Re: [Smart] [Secdispatch] New Version Notification for draft-lazanski-smart-users-internet-00.txt
Mark O <Mark.O@ncsc.gov.uk> Tue, 23 July 2019 22:32 UTC
Return-Path: <Mark.O@ncsc.gov.uk>
X-Original-To: smart@ietfa.amsl.com
Delivered-To: smart@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 314A3120352 for <smart@ietfa.amsl.com>; Tue, 23 Jul 2019 15:32:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ncsc.gov.uk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8TKGAfYc0Jxp for <smart@ietfa.amsl.com>; Tue, 23 Jul 2019 15:32:24 -0700 (PDT)
Received: from GBR01-LO2-obe.outbound.protection.outlook.com (mail-eopbgr100125.outbound.protection.outlook.com [40.107.10.125]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9877C1203C2 for <smart@irtf.org>; Tue, 23 Jul 2019 15:32:23 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=WQkNeC8rI2KP+8i+NyGsmkru92b2gMm8SGG23u/+mngBOFjS9XN3p/IhneYJvNnUpBzMIk/vlGtcTZUcWeRh99EYSZSAwLyI/Z7phSdCqgfgWK4BjlIAia/iDCXzRnY+TS4THrtncQcR2h+OW3O08iuOyJXqSsWuVX7s56jd6xr9dzSORKInIDNiNRuKm1jdtqAqUPplLPG4WVyznjqlBcPQfQXyy5wMiUEuYWCXN2Augou6IXw78HMFKd/S9Fgv709ZYjYgStEaWe943LMHtlAtPAIk8XZOJbVWd9LT7mbyoVYfbAOLq7meSmG1gurqoGjGmCIA/G6FU6HSYZwsgg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=2lMen621WF/oqoAv3aHIqwQck/8jcxXwVNptyygEMps=; b=eBoUWE47za2oTGN0FpWnGjVBi7onb3hjNq85Bk+zjYm9skiYLviYEz5fseufPe+zUiqMByipnGhRqf4EcFNhRCU8gzPyN8+u48wley5bOM8xVChTVQ9JjTYszCcY05d/QQ8ao+f1RJKuDsMye1m4Jmg8AaD9affj7FrXVLAIHMW8KQ+eI9A8zKwaY8QVJ1cJ0PUXfbd0YVym6nxMtAUY7y9b3oGpe0JggquDY3Ce3NU0NOLgfFiocKA3LlFM242c5FgMOXZeLb6Kjj7Ql9xCLwqUIV/h6i5x3qJIaUdB7O/tdLJAZnRxqBzDXPkNRi50i84hSLr80wqCNjgbI8g4KQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1;spf=pass smtp.mailfrom=ncsc.gov.uk;dmarc=pass action=none header.from=ncsc.gov.uk;dkim=pass header.d=ncsc.gov.uk;arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ncsc.gov.uk; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=2lMen621WF/oqoAv3aHIqwQck/8jcxXwVNptyygEMps=; b=GasmMTz0FBd5Cx30FApbYZIsewPRVe0NK1bVvtKkRjB0/a94/33+0ri0NfTJlUAp0R+9KUFyRaf+FwMg7rjUrtfVCTMqhVjxT42ZyVVIw3kRxpS/v8tSw2UIBQeWlT3z8ujZEOPTt/QKd88txKjD95sJH1hqmDyQnTD+UHu6B9Q=
Received: from LNXP123MB2570.GBRP123.PROD.OUTLOOK.COM (20.176.159.147) by LNXP123MB2250.GBRP123.PROD.OUTLOOK.COM (20.176.159.202) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2094.16; Tue, 23 Jul 2019 22:32:20 +0000
Received: from LNXP123MB2570.GBRP123.PROD.OUTLOOK.COM ([fe80::36:e9a5:cb51:4859]) by LNXP123MB2570.GBRP123.PROD.OUTLOOK.COM ([fe80::36:e9a5:cb51:4859%5]) with mapi id 15.20.2094.013; Tue, 23 Jul 2019 22:32:20 +0000
From: Mark O <Mark.O@ncsc.gov.uk>
To: "smart@irtf.org" <smart@irtf.org>, "secdispatch@ietf.org" <secdispatch@ietf.org>
Thread-Topic: Re: [Smart] [Secdispatch] New Version Notification for draft-lazanski-smart-users-internet-00.txt
Thread-Index: AdVBpXaIHMgcNuHoTa6WtdnBmIdnnw==
Date: Tue, 23 Jul 2019 22:32:20 +0000
Message-ID: <LNXP123MB257091D6FEE0D59AFD577BE1D3C70@LNXP123MB2570.GBRP123.PROD.OUTLOOK.COM>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Mark.O@ncsc.gov.uk;
x-originating-ip: [51.141.26.231]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: b1729b0b-59a7-4433-30d7-08d70fbda01e
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(7168020)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:LNXP123MB2250;
x-ms-traffictypediagnostic: LNXP123MB2250:
x-microsoft-antispam-prvs: <LNXP123MB225025F1656C8D8DD2F25372D3C70@LNXP123MB2250.GBRP123.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:6430;
x-forefront-prvs: 0107098B6C
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(4636009)(136003)(376002)(39850400004)(396003)(346002)(366004)(189003)(199004)(51444003)(54896002)(9686003)(6306002)(53936002)(55016002)(486006)(2420400007)(45080400002)(6116002)(66574012)(3846002)(33656002)(2906002)(478600001)(7736002)(8936002)(26005)(25786009)(74316002)(476003)(81156014)(790700001)(6436002)(15650500001)(71200400001)(8676002)(186003)(66066001)(7110500001)(102836004)(53546011)(71190400001)(55236004)(966005)(99286004)(316002)(110136005)(81166006)(6506007)(14454004)(575854001)(14444005)(256004)(2501003)(6246003)(229853002)(68736007)(30864003)(64756008)(52536014)(66946007)(86362001)(66446008)(66556008)(7696005)(66476007)(5660300002)(76116006); DIR:OUT; SFP:1102; SCL:1; SRVR:LNXP123MB2250; H:LNXP123MB2570.GBRP123.PROD.OUTLOOK.COM; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ncsc.gov.uk does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: uuahvh1gd90dMCwie3n5JfLUl8j7avKSk5BRoI3CKCDfsmYYJ1ysvUxSaVgs/YQqz1u4lowFfJDaYYFTrc+oXdYt0QIga9AzGG8K1UqiHqxBhoc0zM2jfPB7EUKmW304s2VggFTyLED6SSnsSp1GtvaJxNOtRGHVWCni13P9Qkr0kwuTFiEhpsBhdscmtN7QNQjBWDfoh91Xwr8tGhISC15pvtWwTjukcf2bHFHO+TfFcmgUdNmJZSfW5vEkcHjQI4VBtxyVHJafsY2n9BYED2cbaikgjXdsfORdz3bYc4NEPBoJMbt8PX/3tbkgPxleB01YTxkCbaAdbo8hEcuLX9wD+DDCjctHUVUgCoSTcUsaKghWd0TiXbW6KVlIlzgVgUxs/n+2FgTkn5woeDvkAsPuBbNmXBzzEANmu2ZOfEg=
Content-Type: multipart/alternative; boundary="_000_LNXP123MB257091D6FEE0D59AFD577BE1D3C70LNXP123MB2570GBRP_"
MIME-Version: 1.0
X-OriginatorOrg: ncsc.gov.uk
X-MS-Exchange-CrossTenant-Network-Message-Id: b1729b0b-59a7-4433-30d7-08d70fbda01e
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Jul 2019 22:32:20.5323 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 14aa5744-ece1-474e-a2d7-34f46dda64a1
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Mark38706@ncsc.gov.uk
X-MS-Exchange-Transport-CrossTenantHeadersStamped: LNXP123MB2250
Archived-At: <https://mailarchive.ietf.org/arch/msg/smart/VfMYIOgLCpgYcwg9P_nwM9BVd-c>
Subject: Re: [Smart] [Secdispatch] New Version Notification for draft-lazanski-smart-users-internet-00.txt
X-BeenThere: smart@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Stopping Malware And Researching Threats <smart.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/smart>, <mailto:smart-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/smart/>
List-Post: <mailto:smart@irtf.org>
List-Help: <mailto:smart-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/smart>, <mailto:smart-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jul 2019 22:32:34 -0000
Thanks, Dominique, for bringing this draft to the list. It's not a complete survey of all the threats facing users and systems on the Internet but it does highlight some omissions from the current threat model. I attended the tutorial session on how to write security considerations on 20 July. Something I heard Yoav say was that the IETF mostly focuses on ComSec issues, and as a result there's not usually any discussion in the security considerations of how to protect the host so that private information doesn't leak out; also that the security considerations all too often ignore operational considerations. This reflects what I have seen in Internet drafts but does seem to be ignoring a class of attacks that arguably ought to be in scope. Checking RFC 3552 to see what's actually in scope for the security considerations, it says (Section 2: The Goals of Security): We can loosely divide security goals into those related to protecting communications (COMMUNICATION SECURITY, also known as COMSEC) and those relating to protecting systems (ADMINISTRATIVE SECURITY or SYSTEM SECURITY). Since communications are carried out by systems and access to systems is through communications channels, these goals obviously interlock, but they can also be independently provided. So System Security and the protection of systems is apparently in scope. Section 3 specifies the Internet threat model - and we can classify the attacks here according to whether they are Communications Security or System Security: 3.2.1 Confidentiality violation - COMSEC 3.2.2 Password sniffing - COMSEC 3.2.3 Offline cryptographic attacks - COMSEC (capturing challenge-response); SYSTEM SECURITY (stealing password file) 3.3.1 Replay attacks - COMSEC 3.3.2 Message insertion - COMSEC 3.3.3 Message deletion - COMSEC 3.3.4 Message modification - COMSEC 3.3.5 Man-in-the-middle - COMSEC 3.5 On-path versus off-path - COMSEC 3.6 Link-local - COMSEC Then Section 5 describes the mandatory components of the security considerations: Authors MUST describe 1. which attacks are out of scope (and why!) 2. which attacks are in-scope 2.1 and the protocol is susceptible to 2.2 and the protocol protects against At least the following forms of attack MUST be considered: eavesdropping, replay, message insertion, deletion, modification, and man-in-the-middle. Potential denial of service attacks MUST be identified as well. So although System Security is recognised as a security goal, there's no specific guidance on what the threats to System Security are and no requirement for them to be addressed in the security considerations section. This may have contributed towards protocol design concentrating more on ComSec than on other aspects of System security. The security considerations section should at least call out the threats that result from the compromise of endpoints, even if no mitigation is possible. I note that Jari Arkko's draft-arkko-arch-internet-threat-model-01 has been updated and that this makes similar points regarding the need to address security threats other than ComSec. I support the additions to the text of the draft, including this one: 7. Treat parties that your equipment connects to with suspicion, even if the communications are encrypted. The other endpoint may misuse any information or control opportunity in the communication. Similarly, even parties within your own system need to be treated with suspicision, as some nodes may become compromised. I also welcome that Stephen Farrell's draft-farrell-etm-03 recognises additional categories of attacks including supply chain attacks and leaky buckets, as well as the kinds of breaches detailed in Dominique's draft. I do think however that Stephen's suggested change to the wording of RFC 3552: OLD: In general, we assume that the end-systems engaging in a protocol exchange have not themselves been compromised. NEW: In general, we assume that one of the protocol engines engaging in a protocol exchange has not been compromised at the run-time of the exchange. is restrictive. We use PFS to protect systems against compromises of the endpoint _after_ the protocol exchange has taken place. The Lazanski, Arkko and Farrell drafts could all make valuable contributions towards an improved Internet threat model. In response to Eric: * I'd like to try to explore this argument a bit. Specifically, it might be the case that the IETF has just ignored non-comsec and that if we had spent more time on it, that would be better. Alternatively, it could be true that the IETF's focus on comsec has actively harmed other kinds of security. One gets the sense that this document wants to argue the latter point, but it doesn't really come out and say it, let alone substantiate it. That, rather than arguing about the completeness or appropriateness of RFC 3552, might be a better place to start. I agree. Research into the effects that the focus on ComSec has had on other forms of security has not been brought to the IETF in a systematic way. -- Mark From: Smart <smart-bounces@irtf.org>On Behalf Of Eric Rescorla Sent: 14 July 2019 17:24 To: Stephen Farrell <stephen.farrell@cs.tcd.ie> Cc: smart@irtf.org; Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>; Dominique Lazanski <dml@lastpresslabel.com>; IETF SecDispatch <Secdispatch@ietf.org> Subject: Re: [Smart] [Secdispatch] New Version Notification for draft-lazanski-smart-users-internet-00.txt I more or less agree with Stephen's position. First, I recognize that this focus on secure endpoints talking to each other is probably the part of 3552 that people are most unhappy about. As I was almost certainly the person who wrote that text, it might be helpful if I laid out some background. First, RFC 3552 isn't intended to say that endpoint threats aren't real, but merely that they are out of scope because they are hard to address. Here's the text in context: The Internet environment has a fairly well understood threat model. In general, we assume that the end-systems engaging in a protocol exchange have not themselves been compromised. Protecting against an attack when one of the end-systems has been compromised is extraordinarily difficult. It is, however, possible to design protocols which minimize the extent of the damage done under these circumstances. For a more narrow statement with a similar theme (but extended to the Web platform, see https://www.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model- and https://www.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-compromised-infected-machines-in-Chrome-s-threat-model-): This is essentially the same situation as with physically-local attacks. The attacker's code, when it runs as your user account on your machine, can do anything you can do. (See also Microsoft's Ten Immutable Laws Of Security.) However, RFC 3552 is primarily oriented towards what can be standardized and in particular towards protocols, and generally secure protocols require some sort of TCB to be effective. Obviously, as alluded to in 3552, to the extent to which protocols can be designed to minimize damage, and we routinely attempt to do so. Examples of this include the use of Forward Secure algorithms and trying to avoid or mitigate designs with single points of failure (as with Certificate Transparency). I know that PHB has some ideas along these lines; I haven't studied them enough to know what I think, but that sort of thing is generally in scope as well. This to some extent goes to Section 2 of draft-lazanski. I certainly agree that to the extent to which it is possible to design cryptographic solutions to prevent data breaches, it is useful to do so, and protocols for doing that would potentially be in scope for IETF. I say "potentially" because I'm not sure that (a) standards are necessary in this space beyond the kind of work we are already doing or (b) that we would have the community to define them, but I don't see an in principle barrier [0] I certainly would not expect 3552 to be deployed to preclude that kind of work. Similarly, I don't think that the kinds of botnet attacks described in Section 3 are out of scope for 3552, though I see how it could be read this way. However I think that the idea of a malicious counterparty is clearly in scope if we assume that the attacker controls the network. Here too, I wouldn't expect 3552 to be deployed to preclude that kind of work; we have done plenty of anti-DoS work in IETF (whether it is good enough is a different story). Turning now to the document itself, its language seems to be trying to stake out a very strong position, but I'm not quite sure what that position is. For instance: themselves. These assumptions have led to a focus on communications security and the development of protocols that place this kind of security above all else. Ironically - or coincidentally - as the development of these protocols have taken place over the last several decades, there has been and continues to be a sharp rise in cyber attacks. The Internet threat model in RFC 3552 does not even mention that the greatest threat to the Internet is the growing scale and variety of cyber attacks against all types of endpoints that is resulting in significant data breaches. This now needs to change. First, I'm not sure that I agree that cyber attacks on endpoints are the greatest threat to the Internet, but even assuming that's so, what are the implications of that for work in the IETF? It's one thing to change the words of 3552, but what work specifically would we do if those words were different. Second, I think it's quite likely true that the IETF has focused on communications security, and this document seems to be trying to argue that that's to the detriment of other kinds of security, both here and in other places: Internet security research and technical development must accept the reality of all the security issues in the Internet ecosystem. Decisions being made in the name of privacy are sometimes leading to larger inadvertent security and privacy losses. I'd like to try to explore this argument a bit. Specifically, it might be the case that the IETF has just ignored non-comsec and that if we had spent more time on it, that would be better. Alternatively, it could be true that the IETF's focus on comsec has actively harmed other kinds of security. One gets the sense that this document wants to argue the latter point, but it doesn't really come out and say it, let alone substantiate it. That, rather than arguing about the completeness or appropriateness of RFC 3552, might be a better place to start. -Ekr [0] Indeed, work like token binding is arguably a stab at some of this stuff. On Sun, Jul 14, 2019 at 3:26 AM Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: Hiya, On 14/07/2019 03:06, Kathleen Moriarty wrote: > It's a good start toward broadening > the conversation on the Internet threat model and I do agree that is > necessary. FWIW, I don't agree that this is a good start. ISTM that this draft is far too opinionated, for example claiming that "IETF attendees are privacy-focused", (how does the author know?), claiming it "unthinkable" that something isn't done, and that "Internet security research and technical development must accept the reality of all the security issues in the Internet ecosystem" (though I'm not sure I can parse that last quote at all). Towards the end we get: "Endpoints have changed over the last 10 years, but assumptions about endpoints in the IETF hasn't changed in that time" - I don't know how the author knows what assumptions may or may not be made by IETF participants (not "attendees" of course). And perhaps most oddly, this bold assertion: "Further, it is imperative that new conclusions and recommendations from a revisited threat model are backed up by research, case studies and experience - rather than bold assertions." ;-) The list of breaches and botnets is fine, but not much use without any analysis of how those happened. We need a good bit more work to figure out whether any changes to protocols or protocol design are actually warranted or useful in the face of these kinds of incident. (Hence the oddity of the bold assertion above.) Lastly, ISTM important, if any discussion here is to be worthwhile, to recognise from the start that existing IETF consensus positions in this space are not likely to be discarded - those were arrived at after a lot iterations of a lot of debate by well-informed IETF participants. (Despite what some may claim;-) So I reckon the right discussion to have is about how to extend and not discard the 3552 threat model. Any other attempted changes would seem to me to require a shift in deployments from 2-party to multi-party protocols, which is unrealistic, or to require magical trust in middleboxes, which would be plain silly and seems highly unlikely to be something for which IETF consensus would be established. > Also - is this a request to present at SecDispatch? I hope not. This draft is IMO clearly not ready for that. An initial discussion about threat models and how to approach this kind of work at saag may be worthwhile (and I think Jari has asked the sec ADs for such a slot). Cheers, S. _______________________________________________ Secdispatch mailing list Secdispatch@ietf.org https://www.ietf.org/mailman/listinfo/secdispatch This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk. All material is UK Crown Copyright (c)
- [Smart] New Version Notification for draft-lazans… Dominique Lazanski
- Re: [Smart] New Version Notification for draft-la… Bret Jordan
- Re: [Smart] New Version Notification for draft-la… Arnaud.Taddei.IETF
- Re: [Smart] [Secdispatch] New Version Notificatio… Phillip Hallam-Baker
- Re: [Smart] [Secdispatch] New Version Notificatio… Bret Jordan
- Re: [Smart] [Secdispatch] New Version Notificatio… Bret Jordan
- Re: [Smart] [Secdispatch] New Version Notificatio… Kathleen Moriarty
- Re: [Smart] [Secdispatch] New Version Notificatio… Stephen Farrell
- Re: [Smart] [Secdispatch] New Version Notificatio… Kathleen Moriarty
- Re: [Smart] [Secdispatch] New Version Notificatio… Bret Jordan
- Re: [Smart] [Secdispatch] New Version Notificatio… Eric Rescorla
- Re: [Smart] [Secdispatch] New Version Notificatio… Bret Jordan
- Re: [Smart] [Secdispatch] New Version Notificatio… Eric Rescorla
- Re: [Smart] [Secdispatch] New Version Notificatio… Bret Jordan
- Re: [Smart] [Secdispatch] New Version Notificatio… Eric Rescorla
- Re: [Smart] [Secdispatch] New Version Notificatio… Stephen Farrell
- Re: [Smart] [Secdispatch] New Version Notificatio… Phillip Hallam-Baker
- Re: [Smart] [Secdispatch] New Version Notificatio… Phillip Hallam-Baker
- Re: [Smart] [Secdispatch] New Version Notificatio… Phillip Hallam-Baker
- Re: [Smart] [Secdispatch] New Version Notificatio… Eliot Lear
- Re: [Smart] [Secdispatch] New Version Notificatio… Eliot Lear
- Re: [Smart] [Secdispatch] New Version Notificatio… Eric Rescorla
- Re: [Smart] [Secdispatch] New Version Notificatio… Eliot Lear
- Re: [Smart] [Secdispatch] New Version Notificatio… Kathleen Moriarty
- Re: [Smart] [Secdispatch] New Version Notificatio… Bret Jordan
- Re: [Smart] [Secdispatch] New Version Notificatio… Bret Jordan
- Re: [Smart] [Secdispatch] New Version Notificatio… Eric Rescorla
- Re: [Smart] [Secdispatch] New Version Notificatio… Bret Jordan
- Re: [Smart] [Secdispatch] New Version Notificatio… Phillip Hallam-Baker
- Re: [Smart] [Secdispatch] New Version Notificatio… Eliot Lear
- Re: [Smart] [Secdispatch] New Version Notificatio… Bret Jordan
- Re: [Smart] [Secdispatch] New Version Notificatio… Mark O