Re: [secdir] review of draft-hollenbeck-rfc4933bis-02
"Hollenbeck, Scott" <shollenbeck@verisign.com> Tue, 07 July 2009 20:46 UTC
Return-Path: <shollenbeck@verisign.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D75CB3A6967; Tue, 7 Jul 2009 13:46:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[AWL=-0.001, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BBDEhT3TBq73; Tue, 7 Jul 2009 13:46:08 -0700 (PDT)
Received: from peregrine.verisign.com (peregrine.verisign.com [216.168.239.74]) by core3.amsl.com (Postfix) with ESMTP id 7CE553A688C; Tue, 7 Jul 2009 13:46:08 -0700 (PDT)
Received: from dul1wnexcn02.vcorp.ad.vrsn.com (dul1wnexcn02.vcorp.ad.vrsn.com [10.170.12.139]) by peregrine.verisign.com (8.13.6/8.13.4) with ESMTP id n67Jek5h003019; Tue, 7 Jul 2009 15:41:26 -0400
Received: from dul1wnexmb01.vcorp.ad.vrsn.com ([10.170.12.134]) by dul1wnexcn02.vcorp.ad.vrsn.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 7 Jul 2009 15:52:05 -0400
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C9FF3C.66B71721"
Date: Tue, 07 Jul 2009 15:52:03 -0400
Message-ID: <046F43A8D79C794FA4733814869CDF0702B8DA2E@dul1wnexmb01.vcorp.ad.vrsn.com>
In-Reply-To: <897517DC-2F59-440A-BD63-BD71E1AF4421@nrl.navy.mil>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: review of draft-hollenbeck-rfc4933bis-02
Thread-Index: Acn+UgpuDYWKSgOJQuyUxQ2fFNSRxwA6Q7vg
References: <897517DC-2F59-440A-BD63-BD71E1AF4421@nrl.navy.mil>
From: "Hollenbeck, Scott" <shollenbeck@verisign.com>
To: Catherine Meadows <catherine.meadows@nrl.navy.mil>, secdir@ietf.org, iesg@ietf.org
X-OriginalArrivalTime: 07 Jul 2009 19:52:05.0490 (UTC) FILETIME=[676A2520:01C9FF3C]
Subject: Re: [secdir] review of draft-hollenbeck-rfc4933bis-02
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jul 2009 20:46:10 -0000
I made this statement in my response to Sandy: "I would need more specific information to know if there's something to be done with this comment. Reliance on security mechanisms provided at the transport layer has been part of this specification since day one. I am not aware of any implementation issues." There was no follow-up, so I remain a little unsure of how to address the comment. Similarly, I need a clarification to know if the text change suggested below is best made in 4933bis. There's a separate document that addresses EPP transport over TCP. If the channel binding issue is primarily an issue with TCP (is it?), I'd prefer to address it in the TCP mapping document (4934bis). If it's more focused on the application-layer exchange of authorization information I'm OK with making the text change suggested below in 4933bis. I should note that the same text exists in 4931bis so I'd need to change it there as well. So - where is the most appropriate place to add text? -Scott- ________________________________ From: Catherine Meadows [mailto:catherine.meadows@nrl.navy.mil] Sent: Monday, July 06, 2009 11:53 AM To: secdir@ietf.org; iesg@ietf.org; Hollenbeck, Scott Cc: Catherine Meadows Subject: review of draft-hollenbeck-rfc4933bis-02 I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. Quote from last review: "The draft updates RFC 4933, the EPP Contacts Mapping spec. The updates listed are relatively minor - updates to references and a few minor updates to text." Version 1 has reviewed recently (June 10, by Sandy Murphy) and the author already made the changes that were agreed upon in following discussion. Everything mostly looks OK to me, but there is one issue that never got completely resolved as far as I can tell from what I saw online. This is the question of channel binding issues as described RFC 4953. I'm having trouble accessing that document right now, but apparently the issue is that low-level authentication mechanisms will not provide any distinction between channels at a higher level. This can make it possible for someone with access to the authentication mechanisms to spoof different channels. In particular, if the EPP authorization information is protected with lower-level authentication mechanisms this could be the case. Unless there is good reason to believe that this sort of attack is impossible (in which case it would be a good idea to say why) it might be good that Both client and server MUST ensure that authorization information is stored and exchanged with high-grade encryption mechanisms to provide privacy services. be changed to Both client and server MUST ensure that authorization information is stored and exchanged with high-grade encryption mechanisms to provide privacy and authentication services at the appropriate level of granularity. Catherine Meadows Naval Research Laboratory Code 5543 4555 Overlook Ave., S.W. Washington DC, 20375 phone: 202-767-3490 fax: 202-404-7942 email: catherine.meadows@nrl.navy.mil
- [secdir] review of draft-hollenbeck-rfc4933bis-02 Catherine Meadows
- Re: [secdir] review of draft-hollenbeck-rfc4933bi… Hollenbeck, Scott
- Re: [secdir] review of draft-hollenbeck-rfc4933bi… Catherine Meadows
- Re: [secdir] review of draft-hollenbeck-rfc4933bi… Hollenbeck, Scott
- Re: [secdir] review of draft-hollenbeck-rfc4933bi… Sandra Murphy
- Re: [secdir] review of draft-hollenbeck-rfc4933bi… Polk, William T.
- Re: [secdir] review of draft-hollenbeck-rfc4933bi… Hollenbeck, Scott
- Re: [secdir] review of draft-hollenbeck-rfc4933bi… Alexey Melnikov
- Re: [secdir] review of draft-hollenbeck-rfc4933bi… Polk, William T.
- Re: [secdir] review of draft-hollenbeck-rfc4933bi… Polk, William T.
- Re: [secdir] review of draft-hollenbeck-rfc4933bi… Nicolas Williams
- Re: [secdir] review of draft-hollenbeck-rfc4933bi… Sandra Murphy
- Re: [secdir] review of draft-hollenbeck-rfc4933bi… Hollenbeck, Scott
- Re: [secdir] review of draft-hollenbeck-rfc4933bi… Nicolas Williams