Re: [Uta] I-D Action: draft-ietf-uta-smtp-tlsrpt-23.txt
James Cloos <cloos@jhcloos.com> Thu, 14 June 2018 19:31 UTC
Return-Path: <cloos@jhcloos.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 820B9130EE0 for <uta@ietfa.amsl.com>; Thu, 14 Jun 2018 12:31:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=jhcloos.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KMqlRpfBC9hJ for <uta@ietfa.amsl.com>; Thu, 14 Jun 2018 12:31:25 -0700 (PDT)
Received: from ore.jhcloos.com (ore.jhcloos.com [192.40.56.151]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA0F1130E88 for <uta@ietf.org>; Thu, 14 Jun 2018 12:31:25 -0700 (PDT)
Received: by ore.jhcloos.com (Postfix, from userid 10) id B07541E310; Thu, 14 Jun 2018 19:31:25 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jhcloos.com; s=ore17; t=1529004685; bh=k8cH7oXVptVfWN+r3IeiKMP/tgVoLqLJKFVq8BL95dw=; h=From:To:Cc:Subject:In-Reply-To:References:Date:From; b=sqa1nPzZ0qHYZzHIh0QWq2wb5c4QrGoC4DSnm6QQAi44QqUJ+tqheQbpHhuHqvT1u Oe639raMwYb0SYzlpxZ9WhM68iS3MS/oJT92k2Tq2j2R1rxSXtIZhBLYxSU5iCRjAI h5X1CHHghTQKP/1B1MwDMUqhh0i1HpfCg2nita3bUp1OjCS5wrCBbtwuE79/u1np7s ON8UMp3jvZsP80LVcFr9IYtJiSZP4dmkZPLsfeMQCfgOaZSbS0eQ35WdSJ0VLJM4Av M//mWT/fVLpSnKeONxa5Z6eof09BM7IFOCDTqUh+zBkRULjYFDKgxHianuUYzk8wDj zVaZ+b7Elevqw==
Received: by carbon.jhcloos.org (Postfix, from userid 500) id 3F02B10A6FF32; Thu, 14 Jun 2018 19:31:19 +0000 (UTC)
From: James Cloos <cloos@jhcloos.com>
To: uta@ietf.org
Cc: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <EC082EFE-C1C9-496B-B8EE-B49FDDD7B4A6@dukhovni.org> (Viktor Dukhovni's message of "Thu, 14 Jun 2018 15:16:04 -0400")
References: <152897880480.441.9920870371227371865@ietfa.amsl.com> <bef3efbe-0bec-9725-b7a2-224d6bbab24b@isode.com> <m38t7hur3m.fsf@carbon.jhcloos.org> <EC082EFE-C1C9-496B-B8EE-B49FDDD7B4A6@dukhovni.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux)
Face: iVBORw0KGgoAAAANSUhEUgAAABAAAAAQAgMAAABinRfyAAAACVBMVEX///8ZGXBQKKnCrDQ3 AAAAJElEQVQImWNgQAAXzwQg4SKASgAlXIEEiwsSIYBEcLaAtMEAADJnB+kKcKioAAAAAElFTkSu QmCC
Copyright: Copyright 2018 James Cloos
OpenPGP: 0x997A9F17ED7DAEA6; url=https://jhcloos.com/public_key/0x997A9F17ED7DAEA6.asc
OpenPGP-Fingerprint: E9E9 F828 61A4 6EA9 0F2B 63E7 997A 9F17 ED7D AEA6
Date: Thu, 14 Jun 2018 15:31:19 -0400
Message-ID: <m336xpupvc.fsf@carbon.jhcloos.org>
Lines: 38
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/QUwIbmoKVo2XfPS1LvNTzTVVwVI>
Subject: Re: [Uta] I-D Action: draft-ietf-uta-smtp-tlsrpt-23.txt
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Jun 2018 19:31:28 -0000
>>>>> "VD" == Viktor Dukhovni <ietf-dane@dukhovni.org> writes: VD> I am surprised to see the security considerations refer to VD> multi-file gzip inputs, and processing of the filename VD> metadata inside the gzip stream. I've never seen anyone VD> do that. In practice 'gzip' archives are assumed to VD> contain just one "file", and the name from the gzip VD> metadata is ignored, instead the user specified where VD> to write the output. That did also surprise me, but the rfc makes it clear that it is permitted and thus one must assume that bad actors would try that as an attack. Since the update came from a media-type expert, it is probably something he thinks all GZIP uncomressors should keep in mind. VD> I rather think it makes more sense here to specify that VD> the "+gzip" MIME sub-type always holds exactly one VD> compressed object, and that the filename hint in VD> the compressed stream should be ignored. That idea has value. VD> By far the more interesting issue with compressed VD> content, is potential DoS, because small inputs VD> can uncompress to unreasonably large outputs. Another attack vector everyone needs to expect. VD> Applications might want to set limits on the amount VD> of data they're willing to extract from the compressed VD> stream. Good advice. -JimC -- James Cloos <cloos@jhcloos.com> OpenPGP: 0x997A9F17ED7DAEA6
- Re: [Uta] I-D Action: draft-ietf-uta-smtp-tlsrpt-… ned+uta
- Re: [Uta] I-D Action: draft-ietf-uta-smtp-tlsrpt-… Viktor Dukhovni
- Re: [Uta] I-D Action: draft-ietf-uta-smtp-tlsrpt-… ned+uta
- Re: [Uta] I-D Action: draft-ietf-uta-smtp-tlsrpt-… Alexey Melnikov
- Re: [Uta] I-D Action: draft-ietf-uta-smtp-tlsrpt-… James Cloos
- Re: [Uta] I-D Action: draft-ietf-uta-smtp-tlsrpt-… Viktor Dukhovni
- Re: [Uta] I-D Action: draft-ietf-uta-smtp-tlsrpt-… James Cloos
- Re: [Uta] I-D Action: draft-ietf-uta-smtp-tlsrpt-… Alexey Melnikov
- [Uta] I-D Action: draft-ietf-uta-smtp-tlsrpt-23.t… internet-drafts