Re: [secdir] Recurring issues found during sec review

Russ Housley <housley@vigilsec.com> Tue, 23 July 2019 14:24 UTC

From: Russ Housley <housley@vigilsec.com>
Date: Tue, 23 Jul 2019 10:24:07 -0400
Cc: IETF SecDir <secdir@ietf.org>
To: "Roman D. Danyliw" <rdd@cert.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/vo0FENgfiZrIAQEFaG98QTq0ZNk>

Please add "Do not make up your own cryptography".  I have not seen it in a while, but when I see it, it is poorly done.

Russ


> On Jul 23, 2019, at 9:46 AM, Roman Danyliw <rdd@cert.org> wrote:
> 
> Hi!
> 
> As an IESG initiative, each of the areas is pulling together a list of "recurring issues" found by their areas during area review (e.g., secdir, iotdir, genart, opsdir, tsvart) and IESG review.  The intent is to provide informal, but not comprehensive, guidance to draft authors and their WG chairs with the intent to find issues earlier.  Ben and I made the following initial list:
> 
> https://trac.ietf.org/trac/sec/wiki/TypicalSECAreaIssues
> 
> Welcome feedback and refinement!
> 
> Regards,
> Roman and Ben
> 
> 