> From: turners@ieca.com
> To: iesg@ietf.org
> CC: radext-chairs@tools.ietf.org; draft-ietf-radext-status-server@tools.ietf.org
> Date: Wed, 21 Apr 2010 14:43:40 -0700
> Subject: COMMENT: draft-ietf-radext-status-server
>
> Comment:
> I support Peter's discuss.
>
> Additionally, I noted the same thing Peter did wrt to random numbers.
>
> Section 3: In the Request Authenticator description the two paragraphs repeat that Request Authentication SHOULD be unpredictable and then says why. Maybe the second paragraph should be tweaked:
>
> The Request Authenticator value in a Status-Server packet
> SHOULD also be unpredictable **because** an attacker **could**
> trick a server
> into responding to a predicted future request, and then use the
> response to masquerade as that server to a future Status-Server
> request from a client.