Re: [Uta] WGLC on draft-ietf-uta-tls-attacks-02
Leif Johansson <leifj@mnt.se> Sat, 30 August 2014 08:48 UTC
Return-Path: <leifj@mnt.se>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1AE21A88D1 for <uta@ietfa.amsl.com>; Sat, 30 Aug 2014 01:48:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w6VOocdPFkA1 for <uta@ietfa.amsl.com>; Sat, 30 Aug 2014 01:48:40 -0700 (PDT)
Received: from mail-la0-f51.google.com (mail-la0-f51.google.com [209.85.215.51]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4800A1A88D0 for <uta@ietf.org>; Sat, 30 Aug 2014 01:48:32 -0700 (PDT)
Received: by mail-la0-f51.google.com with SMTP id gl10so3764587lab.24 for <uta@ietf.org>; Sat, 30 Aug 2014 01:48:30 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=9FRIBD//H3wJH5Rn2T0raIPkXa5bRGJd0g4zzantEY8=; b=ZnggSuVUb68WJEOuoZ2Ae/rh7z98BCNERCQcNcUD+TFzfB4iDhjNURDiSp9OblzQxE DhhETUxmfKT/xa2lLxmHGQwwnVGDV6zxsr+WQ6AYsQpc4WANdzHyi/cEvMLPKz0dGcbA AZz4ab7eS6hu8ubDJ1kKI8apaM2CKNPqKI4WHnbURW1cYqP7o7knust4WWHyfKjFvRIz x38fTXNrSGHptx79OOiO6pqQVWIieJFDRHBBcYULhLPCHmUhrrCLJx/UkYB+4ZDgY8Yw UXrSCL8atV/2YPPqM5BSij0BOFuRpSC29kErvxa5sSscn+DTASUBzKDHeq9b+wZGkR/a sWJA==
X-Gm-Message-State: ALoCoQl1YbZr9ijMELYFNtcSkWc0Rr9swgruqnvASLoZ5HWmowoZx304K4COyu0lFUiPMXKT4oyT
X-Received: by 10.152.121.8 with SMTP id lg8mr651787lab.98.1409388510270; Sat, 30 Aug 2014 01:48:30 -0700 (PDT)
Received: from [172.20.10.3] (2.65.35.220.mobile.tre.se. [2.65.35.220]) by mx.google.com with ESMTPSA id lf2sm1488311lac.27.2014.08.30.01.48.29 for <uta@ietf.org> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 30 Aug 2014 01:48:29 -0700 (PDT)
Message-ID: <54018FDC.4030709@mnt.se>
Date: Sat, 30 Aug 2014 10:48:28 +0200
From: Leif Johansson <leifj@mnt.se>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.0
MIME-Version: 1.0
To: uta@ietf.org
References: <53F1B167.3000202@mnt.se> <5D7E66F6642C1E1A80820A9D@96B2F16665FF96BAE59E9B90> <53F24630.6030701@sunet.se> <E4765640DA12D7204FDCCD37@nifty-silver.us.oracle.com> <5400E8D5.2090107@sunet.se> <54017195.5090405@gmail.com>
In-Reply-To: <54017195.5090405@gmail.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/uta/zGVFshRDXX1nsH-9-88FOc3RvcQ
Subject: Re: [Uta] WGLC on draft-ietf-uta-tls-attacks-02
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 Aug 2014 08:48:42 -0000
On 2014-08-30 08:39, Yaron Sheffer wrote: > I am fine with this text. > OK then I think its fine for you to deal with this as any WGLC comment - just include it in your final IETF-LC version. > Thanks, > Yaron > > On 08/29/2014 11:55 PM, Leif Johansson wrote: >> >>> So absent other commentary, I believe the first paragraph should go >>> in the >>> document: >>> >>> === >>> 2.9 STARTTLS Command Injection Attack (CVE-2011-0411) >>> >>> A number of IETF application protocols have used an application-level >>> command, >>> usually STARTTLS, to upgrade a clear-text connection to use TLS. >>> Multiple >>> implementations of STARTTLS had a flaw where an application-layer >>> input buffer >>> retained commands that were pipelined with the STARTTLS command, such >>> that >>> commands received prior to TLS negotiation are executed after TLS >>> negotiation. >>> This problem is resolved by requiring the application-level command >>> input >>> buffer to be empty before negotiating TLS. Note that this flaw lives >>> in the >>> application layer code and does not impact the TLS protocol directly. >>> === >>> >>> This is an important motivation for design decisions in: >>> http://tools.ietf.org/html/draft-newman-email-deep-02 >>> >> >> Speaking as an individual that seems reasonable. Yaron? Others? >> > > _______________________________________________ > Uta mailing list > Uta@ietf.org > https://www.ietf.org/mailman/listinfo/uta
- [Uta] WGLC on draft-ietf-uta-tls-attacks-02 Leif Johansson
- Re: [Uta] WGLC on draft-ietf-uta-tls-attacks-02 t.p.
- Re: [Uta] WGLC on draft-ietf-uta-tls-attacks-02 Ilari Liusvaara
- Re: [Uta] WGLC on draft-ietf-uta-tls-attacks-02 Chris Newman
- Re: [Uta] WGLC on draft-ietf-uta-tls-attacks-02 Leif Johansson
- Re: [Uta] WGLC on draft-ietf-uta-tls-attacks-02 Chris Newman
- Re: [Uta] WGLC on draft-ietf-uta-tls-attacks-02 Leif Johansson
- Re: [Uta] WGLC on draft-ietf-uta-tls-attacks-02 Yaron Sheffer
- Re: [Uta] WGLC on draft-ietf-uta-tls-attacks-02 Leif Johansson
- Re: [Uta] WGLC on draft-ietf-uta-tls-attacks-02 Chris Newman
- Re: [Uta] WGLC on draft-ietf-uta-tls-attacks-02 Leif Johansson