Re: [secdir] secdir review of draft-ietf-alto-protocol

"Dan Harkins" <dharkins@lounge.org> Mon, 03 February 2014 02:18 UTC

Return-Path: <dharkins@lounge.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B99F1A0155; Sun, 2 Feb 2014 18:18:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.867
X-Spam-Level:
X-Spam-Status: No, score=-3.867 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mrNKMRAs090y; Sun, 2 Feb 2014 18:18:53 -0800 (PST)
Received: from colo.trepanning.net (colo.trepanning.net [69.55.226.174]) by ietfa.amsl.com (Postfix) with ESMTP id 60A261A014F; Sun, 2 Feb 2014 18:18:53 -0800 (PST)
Received: from www.trepanning.net (localhost [127.0.0.1]) by colo.trepanning.net (Postfix) with ESMTP id E8F3A1022400A; Sun, 2 Feb 2014 18:18:48 -0800 (PST)
Received: from 69.12.173.8 (SquirrelMail authenticated user dharkins@lounge.org) by www.trepanning.net with HTTP; Sun, 2 Feb 2014 18:18:49 -0800 (PST)
Message-ID: <da73c71ef15cf9aab5d0a7c37bda1522.squirrel@www.trepanning.net>
In-Reply-To: <1391369584.4360.72.camel@destiny.pc.cs.cmu.edu>
References: <23845_1391280851_s11IsAD0008772_cd3fb9f2748d08183af6652c0d58f61a.squirrel@www.trepanning.net> <1391369584.4360.72.camel@destiny.pc.cs.cmu.edu>
Date: Sun, 02 Feb 2014 18:18:49 -0800
From: Dan Harkins <dharkins@lounge.org>
To: Jeffrey Hutzelman <jhutz@cmu.edu>
User-Agent: SquirrelMail/1.4.14 [SVN]
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Cc: iesg@ietf.org, draft-ietf-alto-protocol.all@tools.ietf.org, secdir@ietf.org, jhutz@cmu.edu
Subject: Re: [secdir] secdir review of draft-ietf-alto-protocol
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Feb 2014 02:18:54 -0000

On Sun, February 2, 2014 11:33 am, Jeffrey Hutzelman wrote:
> On Sat, 2014-02-01 at 10:54 -0800, Dan Harkins wrote:
>>   - 8.3.5, encryption and integrity protection go hand-in-hand,
>>      they cannot be "and/or".
>
> Huh?  That's not true.  Confidentiality and integrity are separable, and
> it is common to want one without the other.  As it turns out, neither
> TLS nor SSH generally gives you that option, but the and/or is about
> which features you need, not what is practical.

  They may be separable but you don't want to separate them. You
never want to do encryption without integrity protection. You can
do integrity protection without encryption though and there are
TLS ciphersuites to give you that-- TLS_RSA_WITH_NULL_SHA256--
but there are none that give you encryption without also giving you
integrity protection.

  You can address the comment by swapping terms, i.e. say "integrity
protection and/or encryption".

  Dan.
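The point argued in the message above (that encryption without integrity protection is unsafe, while integrity without encryption is a legitimate choice, as with the TLS NULL-cipher suites) can be shown concretely. The following is an added example and not code from the e-mail thread or from the ALTO draft. It uses a toy stream cipher whose keystream is HMAC-SHA256 over a nonce and counter, as a stand-in for any real CTR-mode or stream cipher (AES-CTR, ChaCha20); the keys, nonce and the "transfer" message are constructed for the demonstration. An attacker who knows the plaintext layout can flip bits in the ciphertext and change the decrypted amount without the key; an encrypt-then-MAC tag rejects the edit, and a MAC-only construction also rejects it while leaving the message readable on the wire.

```python
"""Malleability of encryption-only versus encrypt-then-MAC and MAC-only.

Added example, not from the original thread.  The stream cipher is a toy
(keystream = HMAC-SHA256(key, nonce || counter)); every real stream or
CTR-mode cipher has the same bit-flipping property.  Keys, nonce and the
message below are constructed for the demonstration.
"""
import hashlib
import hmac

# Constructed, fixed keys so the demo is deterministic (never do this for real).
ENC_KEY = b"e" * 32
MAC_KEY = b"m" * 32
NONCE = bytes(12)
MESSAGE = b"transfer amount=0100 to=alice"
AMOUNT_OFFSET = len(b"transfer amount=")  # where the 4-digit amount starts


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from a PRF; stand-in for AES-CTR/ChaCha20."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def stream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; decryption is the same operation."""
    return bytes(p ^ k for p, k in zip(data, keystream(key, nonce, len(data))))


stream_decrypt = stream_encrypt


def flip_field(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker edit: without the key, rewrite a known plaintext field.

    Because ct = pt XOR ks, XORing (old XOR new) into ct turns old into new.
    """
    assert len(old) == len(new)
    ct = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        ct[offset + i] ^= o ^ n
    return bytes(ct)


# Encryption + integrity (encrypt-then-MAC, what a real AEAD suite gives you).
def etm_seal(enc_key: bytes, mac_key: bytes, nonce: bytes, pt: bytes):
    ct = stream_encrypt(enc_key, nonce, pt)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct, tag


def etm_open(enc_key: bytes, mac_key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    return stream_decrypt(enc_key, nonce, ct)


# Integrity only (the shape of a TLS NULL-cipher suite): readable but tamper-evident.
def mac_only_seal(mac_key: bytes, pt: bytes):
    return pt, hmac.new(mac_key, pt, hashlib.sha256).digest()


def mac_only_open(mac_key: bytes, pt: bytes, tag: bytes) -> bytes:
    if not hmac.compare_digest(hmac.new(mac_key, pt, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")
    return pt


def demo() -> dict:
    """Run the three constructions against the same tampering and report."""
    results = {}

    # 1. Encryption only: the receiver happily decrypts the attacker's amount.
    ct = stream_encrypt(ENC_KEY, NONCE, MESSAGE)
    tampered = flip_field(ct, AMOUNT_OFFSET, b"0100", b"9100")
    results["encrypt_only_decrypts_tampered_to"] = stream_decrypt(ENC_KEY, NONCE, tampered)

    # 2. Encrypt-then-MAC: the same edit is rejected before decryption.
    ct, tag = etm_seal(ENC_KEY, MAC_KEY, NONCE, MESSAGE)
    tampered = flip_field(ct, AMOUNT_OFFSET, b"0100", b"9100")
    try:
        etm_open(ENC_KEY, MAC_KEY, NONCE, tampered, tag)
        results["etm_rejects_tamper"] = False
    except ValueError:
        results["etm_rejects_tamper"] = True

    # 3. MAC only: plaintext is visible on the wire, but edits are rejected.
    pt, tag = mac_only_seal(MAC_KEY, MESSAGE)
    results["mac_only_plaintext_on_wire"] = pt
    edited = pt.replace(b"0100", b"9100")
    try:
        mac_only_open(MAC_KEY, edited, tag)
        results["mac_only_rejects_tamper"] = False
    except ValueError:
        results["mac_only_rejects_tamper"] = True
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The first result is the one that matters for the "and/or" wording: a receiver using encryption alone has no way to tell the forged amount from a genuine one, which is why no TLS ciphersuite offers encryption without an integrity mechanism.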