[websec] Fwd: [secdir] SecDir review of draft-williams-websec-session-continue-prob-00

Yoav Nir <ynir@checkpoint.com> Thu, 07 February 2013 07:46 UTC

To: IETF WebSec WG <websec@ietf.org>
Cc: "ietf-websec-sessions@googlegroups.com" <ietf-websec-sessions@googlegroups.com>

FYI

Begin forwarded message:

From: Ben Laurie <benl@google.com>
Subject: Re: [secdir] Fwd: RE: SecDir review of draft-williams-websec-session-continue-prob-00
Date: February 7, 2013 3:58:27 AM GMT+02:00
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: "secdir@ietf.org" <secdir@ietf.org>

Not really a proper review, but some thoughts:

" 4. Resistance to active attacks on https. [NOTE: This should
       probably NOT be a requirement.  Instead we should be happy to
       note where a proposed protocol provides this.]"

I'm very confused by this point, but...

a) What active attacks? Need to specify them.

b) If there are active attacks that are actually effective (surely
not?) that can be avoided by these protocols, then avoidance should be
compulsory.

And then...

" 8. Session continuation must provide protection against man-in-the-
       middle (MITM) attacks when using TLS.  (This is important when
       using anonymous Diffie-Hellman cipher suites for TLS, as well as
       when using server certificates from low-value Public Key
       Infrastructures (PKI)."

Seems to be a couple of examples of what they're talking about.

" 10. Must work across all types of proxies. Proxies that can modify
       the plaintext HTTP requests and responses can (but should not)
       interfere with any session continuation protocol."

A man-in-the-middle is a type of proxy, so this seems like an
unsatisfiable requirement.