Re: [Secdispatch] Numeric IDs: Update to RFC3552

Eric Rescorla <ekr@rtfm.com> Thu, 18 April 2019 23:10 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 436E6120112 for <secdispatch@ietfa.amsl.com>; Thu, 18 Apr 2019 16:10:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4hPOWmovheWD for <secdispatch@ietfa.amsl.com>; Thu, 18 Apr 2019 16:10:00 -0700 (PDT)
Received: from mail-lj1-x231.google.com (mail-lj1-x231.google.com [IPv6:2a00:1450:4864:20::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 89525120136 for <secdispatch@ietf.org>; Thu, 18 Apr 2019 16:09:59 -0700 (PDT)
Received: by mail-lj1-x231.google.com with SMTP id v13so3267540ljk.4 for <secdispatch@ietf.org>; Thu, 18 Apr 2019 16:09:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=sEYEMm84h3igtMKzB2xfgQJ7xJpK71RGldxJmcFuIrY=; b=S0qrAxahJ1UElm1B1fGO795GD7bos3Dunf/0eJkwpIHGjovFe3K6OBR6RQiUS7rNhu 9Nm8yxa0hZSnhaoHzhqQhmkjPww1+iI+APnCO6kVa2poYLevpO29f4D2CSKIdI9CvBkN 0cJDkqEYWk14iFyBRJ6uYProg2vFkGsAXAulWhAtuTOmkk6GiZ7j41dMFS0CCbP1laRo /v5aPm50TPZi97n+Ey5T/Trq3s65M66KZtwFgiZLFK+h8DGvU5x8I3QEsCKFpZru/HJX TC/kV/iIWgXOnbSKN7fQ3ZvHS411kPHhANMMEKMh5En+MrHsYYkubsSpy35iG4eni9gA rj9A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=sEYEMm84h3igtMKzB2xfgQJ7xJpK71RGldxJmcFuIrY=; b=fglxnL0PxnM0iovavqE5t77LCI0Z9DjY5Sh/ty81ifZr3i0vEHe+Kz8j2WJWX+75j0 PkfyPMoraeJe0S2HcIxB2nUEMh1/R7/RvRN+1kbz0rh1RXaWBylUc9XTVns+/mknWV8Y 6vOkUsUK0ZL4ffzMKOZjyBopoWdBCNWIGlzNmBbiyF5MwnK7EY2byYmffYMj/xU4PtEh Y7taIYAjHhCe1kERNJ5YMhmaZSr2RVdUsDGJY3gf3J/cImHvGh+Psb1fiVd6uB9ukeA7 wPZ4itLkRW5sBtwYqnuqxjOzdJpDZJi3aA7Kux4RXkaEW+Cl0bTxm5C2kpsgsPMjSDM7 uJpQ==
X-Gm-Message-State: APjAAAWoPPGKaSwflYfi7H2H8bv7gJIg7OAH4IUov7FrLKppbiCJVeEO Wa/AKy8dVtmyWqNYbBO3Z0+RNPgzEP+HGR9o+5z5kSgA
X-Google-Smtp-Source: APXvYqzNFDLi4dRO5mmwNGyb8V2r6trFjdT3xd7sRSHMsEkiIJkIf22+qBo7yeeTAgn6vltMkWJ5n2vcBn4swO3h/0Q=
X-Received: by 2002:a2e:81da:: with SMTP id s26mr426236ljg.86.1555628997590; Thu, 18 Apr 2019 16:09:57 -0700 (PDT)
MIME-Version: 1.0
References: <4ac730a6-73ca-74cd-e848-4a6645bd0403@si6networks.com> <CABcZeBOy6MB0OG2cs=EE6hWB4pXBuNzW=LcQ+1dKmJzHBOUR-g@mail.gmail.com> <bc733114-6f97-532b-02d5-2730e834340a@si6networks.com>
In-Reply-To: <bc733114-6f97-532b-02d5-2730e834340a@si6networks.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 18 Apr 2019 16:09:19 -0700
Message-ID: <CABcZeBPr2rfVkib684Gz4uCPWtFc4trwusJxNRJ6EPPpA=d0QA@mail.gmail.com>
To: Fernando Gont <fgont@si6networks.com>
Cc: =?UTF-8?Q?Iv=C3=A1n_Arce_=28Quarkslab=29?= <iarce@quarkslab.com>, IETF SecDispatch <secdispatch@ietf.org>, pearg@irtf.org, secdispatch-chairs@ietf.org
Content-Type: multipart/alternative; boundary="000000000000cdd5860586d619db"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/y4lNCtICx4KQq00zeUujoATovko>
Subject: Re: [Secdispatch] Numeric IDs: Update to RFC3552
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Apr 2019 23:10:02 -0000

On Thu, Apr 18, 2019 at 3:03 PM Fernando Gont <fgont@si6networks.com> wrote:

> On 18/4/19 15:45, Eric Rescorla wrote:
> >
> >
> > On Tue, Apr 16, 2019 at 2:07 AM Fernando Gont <fgont@si6networks.com
> > <mailto:fgont@si6networks.com>> wrote:
> >
> >     Folks,
> >
> >     At the last secdispatch meeting I presented our I-D
> >     draft-gont-predictable-numeric-ids.
> >
> >     >From the meeting discussion, it would seem to me that there is
> support
> >     for this work.
> >
> >     It would also seem to me that part of this work is to be pursued in
> an
> >     appropriate IRTF rg, while the update to RFC3552
> >     (draft-gont-numeric-ids-sec-considerations) should be pursued as an
> >     AD-sponsored document.
> >
> >
> > I'm somewhat skeptical on an update to 3552; the proposed set of things
> > to be improved seems unclear.
>
> Can you please state what's unclear?
>

I understand the list of things in your document. However, there have been
proposals for a larger revision to 3552. The proposed set of such revisions
is unclear, and it's not clear to me why your document fits into such a
revision.



> > I don't think that the material in this document should be added to
> > 3552, as the purpose of 3552 is not really to go into that kind of
> > detail about any specific topic.
>
> What I would expect is that RFC3552 helps prevent us from coming up with
> vulnerable implementations.


This is not the purpose of 3552. Rather, it is to document what is required
in a security considerations section in general (the threat model, an
overview of common issues, etc.)  rather than to go into detail about a
specific kind of attack. Otherwise, the amount of detail would become
impractical. Indeed, just covering the space of attacks on cryptographic
protocols would be impractical. One might imagine that if there were a
revision it would contain a paragraph or three on this topic, but nowhere
near the 30-odd pages of material that is in this document, and I don't
think it's independently a reason to do a 3552 revision.


That said, this document is *updating* RFC3552, rather than a revision
> of RFC3552. Therefore, the content in this document wouldn't become part
> of RFC3552, necessarily.
>

Well, the semantics of "Updates" would be somewhat confusing here.
Certainly I don't think that this document is something we need to
transitively incorporate into 3552, but I care a lot less about the
contents of this header than I do about whether 3552 should be updated to
include this material.

-Ekr



Thanks,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
>
>
>
>
> _______________________________________________
> Secdispatch mailing list
> Secdispatch@ietf.org
> https://www.ietf.org/mailman/listinfo/secdispatch
>