com>
In-Reply-To: <Pine.WNT.4.64.0907161151370.4816@SANDYM-LT.columbia.ads.sparta.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [secdir] review of draft-hollenbeck-rfc4933bis-02
Thread-Index: AcoGLuISCQv7N5l1ThuUAr1OH9enpwAADFhA
References: <C684B760.11AC5%tim.polk@nist.gov> <Pine.WNT.4.64.0907161151370.4816@SANDYM-LT.columbia.ads.sparta.com>
From: "Hollenbeck, Scott" <shollenbeck@verisign.com>
To: Sandra Murphy <sandy@sparta.com>, "Polk, William T." <william.polk@nist.gov>
X-OriginalArrivalTime: 16 Jul 2009 16:06:52.0767 (UTC) FILETIME=[6EEBFEF0:01CA062F]
Cc: iesg@ietf.org, Nicolas Williams <Nicolas.Williams@sun.com>, secdir@ietf.org
Subject: Re: [secdir] review of draft-hollenbeck-rfc4933bis-02
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Jul 2009 16:07:06 -0000

> -----Original Message-----
> From: Sandra Murphy [mailto:sandy@sparta.com] 
> Sent: Thursday, July 16, 2009 12:01 PM
> To: Polk, William T.
> Cc: Alexey Melnikov; Hollenbeck, Scott; Catherine Meadows; 
> iesg@ietf.org; Nicolas Williams; secdir@ietf.org
> Subject: Re: [secdir] review of draft-hollenbeck-rfc4933bis-02
> 
> 
> On Thu, 16 Jul 2009, Polk, William T. wrote:
> 
> > Hi Alexey,
> >
> >
> > On 7/16/09 7:18 AM, "Alexey Melnikov" 
> <alexey.melnikov@isode.com> wrote:
> >
> >> Hi Tim,
> >>
> >> Polk, William T. wrote:
> >>
> >>> I¹m a little late to the party, but I have been quietly 
> mulling over 
> >>> this problem as well. Now that Sandy has explicitly asked 
> for an AD 
> >>> to step in, I figured I should participate more actively. I have 
> >>> also added Nico Williams to the CC list (my apologies, 
> Nico) since 
> >>> channel bindings is really his area of expertise.
> >>>
> >>> I think there is a real need for channel bindings with some 
> >>> applications of EPP, but may not always be strictly necessary in 
> >>> other cases. For example, the e-Automation project for the 
> >>> administration of DNS root zone uses EPP but if I recall 
> correctly 
> >>> most of the objects that are transferred are digitally signed 
> >>> objects. In this case, channel bindings are perhaps less 
> important 
> >>> since we aren¹t relying solely on the EPP authentication 
> mechanism. 
> >>> So, in my opinion we should encourage their use but 
> should not require channel bindings.
> >>
> >>>
> >>> However, if the application is relying on EPP in combination with 
> >>> transport for security, channel bindings would provide 
> significantly 
> >>> enhanced security. That says channel bindings deserves to be 
> >>> mentioned and a little guidance on (1) implementing 
> channel bindings 
> >>> and (2) determining when channel bindings is required. 
> That begs a 
> >>> new question of course ­ where does this information go?
> >>
> >> Nico's response confirmed what I was thinking about this 
> myself: for 
> >> EPP running over TLS over TCP (4934bis), channel bindings are not 
> >> required, because TLS authentication is mandatory and because TLS 
> >> server certificate verification procedure is also mandatory.
> >> So I don't think there is an issue with 4934bis document.
> >>
> >
> > I'm not so sure... TLS server certificate verification protects the 
> > client against a MITM attack.  The server has no way of knowing 
> > whether this procedure has been implemented.  So, the 
> server does not 
> > have all the protection it needs unless the TLS connection 
> uses client 
> > certificate authentication as well.
> >
> > Channel bindings would extend the level of assurance for the server.
> > Alternatively, mutual authentication using certificates 
> would resolve 
> > the problem as well.
> >
> >>> I am starting to believe that the security considerations 
> section of 
> >>> 4930bis should note that enhanced security SHOULD be achieved 
> >>> through channel bindings unless the application involves 
> digitally 
> >>> signed objects,
> >>
> >> I think another alternative can be to require mutual TLS 
> >> authentication in a transport protocol mapping document.
> >
> > I think that would be a great solution, and it wouldn't 
> need to tamper 
> > with EPP or 4934bis.  Any new EPP transport protocol 
> mappings in the works?
> 
> rfc4930bis mentions a couple of others in sect 2.1 Transport 
> Mapping Considerations
> 
>     -  The transport mapping MUST be onto a transport such as TCP
>        [RFC0793] or Stream Control Transmission Protocol 
> (SCTP) [RFC4960]
>        that provides congestion avoidance that follows RFC 2914
>        [RFC2914], or if it maps onto a protocol such as SMTP 
> [RFC5321] or
>        Blocks Extensible Exchange Protocol (BEEP) [RFC3080], then the
>        performance issues need to take into account issues of 
> overload,
>        server availability, and so forth.
> 
> I don't know how close to "in the works" those other 
> suggested examples are.
> 
> Later it says that EPP can be carried over both 
> connection-less and connection oriented transports.
> 
> And the security considerations section says that
> 
>                           EPP instances MUST be protected using
>     a transport mechanism or application protocol that provides
>     integrity, confidentiality, and mutual strong client-server
>     authentication.

I'm not aware of any other IETF work to develop a standards-track transport mapping for EPP.  I have heard that other transports are being used by ccTLDs (they often "roll their own" when it comes to how they operate), but I don't have specific info on-hand.

-Scott-

v2.23.0 | Report a Bug | By Email