[secdir] Secdir last call review of draft-ietf-capport-rfc7710bis-04

Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com> Fri, 15 May 2020 12:47 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/uzYemiOBpw5DlLghpkQU1dJlJDs>

Hi Martin,

Sorry, I missed this message as I changed email address because some
spammers have been sending spam with my email address as the sender, and as
a result I would get angry emails from the spam targets.


Here is a quote from the API document:
"The hostname of the API SHOULD be displayed to the user in order to
indicate the entity which is providing the API service."

This seems to suggest that the user is expected to inspect the displayed
name and make sure it makes sense in the context of whoever is providing
that service.


Here is a quote from this document:
"An attacker with the ability to inject DHCP messages or RAs could
include an option from this document to force users to contact an
address of his choosing.  As an attacker with this capability could
simply list himself as the default gateway (and so intercept all the
victim's traffic); this does not provide them with significantly more
capabilities, *but because this document removes the need for
interception, the attacker may have an easier time performing the
attack*."


Since this would be an easier attack compared to the interception attack,
and an IP address is still permitted, then an attacker might force the use of
an IP address to make it harder for the user to make sense of the displayed
name.

Regards,
 Rifaat

[adding back some lists]

-Ben

On Wed, May 06, 2020 at 02:37:39PM +1000, Martin Thomson wrote:
> What does "extra cautious" mean?  I assume that this is intended to apply to what a human might do, further implying that there is a role for a human decision.
>
> None of this architecture requires the involvement of a human in this way. Nor do I think that there is any meaningful distinction between an opaque string of characters (that might include confusables) and an opaque string of digits.
>
> I appreciate the sentiment here, but the fundamental problem is that once you decide that this information is not from the network, it is useless. If it is from the network, it is only of limited use. That use cannot depend on the identity of the server, so there is no value in any sort of caution.
>
> On Wed, May 6, 2020, at 13:36, Benjamin Kaduk wrote:
> > [My unicast reminder got a unicast reply; forwarding to someplace at least
> > vaguely useful.]
> >
> > -Ben
> >
> > On Tue, May 05, 2020 at 07:57:14PM -0400, Rifaat Shekh-Yusef wrote:
> > > Thanks for the reminder Ben.
> > >
> > > Erik,
> > >
> > > Since this document allows the use of an IP address to represent the portal
> > > URI, I think it would be important to add some text that explicitly states
> > > that the user might be presented with an IP address instead of the hostname
> > > of the API, and in that case the user should be extra cautious when this
> > > happens.
> > >
> > > Regards,
> > >  Rifaat
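
An added example, not part of the thread or of either draft: one way a client UI could classify the host of a captive-portal API URI learned from DHCP or an RA before displaying it, so that an IP literal (the case raised in this thread) or an internationalized name is labelled as such. The function name, the labels and the sample URIs are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def describe_portal_uri(uri: str) -> dict:
    """Classify the host of a captive-portal API URI for display (hypothetical helper)."""
    info = {"display": "", "kind": "invalid", "warnings": []}
    try:
        parts = urlsplit(uri)
        host = parts.hostname or ""
    except ValueError:          # e.g. malformed bracketed IPv6 literal
        info["warnings"].append("unparseable URI")
        return info
    if not host:
        info["warnings"].append("no host component")
        return info

    info["display"] = host
    if parts.scheme.lower() != "https":
        info["warnings"].append("not https")

    try:
        ipaddress.ip_address(host)
        info["kind"] = "ip-literal"
        info["warnings"].append("host is an IP address, not a name")
        return info
    except ValueError:
        pass                    # not an IP literal, treat as a DNS name

    labels = host.split(".")
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        # Internationalized name: may render with confusable characters.
        info["kind"] = "idn-name"
        info["warnings"].append("internationalized name, show A-label too")
    else:
        info["kind"] = "dns-name"
    return info


# Constructed sample URIs (documentation address ranges and example domains).
SAMPLES = [
    "https://portal.example.net/captive/api",
    "https://192.0.2.1/captive/api",
    "https://[2001:db8::1]:8443/api",
    "https://xn--prtal-0ra.example/api",
    "http://portal.example.net/api",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(uri, "->", describe_portal_uri(uri))
```
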