IETF Logo Mail Archive

Re: [secdir] Secdir review of draft-hollenbeck-rfc4930bis-02

Sandra Murphy <sandy@sparta.com> Wed, 15 July 2009 15:39 UTC

Return-Path: <Sandra.Murphy@cobham.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 310B23A6AB0; Wed, 15 Jul 2009 08:39:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.537
X-Spam-Level:
X-Spam-Status: No, score=-2.537 tagged_above=-999 required=5 tests=[AWL=0.062, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1rpjch2JDARw; Wed, 15 Jul 2009 08:39:48 -0700 (PDT)
Received: from M4.sparta.com (M4.sparta.com [157.185.61.2]) by core3.amsl.com (Postfix) with ESMTP id 4448C28C0FA; Wed, 15 Jul 2009 08:38:55 -0700 (PDT)
Received: from Beta5.sparta.com (beta5.sparta.com [157.185.63.21]) by M4.sparta.com (8.13.5/8.13.5) with ESMTP id n6FFbSfp022936; Wed, 15 Jul 2009 10:37:28 -0500
Received: from nemo.columbia.ads.sparta.com (nemo.columbia.sparta.com [157.185.80.75]) by Beta5.sparta.com (8.13.8/8.13.8) with ESMTP id n6FFbSNi004327; Wed, 15 Jul 2009 10:37:28 -0500
Received: from SANDYM-LT.columbia.ads.sparta.com ([157.185.81.126]) by nemo.columbia.ads.sparta.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959); Wed, 15 Jul 2009 11:37:28 -0400
Date: Wed, 15 Jul 2009 11:37:27 -0400
From: Sandra Murphy <sandy@sparta.com>
To: "Hollenbeck, Scott" <shollenbeck@verisign.com>
In-Reply-To: <046F43A8D79C794FA4733814869CDF07025CD275@dul1wnexmb01.vcorp.ad.vrsn.com>
Message-ID: <Pine.WNT.4.64.0907151127100.4872@SANDYM-LT.columbia.ads.sparta.com>
References: <046F43A8D79C794FA4733814869CDF07025CD275@dul1wnexmb01.vcorp.ad.vrsn.com>
X-X-Sender: sandy@nemo.columbia.sparta.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
X-OriginalArrivalTime: 15 Jul 2009 15:37:28.0280 (UTC) FILETIME=[28CAE580:01CA0562]
Cc: secdir@ietf.org, iesg@ietf.org
Subject: Re: [secdir] Secdir review of draft-hollenbeck-rfc4930bis-02
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jul 2009 15:39:49 -0000

On Tue, 14 Jul 2009, Hollenbeck, Scott wrote:

> Doesn't TLS provide protections for this issue?
>
> -Scott-


(a) rfc4930 does not mandate use of TLS as a tranport connection, by 
design (so I don't know why you mention it):

    EPP is intended for use in diverse operating environments where
    transport and security requirements vary greatly.  It is unlikely
    that a single transport or security specification will meet the needs
    of all anticipated operators, so EPP was designed for use in a
    layered protocol environment.  Bindings to specific transport and
    security protocols are outside the scope of this specification.

(b) There are defined channel bindings for TLS.  See the recently 
published draft-altman-tls-channel-bindings-05.txt.  This isn't a free 
ride, however -- note the places where that draft mentions the need to 
modify firmware or software:

    Therefore 'tls-unique' is generally better than 'tls-server-end-
    point'.  However, 'tls-server-end-point' may be used with existing
    TLS server-side proxies ("concentrators") without modification to the
    proxies, whereas 'tls-unique' may require firmware or software
    updates to server-side proxies.  Therefore there may be cases where
    'tls-server-end-point' may interoperate but where 'tls-unique' may
    not.


--Sandy

v2.23.0 | Report a Bug | By Email